How to fix a DNS leak when using systemd and DNSOverTLS

Question:

I am on Kubuntu Desktop 22.04, connected to a foreign Wi-Fi, and want to configure the system-wide DNS to 9.9.9.9 (Quad9) using DNSOverTLS. However, on dnsleaktest.com I still get a different DNS.

I tested with Firefox, with "DNS over HTTPS" set to off.

On https://on.quad9.net I get, as expected: YES, You ARE using quad9

On dnsleaktest.com I get an unexpected result:

[image: dnsleaktest.com result]

Here is what I did:

In NetworkManager, for the affected Wi-Fi, I disabled IPv6, set IPv4 to Automatic (addresses only) and gave it an empty list of DNS servers. The resulting configuration in the terminal is:

$ nmcli device
DEVICE        TYPE      STATE         CONNECTION
wlo1          wifi      connected     TP-LINK_58DE
p2p-dev-wlo1  wifi-p2p  disconnected  --
lo            loopback  unmanaged     --

$ nmcli device show wlo1
GENERAL.DEVICE:                         wlo1
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         xx:xx:xx:xx:xx:xx
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     TP-LINK_58DE
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         192.168.0.112/24
IP4.GATEWAY:                            192.168.0.1
IP4.ROUTE[1]:                           dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 600
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.0.1, mt = 600
IP4.ROUTE[3]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP6.GATEWAY:                            --

I configured /etc/systemd/resolved.conf like this (only the last few lines are relevant, but I am giving the whole file for completeness/error checking):

$ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=yes
DNSOverTLS=yes

After sudo systemctl restart systemd-resolved and then sudo systemctl restart NetworkManager, this is the resulting configuration (the whole output is pasted here):

$ resolvectl status
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: foreign
  Current DNS Server: 9.9.9.9#dns.quad9.net
         DNS Servers: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 9.9.9.9#dns.quad9.net
          DNS Domain: ~.

Link 2 (wlo1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported

In basic tests it seems to work:

$ resolvectl query archlinux.com
archlinux.com: 3.64.163.50                     -- link: wlo1

-- Information acquired via protocol DNS in 1.1292s.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: cache network

$ dig archlinux.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> archlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60948
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;archlinux.com.                 IN      A

;; ANSWER SECTION:
archlinux.com.          7200    IN      A       3.64.163.50

;; Query time: 331 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Apr 06 09:30:08 CEST 2024
;; MSG SIZE  rcvd: 58


$ ss -tuna | grep :853
tcp   TIME-WAIT 0      0           192.168.0.112:48420        9.9.9.9:853
tcp   ESTAB     0      0           192.168.0.112:49032        9.9.9.9:853

But the remaining question is: why do I get a different DNS on dnsleaktest.com?

Some things I tried:

  • cd /etc/
    mv resolv.conf resolv.conf-old
    ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

  • sudo dpkg-reconfigure resolvconf. The result was:


$ ls -la /etc/resolv.conf 
lrwxrwxrwx 1 root root 29 Apr  8 09:10 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

That has not helped yet. Can you help me solve this?

Answer 1

This does not appear to be a DNS leak.

The IP address 66.185.120.243 belongs to the organization WoodyNet, Inc.

Here is the output of a Whois query for 66.185.120.243, which is listed in the output of the DNS leak test:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#


NetRange:       66.185.112.0 - 66.185.127.255
CIDR:           66.185.112.0/20
NetName:        WOODYN
NetHandle:      NET-66-185-112-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   WoodyNet, Inc. (WOODYN)
RegDate:        2009-03-25
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/66.185.112.0


OrgName:        WoodyNet, Inc.
OrgId:          WOODYN
Address:        2351 Virginia St
City:           Berkeley
StateProv:      CA
PostalCode:     94709-1315
Country:        US
RegDate:        2001-05-16
Updated:        2022-04-28
Ref:            https://rdap.arin.net/registry/entity/WOODYN


OrgTechHandle: SHRES60-ARIN
OrgTechName:   Shrestha, Kabindra 
OrgTechPhone:  +1-415-831-3111 
OrgTechEmail:  [email protected]
OrgTechRef:    https://rdap.arin.net/registry/entity/SHRES60-ARIN

OrgAbuseHandle: BW1324-ARIN
OrgAbuseName:   Woodcock, Bill 
OrgAbusePhone:  +1-415-831-3103 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://rdap.arin.net/registry/entity/BW1324-ARIN

OrgTechHandle: BW1324-ARIN
OrgTechName:   Woodcock, Bill 
OrgTechPhone:  +1-415-831-3103 
OrgTechEmail:  [email protected]
OrgTechRef:    https://rdap.arin.net/registry/entity/BW1324-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

According to this post on the SNB forums, WoodyNet belongs to Quad9:

WoodyNet is Quad9. The Quad9.net home page shows that it is operated in partnership with Packet Clearing House (pch.net).

Looking at Quad9's website, it says the following:

Bill Woodcock - Chairman. Bill is the Executive Director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the Domain Name System.

Going back to the Whois information, Bill Woodcock is listed as the Abuse and Tech contact, with an e-mail address at [email protected], i.e. Packet Clearing House.

Also, in the article "DNS Perfection" on Medium, there is the following quote:

The simplest way to check is to run an online DNS leak test. When you do so, you should see WoodyNet as the responding ISP.

If you are wondering why you see WoodyNet, it is because Quad9 is a so-called anycast DNS, which automatically routes queries to the nearest server. Although Quad9 has servers in over 100 locations worldwide, it does not own its own servers. Instead, Quad9 relies on Packet Clearing House (present at over 160 Internet exchange points) to host its DNS servers. PCH's Executive Director is Bill Woodcock, a.k.a. Woody. Hence WoodyNet.

Finally, the following is from a post on Hacker News (Y Combinator) by someone identifying himself as Bill Woodcock:

Hi all. I'm Bill Woodcock, the eponymous "woody" of "woodynet". Also Executive Director of PCH and Chairman of the board of Quad9. They are three separate companies that exist for different reasons and follow different tax rules (PCH and Quad9 are public-benefit non-profits, while WoodyNet exists to pay tax on taxable transactions and keep the non-profits' books clean), but they are very closely related.

In this case you see a WoodyNet IP and IN-ADDR because WoodyNet is providing transit to the Quad9 anycast instance you are talking to.

At this point, I would contact Quad9 support to confirm that this is not a DNS leak and that the server is theirs.

I contacted Quad9. They provided a link to Network Providers / DNS Leak Tests on their website, which states the following:

Quad9 uses multiple network providers across our global network. When running a DNS leak test, it is expected to see IP addresses owned by the following providers:

WoodyNet (AKA PCH.net)
PCH.net
GSL Networks
i3D
EdgeUno
Equinix Metal (FKA: Packet, Packet.net, or Packethost)
Path.net (Path Network)

Recommended DNS leak test tool: dnscheck.tools

These organizations are also listed on the sponsors page of the Quad9 website: quad9.net/about/sponsors

If you just want to determine whether you are using Quad9, you can visit on.quad9.net instead of relying on a DNS leak test. However, a DNS leak test is useful to make sure you are only using Quad9, which is necessary to ensure that all your DNS requests are protected by Quad9.


About your setup

By default /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf. The contents of this file point to 127.0.0.53 as the nameserver. This is the local caching stub resolver.

You can verify this by downloading the Kubuntu 22.04.4 LTS ISO, installing it and running the following command:

ls -l /etc/resolv.conf

The output will be:

lrwxrwxrwx 1 root root 37 Mar 20  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

Next, resolvconf is not installed by default. So you or someone else must have installed this package on your system. With the same ISO as above and a fresh install, type which resolvconf on the command line and it will return without any output. resolvconf is not needed for what you are trying to do.

If you look at the output of resolvectl status, note the following line in the Global section at the top:

resolv.conf mode: foreign

The value on this line tells you something, namely the mode in which the file /etc/resolv.conf is being handled. There are four different modes of handling /etc/resolv.conf:

  • Mode 1 (stub): uses the stub resolver and search domains, via a symlink /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf

  • Mode 2 (static): uses the stub resolver without search domains, via a symlink /etc/resolv.conf pointing to /usr/lib/systemd/resolv.conf

  • Mode 3 (uplink): uses the upstream DNS nameservers, via a symlink /etc/resolv.conf pointing to /run/systemd/resolve/resolv.conf

  • Mode 4 (foreign): uses static DNS nameservers by editing /etc/resolv.conf directly

From the systemd-resolved man page:

/ETC/RESOLV.CONF

       Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are
       supported:

       •   systemd-resolved maintains the
           /run/systemd/resolve/stub-resolv.conf file for compatibility
           with traditional Linux programs. This file lists the
           127.0.0.53 DNS stub (see above) as the only DNS server. It
           also contains a list of search domains that are in use by
           systemd-resolved. The list of search domains is always kept
           up-to-date. Note that /run/systemd/resolve/stub-resolv.conf
           should not be used directly by applications, but only through
           a symlink from /etc/resolv.conf. This file may be symlinked
           from /etc/resolv.conf in order to connect all local clients
           that bypass local DNS APIs to systemd-resolved with correct
           search domains settings. This mode of operation is
           recommended.

       •   A static file /usr/lib/systemd/resolv.conf is provided that
           lists the 127.0.0.53 DNS stub (see above) as only DNS server.
           This file may be symlinked from /etc/resolv.conf in order to
           connect all local clients that bypass local DNS APIs to
           systemd-resolved. This file does not contain any search
           domains.

       •   systemd-resolved maintains the
           /run/systemd/resolve/resolv.conf file for compatibility with
           traditional Linux programs. This file may be symlinked from
           /etc/resolv.conf and is always kept up-to-date, containing
           information about all known DNS servers. Note the file
           format's limitations: it does not know a concept of
           per-interface DNS servers and hence only contains system-wide
           DNS server definitions. Note that
           /run/systemd/resolve/resolv.conf should not be used directly
           by applications, but only through a symlink from
           /etc/resolv.conf. If this mode of operation is used local
           clients that bypass any local DNS API will also bypass
           systemd-resolved and will talk directly to the known DNS
           servers.

       •   Alternatively, /etc/resolv.conf may be managed by other
           packages, in which case systemd-resolved will read it for DNS
           configuration data. In this mode of operation
           systemd-resolved is consumer rather than provider of this
           configuration file.

       Note that the selected mode of operation for this file is
       detected fully automatically, depending on whether
       /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf
       or lists 127.0.0.53 as DNS server.

Because you have installed resolvconf, that application is now managing /etc/resolv.conf, and this is why the mode foreign is listed in the output of resolvectl status.

When you ran sudo dpkg-reconfigure resolvconf, the output indicated that a symlink /etc/resolv.conf pointing to /run/resolvconf/resolv.conf would be created. This is where the default was changed.

I am not saying this configuration is incorrect. Rather, I am just pointing out that it is not the default configuration, and that installing resolvconf is not needed.

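As an added example (not from the question or the answer above), the following POSIX shell script turns two points from this thread into checks you can run on the host: the resolv.conf mode detection that the systemd-resolved man page excerpt describes (stub / static / uplink / foreign), and the `ss -tuna | grep :853` check from the question, extended to flag any plaintext port-53 peer other than the 127.0.0.53 stub. The `ss` sample lines are constructed from the ones in the question plus one made-up plaintext query to the router; the relative-symlink normalization assumes the link lives in /etc, as it does for the resolvconf-created `../run/resolvconf/resolv.conf` link shown above.

```shell
#!/bin/sh
# Added example; not part of the original question or answer.
# Offline-testable checks for a systemd-resolved + DNSOverTLS setup:
#   resolv_conf_mode     classify /etc/resolv.conf into the four modes
#                        described in systemd-resolved(8)
#   uses_local_stub      true when a resolv.conf lists only the 127.0.0.53 stub
#   plaintext_dns_peers  from `ss -tuna` output, list port-53 peers that bypass
#                        the stub; with strict DNSOverTLS only :853 peers remain
# Assumption: the symlink lives in /etc, so a relative target such as
# "../run/resolvconf/resolv.conf" is treated as "/run/resolvconf/resolv.conf".

resolv_conf_mode() {
    path="${1:-/etc/resolv.conf}"
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo missing
        return 0
    fi
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        case "$target" in ../*) target="/${target#../}" ;; esac
        case "$target" in
            /run/systemd/resolve/stub-resolv.conf) echo stub;   return 0 ;;
            /usr/lib/systemd/resolv.conf)          echo static; return 0 ;;
            /run/systemd/resolve/resolv.conf)      echo uplink; return 0 ;;
        esac
    fi
    # Regular file, or a link owned by another manager (e.g. resolvconf):
    # systemd-resolved only consumes such a file, hence "foreign".
    echo foreign
}

uses_local_stub() {
    # Exit 0 when "$1" has at least one nameserver line and all of them
    # are 127.0.0.53. A foreign-mode file can still pass this check, in which
    # case glibc clients still reach systemd-resolved (and so DoT) via the stub.
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.53") bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

plaintext_dns_peers() {
    # Reads `ss -tuna` output on stdin. Column 6 is "Peer Address:Port".
    # Prints peers on port 53 other than the local stub. Unconnected UDP
    # sockets (peer 0.0.0.0:* or [::]:*) and :853 (DoT) peers never match.
    awk '$6 ~ /:53$/ && $6 != "127.0.0.53:53" { print $6 }'
}

# Constructed sample: the two :853 lines from the question, the stub's own
# listener, one client query to the stub, and one plaintext query that goes
# straight to the router (the kind of socket a leak test would reveal).
SAMPLE_SS='tcp   TIME-WAIT 0      0           192.168.0.112:48420        9.9.9.9:853
tcp   ESTAB     0      0           192.168.0.112:49032        9.9.9.9:853
udp   UNCONN    0      0           127.0.0.53%lo:53           0.0.0.0:*
udp   ESTAB     0      0           127.0.0.1:41234            127.0.0.53:53
udp   ESTAB     0      0           192.168.0.112:51000        192.168.0.1:53'

main() {
    echo "resolv.conf mode: $(resolv_conf_mode /etc/resolv.conf)"
    if [ -f /etc/resolv.conf ] && uses_local_stub /etc/resolv.conf; then
        echo "local clients go through the 127.0.0.53 stub"
    fi
    # On a live host replace the sample with: ss -tuna | plaintext_dns_peers
    leaks=$(printf '%s\n' "$SAMPLE_SS" | plaintext_dns_peers)
    if [ -n "$leaks" ]; then
        echo "plaintext DNS bypassing the stub:"
        echo "$leaks"
    else
        echo "no plaintext DNS peers outside the stub"
    fi
}

main "$@"
```

On the setup in the question this reports `foreign` (resolvconf owns the link) while `uses_local_stub` still succeeds, which is why `resolvectl query` and `dig` both went through 127.0.0.53 and out over port 853. A non-empty result from `plaintext_dns_peers` on live `ss -tuna` output is the thing worth chasing: it means some process is talking DNS to something other than the stub, regardless of what resolved.conf says.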