Question:
I am on Kubuntu Desktop 22.04, connected to a wifi network abroad, and want to configure the system-wide DNS to 9.9.9.9 (quad9) using DNSOverTLS. However, on dnsleaktest.com I still get a different DNS.
I tested with Firefox, with "DNS over HTTPS" set to Off.
At https://on.quad9.net I get the expected result: YES, You ARE using quad9
On dnsleaktest.com I get an unexpected result:
This is what I did:
In NetworkManager, for the affected wifi, I disabled IPv6, set IPv4 to Automatic (addresses only) and gave it an empty list of DNS servers. The resulting configuration in the terminal is:
$ nmcli device
DEVICE TYPE STATE CONNECTION
wlo1 wifi connected TP-LINK_58DE
p2p-dev-wlo1 wifi-p2p disconnected --
lo loopback unmanaged --
$ nmcli device show wlo1
GENERAL.DEVICE: wlo1
GENERAL.TYPE: wifi
GENERAL.HWADDR: xx:xx:xx:xx:xx:xx
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: TP-LINK_58DE
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]: 192.168.0.112/24
IP4.GATEWAY: 192.168.0.1
IP4.ROUTE[1]: dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 600
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.0.1, mt = 600
IP4.ROUTE[3]: dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP6.GATEWAY: --
I configured /etc/systemd/resolved.conf like this (only the last few lines are relevant, but I am giving the whole file for completeness / error checking):
$ cat /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
After sudo systemctl restart systemd-resolved and then sudo systemctl restart NetworkManager, this is the final configuration (the whole output is pasted here):
$ resolvectl status
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign
Current DNS Server: 9.9.9.9#dns.quad9.net
DNS Servers: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 9.9.9.9#dns.quad9.net
DNS Domain: ~.
Link 2 (wlo1)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
In basic tests it seems to work:
$ resolvectl query archlinux.com
archlinux.com: 3.64.163.50 -- link: wlo1
-- Information acquired via protocol DNS in 1.1292s.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: cache network
$ dig archlinux.com
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> archlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60948
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;archlinux.com. IN A
;; ANSWER SECTION:
archlinux.com. 7200 IN A 3.64.163.50
;; Query time: 331 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Apr 06 09:30:08 CEST 2024
;; MSG SIZE rcvd: 58
$ ss -tuna | grep :853
tcp TIME-WAIT 0 0 192.168.0.112:48420 9.9.9.9:853
tcp ESTAB 0 0 192.168.0.112:49032 9.9.9.9:853
But the remaining question is: why do I get a different DNS on dnsleaktest.com?
Some things I have tried:
- sudo resolvectl flush-caches
- sudo resolvconf -u
- Entering only 9.9.9.9 in the IPv4 DNS server list in NetworkManager
- Entering only 127.0.0.53 in the IPv4 DNS server list in NetworkManager
- Adding dns=none to the [main] section of /etc/NetworkManager/NetworkManager.conf and to /etc/NetworkManager/conf.d/90-dns-none.conf, followed by
sudo systemctl restart systemd-resolved
sudo systemctl restart NetworkManager
- Rebooting
- A simpler configuration following this guide: https://www.ubuntubuzz.com/2022/04/enable-browsing-with-dns-over-tls-dot-on-ubuntu-made-easy.html
- Following this answer: https://askubuntu.com/a/1069429/1780395, i.e.
cd /etc/
mv resolv.conf resolv.conf-old
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo dpkg-reconfigure resolvconf
which results in:
$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 29 Apr 8 09:10 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53
Still no help. Can you help me fix this?
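A scripted version of the checks the question works through by hand, added here as an example (it is not part of the original post, and the function names are mine): it parses the text of resolvectl status, reports whether DoT is advertised in the Global section, lists any configured server (global or per-link) that is not one of the Quad9 addresses named in the resolved.conf comments, and names links whose Protocols line carries +DefaultRoute. Both status samples are constructed; the first is modelled on the output in the question, the second has the shape a real leak would have, with a router-supplied server on a link that still owns the default route.

```shell
#!/bin/sh
# Added example: sanity checks over `resolvectl status` / `resolvectl query` text.
# Function names are my own; the samples below are constructed, not captured.

# Quad9 addresses as listed in the resolved.conf comments in the question.
QUAD9_ADDRS='9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9'

# Constructed sample modelled on the `resolvectl status` output in the question.
SAMPLE_STATUS='Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: foreign
  Current DNS Server: 9.9.9.9#dns.quad9.net
         DNS Servers: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 9.9.9.9#dns.quad9.net
          DNS Domain: ~.

Link 2 (wlo1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported'

# Constructed counter-example: the link still carries a router-supplied server
# and is the default route, which is what a real leak looks like.
SAMPLE_LEAKY='Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
         DNS Servers: 9.9.9.9#dns.quad9.net

Link 2 (wlo1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
         DNS Servers: 192.168.0.1'

# Succeeds when the Global Protocols line advertises +DNSOverTLS (status on stdin).
global_dot_enabled() {
    awk '
        /^Global/ { in_global = 1; next }
        /^Link /  { in_global = 0 }
        in_global && /Protocols:/ && index($0, "+DNSOverTLS") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Prints every configured server (global or per-link) that is not a Quad9 address.
unexpected_servers() {
    awk -v allowed="$QUAD9_ADDRS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /DNS Servers?:/ {
            sub(/^.*Servers?:[ \t]*/, "")      # keep only the address list
            for (i = 1; i <= NF; i++) {
                addr = $i
                sub(/#.*$/, "", addr)          # drop the #hostname used for DoT
                if (!(addr in ok)) print addr
            }
        }'
}

# Prints the names of links whose Protocols line carries +DefaultRoute.
links_with_default_route() {
    awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
        link != "" && /Protocols:/ && index($0, "+DefaultRoute") { print link }'
}

# Overall verdict: prints "ok", or a short reason and fails (status on stdin).
resolver_verdict() {
    status=$(cat)
    printf '%s\n' "$status" | global_dot_enabled || { echo "no-dot"; return 1; }
    bad=$(printf '%s\n' "$status" | unexpected_servers | tr '\n' ' ')
    [ -z "$bad" ] || { echo "unexpected-servers: $bad"; return 1; }
    echo ok
}

# Succeeds when a `resolvectl query` answer says it arrived over local or
# encrypted transport (query output on stdin).
query_used_encrypted_transport() {
    grep -q 'acquired via local or encrypted transport: yes'
}

printf '%s\n' "$SAMPLE_STATUS" | resolver_verdict
printf '%s\n' "$SAMPLE_LEAKY" | resolver_verdict || true
```

On a live system the same functions take the real output, for instance resolvectl status | resolver_verdict and resolvectl query archlinux.com | query_used_encrypted_transport. Note that an "ok" here only proves the stub resolver is configured as intended; a program that bypasses the stub, or a DNS-over-HTTPS setting inside the browser, is not visible to resolvectl at all, which is why the question turned DoH off in Firefox before testing.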
Answer 1
This does not appear to be a DNS leak.
The IP address 66.185.120.243 belongs to the organization WoodyNet, Inc.
Below is the output of a Whois lookup for 66.185.120.243, the address listed in the DNS leak test output:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#
NetRange: 66.185.112.0 - 66.185.127.255
CIDR: 66.185.112.0/20
NetName: WOODYN
NetHandle: NET-66-185-112-0-1
Parent: NET66 (NET-66-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: WoodyNet, Inc. (WOODYN)
RegDate: 2009-03-25
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/66.185.112.0
OrgName: WoodyNet, Inc.
OrgId: WOODYN
Address: 2351 Virginia St
City: Berkeley
StateProv: CA
PostalCode: 94709-1315
Country: US
RegDate: 2001-05-16
Updated: 2022-04-28
Ref: https://rdap.arin.net/registry/entity/WOODYN
OrgTechHandle: SHRES60-ARIN
OrgTechName: Shrestha, Kabindra
OrgTechPhone: +1-415-831-3111
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/SHRES60-ARIN
OrgAbuseHandle: BW1324-ARIN
OrgAbuseName: Woodcock, Bill
OrgAbusePhone: +1-415-831-3103
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/BW1324-ARIN
OrgTechHandle: BW1324-ARIN
OrgTechName: Woodcock, Bill
OrgTechPhone: +1-415-831-3103
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/BW1324-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#
According to this post on the SNB forums, WoodyNet belongs to Quad9:
WoodyNet is Quad9. The Quad9.net homepage shows that it is a collaboration with Packet Clearing House (pch.net).
Looking at Quad9's website, it says the following:
Bill Woodcock - Chairman. Bill is the Executive Director of Packet Clearing House, an international non-governmental organization that builds and supports critical internet infrastructure, including internet exchange points and the core of the Domain Name System.
Looking back at the Whois information, Bill Woodcock is listed as the Abuse and Tech contact, with the email address [email protected], i.e. Packet Clearing House.
Also, the Medium article "DNS Perfected" contains the following quote:
The simplest way to check is to run an online DNS leak test. Having done that, you should see WoodyNet as the responding ISP.
If you are wondering why you see WoodyNet, it is because Quad9 is a so-called anycast DNS, which automatically routes queries to the nearest server. Although Quad9 has servers in more than 100 locations worldwide, it does not own its own servers. Instead, Quad9 relies on Packet Clearing House (present at more than 160 internet exchange points) to host its DNS servers. PCH's Executive Director is Bill Woodcock, aka Woody. Hence, WoodyNet.
Finally, the following is from a post on Hacker News (Y Combinator) by someone identifying as Bill Woodcock himself:
Hi all. I'm Bill Woodcock, the "Woody" that "woodynet" is named after. Also Executive Director of PCH and Chairman of the Board of Quad9. They are three separate companies, which exist for different reasons and follow different tax rules (PCH and Quad9 are public-benefit non-profits, while WoodyNet exists to pay tax on taxable transactions and keep the non-profits' books clean), but they are very closely related.
In this case you see WoodyNet IPs and IN-ADDR because WoodyNet is providing transit to the Quad9 anycast instance you are talking to.
At this point, I would contact Quad9 support to confirm that this is not a DNS leak and that the server is theirs.
I contacted Quad9. They provided a link to Network Providers / DNS Leak Tests on their website, which states the following:
Quad9 uses multiple network providers across our global network. When running a DNS leak test, it is expected to see IP addresses owned by the following providers:
Recommended DNS leak test tool
dnscheck.tools
WoodyNet (AKA PCH.net)
PCH.net
GSL Networks
i3D
EdgeUno
Equinix Metal (FKA: Packet, Packet.net, or Packethost)
Path.net (Path Network)
These organizations are also listed on the sponsors page of the Quad9 website: quad9.net/about/sponsors
If you only want to determine whether you are using Quad9, you can visit on.quad9.net rather than relying on a DNS leak test. However, a DNS leak test helps make sure that you are only using Quad9, which is necessary to ensure that all of your DNS requests are protected by Quad9.
About your setup
By default, /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf. The contents of this file specify 127.0.0.53 as the nameserver. This is the local caching stub resolver.
You can verify this by downloading the Kubuntu 22.04.4 LTS ISO, installing it and running the following command:
ls -l /etc/resolv.conf
The output will be:
lrwxrwxrwx 1 root root 37 Mar 20 2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
Next, resolvconf is not installed by default, so you or someone else must have installed this package on your system. Using the same ISO as above and a fresh install, typing which resolvconf on the command line returns without any output. resolvconf is not required for what you are trying to do.
If you look at the output of resolvectl status, notice the following line in the Global section at the top:
resolv.conf mode: foreign
The value on this line tells you which mode is being used for the file /etc/resolv.conf. There are four different modes of handling /etc/resolv.conf:
Mode 1 (stub): uses the stub resolver and search domains, with /etc/resolv.conf as a symlink to /run/systemd/resolve/stub-resolv.conf
Mode 2 (static): uses the stub resolver without search domains, with /etc/resolv.conf as a symlink to /usr/lib/systemd/resolv.conf
Mode 3 (uplink): uses the upstream DNS nameservers, with /etc/resolv.conf as a symlink to /run/systemd/resolve/resolv.conf
Mode 4 (foreign): uses static DNS nameservers by editing /etc/resolv.conf directly
From the systemd-resolved man page:
/ETC/RESOLV.CONF
Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are
supported:
• systemd-resolved maintains the
/run/systemd/resolve/stub-resolv.conf file for compatibility
with traditional Linux programs. This file lists the
127.0.0.53 DNS stub (see above) as the only DNS server. It
also contains a list of search domains that are in use by
systemd-resolved. The list of search domains is always kept
up-to-date. Note that /run/systemd/resolve/stub-resolv.conf
should not be used directly by applications, but only through
a symlink from /etc/resolv.conf. This file may be symlinked
from /etc/resolv.conf in order to connect all local clients
that bypass local DNS APIs to systemd-resolved with correct
search domains settings. This mode of operation is
recommended.
• A static file /usr/lib/systemd/resolv.conf is provided that
lists the 127.0.0.53 DNS stub (see above) as only DNS server.
This file may be symlinked from /etc/resolv.conf in order to
connect all local clients that bypass local DNS APIs to
systemd-resolved. This file does not contain any search
domains.
• systemd-resolved maintains the
/run/systemd/resolve/resolv.conf file for compatibility with
traditional Linux programs. This file may be symlinked from
/etc/resolv.conf and is always kept up-to-date, containing
information about all known DNS servers. Note the file
format's limitations: it does not know a concept of
per-interface DNS servers and hence only contains system-wide
DNS server definitions. Note that
/run/systemd/resolve/resolv.conf should not be used directly
by applications, but only through a symlink from
/etc/resolv.conf. If this mode of operation is used local
clients that bypass any local DNS API will also bypass
systemd-resolved and will talk directly to the known DNS
servers.
• Alternatively, /etc/resolv.conf may be managed by other
packages, in which case systemd-resolved will read it for DNS
configuration data. In this mode of operation
systemd-resolved is consumer rather than provider of this
configuration file.
Note that the selected mode of operation for this file is
detected fully automatically, depending on whether
/etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf
or lists 127.0.0.53 as DNS server.
Because you installed resolvconf, that software is now managing /etc/resolv.conf, which is why foreign is the mode listed in the resolvectl status output.
When you run sudo dpkg-reconfigure resolvconf, the output indicates that a symlink /etc/resolv.conf pointing to /run/resolvconf/resolv.conf will be created. This is where the default changed.
I am not saying that this configuration is incorrect. I am only pointing out that it is not the default configuration, and that installing resolvconf is not required.
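Two of the answer's points as a runnable check, added here as an example (it is neither the answer author's code nor part of systemd): the first function maps the symlink target of /etc/resolv.conf onto the four modes the quoted man page describes, as resolvectl status labels them, so the asker's target ../run/resolvconf/resolv.conf comes out as foreign even though the file lists 127.0.0.53; the second checks whether an address reported by a leak test falls inside a known provider range, using the ARIN NetRange from the whois output above as the only range this page documents. Function names and the EXPECTED_RANGES variable are my own.

```shell
#!/bin/sh
# Added example, not from the answer or from systemd.

# Mode from the symlink target of /etc/resolv.conf ("" for a regular file),
# using the four targets named in the quoted systemd-resolved(8) text.
# A relative target such as ../run/resolvconf/resolv.conf is taken relative
# to /etc; only the one-level ../ case is normalized here.
resolv_conf_mode() {
    target=$1
    case "$target" in
        "")  echo foreign; return ;;
        /*)  ;;
        *)   target=$(printf '%s' "/etc/$target" | sed 's#^/etc/\.\./#/#') ;;
    esac
    case "$target" in
        /run/systemd/resolve/stub-resolv.conf) echo stub ;;
        /usr/lib/systemd/resolv.conf)          echo static ;;
        /run/systemd/resolve/resolv.conf)      echo uplink ;;
        *)                                     echo foreign ;;
    esac
}

# Inspect the live system: readlink prints nothing for a regular file,
# which resolv_conf_mode reports as "foreign".
live_resolv_conf_mode() {
    resolv_conf_mode "$(readlink /etc/resolv.conf 2>/dev/null || true)"
}

# Dotted-quad IPv4 address to an integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when $1 (IPv4 address) lies inside $2 (CIDR prefix).
ip4_in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The only provider range the answer documents is the ARIN NetRange for
# WoodyNet (66.185.112.0/20); the other sponsors' prefixes are not on the page.
EXPECTED_RANGES='66.185.112.0/20'

# Prints "expected" when the observed resolver address is inside a known range,
# otherwise "investigate" (and fails).
leak_test_verdict() {
    for cidr in $EXPECTED_RANGES; do
        if ip4_in_cidr "$1" "$cidr"; then echo expected; return 0; fi
    done
    echo investigate
    return 1
}

echo "/etc/resolv.conf -> ../run/resolvconf/resolv.conf: $(resolv_conf_mode ../run/resolvconf/resolv.conf)"
echo "66.185.120.243: $(leak_test_verdict 66.185.120.243)"
```

An "investigate" result is not by itself proof of a leak: the range list only covers what this page documents, so the next step is the one the answer took, checking whois for the address and comparing it with the providers Quad9 names on its own site.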