搭建mosdns和tpclash

mosdns和tpclash实现DNS防泄露和DNS防污染，如果要实现上述两种效果请使用nameserver修改版 请使用本地配置版，想要什么配置只需要修改/data/clash_config/default_config.yaml，本人使用为Debian10.

优点：没有openclash和openwrt花里胡哨，省心

缺点：规则需要放在github上，稍微有点麻烦

使用方法：1. 开系统代理，mixed端口7890，socks端口7891。
2. 改路由IP为这个IP，但是DNS要胡填一个，否则分流会失败。
2. Web-ui的密码是tpclash。

1. tpclash

tpclash已删库，下载链接：mega

安装tpclash

chmod u+x tpclash
./tpclash install

可执行文件位置：/usr/local/bin/tpclash 与 /usr/local/bin/tpclash.sh

本地配置文件：/etc/clash.yaml

修改clash.yaml

vim /etc/clash.yaml

# 修改为你的配置

远程配置文件

修改：vim /usr/local/bin/tpclash.sh

#!/usr/bin/bash

/usr/local/bin/tpclash --auto-fix tun -i "60m" -c "https://example.com/clash.yaml"

卸载tpclash

systemctl stop tpclash
tpclash uninstall

命令

重载配置
systemctl daemon-reload
启动
systemctl start tpclash
重启
systemctl restart tpclash
开机自启
systemctl enable tpclash

常用命令

systemctl start tpclash  # 启动服务
systemctl status tpclash # 
systemctl stop tpclash  # 停止服务
systemctl restart tpclash  # 重启服务
systemctl enable tpclash  # 开启自启动
systemctl disable tpclash  # 关闭自启动
journalctl -fu tpclash  # 查看日志
systemctl daemon-reload  # 重载服务配置

2. mosdns

release: https://github.com/IrineSistiana/mosdns/releases
wiki: https://irine-sistiana.gitbook.io/mosdns-wiki/mosdns-v5

创建相关配置文件

cp mosdns /usr/local/bin/
# 创建配置文件
mkdir -p /etc/mosdns/rules
touch config.yaml
mv config.yaml /etc/mosdns/
#cp direct-list.txt cn.txt /etc/mosdns/rules/

# custom_for_cndns.txt与cn.txt自动使用cn_edns
touch /etc/mosdns/rules/anti-ad-domains.txt
touch /etc/mosdns/rules/cn.txt
touch /etc/mosdns/rules/direct-list.txt
touch /etc/mosdns/rules/hosts
touch /etc/mosdns/rules/custom_for_cndns.txt
touch /etc/mosdns/rules/custom_for_worlddns.txt
touch /etc/mosdns/rules/ddnslist.txt
touch /etc/mosdns/rules/custom_black_list.txt
touch /etc/mosdns/rules/custom_for_jp_edns.txt
touch /etc/mosdns/rules/custom_for_us_edns.txt

# custom_for_jp_edns.txt
# regexp:github

运行测试一次：

/usr/local/bin/mosdns start -c /etc/mosdns/config.yaml -d /etc/mosdns

更新rules

sudo tee > /etc/mosdns/rules/update_rules <<'EOF'
#!/bin/bash

mirror_proxy=""  #以/结尾，比如: https://ghproxy.com/
mosdns_working_dir="/etc/mosdns"
mkdir -p /tmp/mosdns && curl ${mirror_proxy}https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/direct-list.txt > /tmp/mosdns/direct-list.txt && curl ${mirror_proxy}https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-domains.txt > /tmp/mosdns/anti-ad-domains.txt && curl ${mirror_proxy}https://raw.githubusercontent.com/Loyalsoldier/geoip/release/text/cn.txt > /tmp/mosdns/cn.txt && \cp -rf /tmp/mosdns/*.txt ${mosdns_working_dir}/rules && rm -rf /tmp/mosdns/* && echo 'update successful'
mosdns service restart
EOF

chmod u+x /etc/mosdns/rules/update_rules

# 手动更新
/etc/mosdns/rules/update_rules

# 每日4点自动更新规则
crontab -e

0 4 * * * /etc/mosdns/rules/update_rules

新建服务

位于/etc/systemd/system/mosdns.service

sudo tee > /etc/systemd/system/mosdns.service <<'EOF'
[Unit]
Description=mosdns daemon, DNS server.
After=network-online.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/mosdns start -c /etc/mosdns/config.yaml -d /etc/mosdns

[Install]
WantedBy=multi-user.target
EOF

常用命令

systemctl daemon-reload
systemctl enable mosdns
systemctl start mosdns
systemctl restart mosdns
systemctl status mosdns
journalctl -fu mosdns  # 查看实时日志
tail -f /etc/mosdns/mosdns.log

可以实现白名单使用国内CDN，白名单外使用国外CDN，如果使用国外CDN返回的结果为国内IP，则使用国内CDN重新解析，避免DNS泄露与污染。

国外版mosdns config.yaml，国内版mosdns只需要将国外的DNS地址换成可用的纯净的DNS地址即可。推荐doh.apad.pro和dns.66a.net。

log:
  level: error
  production: true
  file: "./mosdns.log"

plugins:
# 定期更新中国域名列表到配置目录
# https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/direct-list.txt
  - tag: cn_domainList
    type: "domain_set"
    args:
      files:
        - "./rules/direct-list.txt"
        - "./rules/custom_for_cndns.txt"

# https://raw.githubusercontent.com/privacy-protection-tools/anti-AD/master/anti-ad-domains.txt
  - tag: block_domains
    type: "domain_set"
    args:
      files:
        - "./rules/anti-ad-domains.txt"
        - "./rules/custom_black_list.txt"

  - tag: custom_world_list
    type: "domain_set"
    args:
      files:
        - "./rules/custom_for_worlddns.txt"
        
  - tag: jp_edns_list
    type: "domain_set"
    args:
      files:
        - "./rules/custom_for_jp_edns.txt"
        
  - tag: us_edns_list
    type: "domain_set"
    args:
      files:
        - "./rules/custom_for_us_edns.txt"

  - tag: ddnslist
    type: "domain_set"
    args:
      files:
        - "./rules/ddnslist.txt"

# 定期更新IP列表到配置目录
# https://raw.githubusercontent.com/Loyalsoldier/geoip/release/text/cn.txt
  - tag: cn_ipList
    type: "ip_set"
    args:
      files:
        - "./rules/cn.txt"

# google support ECS 
  - tag: ecs_DNS
    type: "forward"
    args:
      upstreams:
        - tag: google_doh
          addr: "https://dns.google/dns-query"
          #dial_addr: "8.8.8.8"
          bootstrap: "8.8.8.8"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: google_dot
          addr: "tls://dns.google"
          #dial_addr: "8.8.8.8"
          bootstrap: "8.8.8.8"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

# 国外DNS
  - tag: world_DNS
    type: "forward"
    args:
      concurrent: 2
      upstreams:
        - tag: cloudflare_doh
          addr: "https://one.one.one.one/dns-query"
          dial_addr: "1.0.0.1"
          bootstrap: "8.8.8.8"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: quad9_dot
          addr: "tls://dns10.quad9.net"
          bootstrap: "8.8.8.8"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: opendns_doh
          addr: "https://doh.opendns.com/dns-query"
          bootstrap: "8.8.8.8"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

# 国内DNS
  - tag: cn_DNS
    type: "forward"
    args:
      concurrent: 2
      # 为什么不使用阿里腾讯114等知名DNS？因为它们是根据请求者IP来返回解析结果。
      upstreams:
        - tag: OneDNS
          addr: "udp://52.80.52.52"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: CNNIC_SDNS
          addr: "udp://1.2.4.8"
          enable_pipeline: true

        - tag: OneDNS_dot
          addr: "tls://dot-pure.onedns.net"
          bootstrap: "223.6.6.6"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: DNSπ
          addr: "tls://101.226.4.6"
          enable_pipeline: true
          insecure_skip_verify: false

# 国内mosdns请使用DoT、DoH等加密方式
#        - tag: dnspod_doh
#          addr: "https://doh.pub/dns-query"
#          bootstrap: "223.6.6.6"
#          enable_pipeline: true
#          insecure_skip_verify: false

#        - tag: ali_dot
#          addr: "tls://223.5.5.5"
#          insecure_skip_verify: false

  - tag: cn_fallback_DNS
    type: "forward"
    args:
      concurrent: 2
      upstreams:
        - tag: dnspod_doh
          addr: "https://doh.pub/dns-query"
          bootstrap: "223.6.6.6"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: 360_doh
          addr: "https://doh.360.cn/dns-query"
          enable_pipeline: true

        - tag: ali_dot
          addr: "tls://223.5.5.5"
          insecure_skip_verify: false

        - tag: easymosdns_doh
          addr: "https://doh.apad.pro/dns-query"
          bootstrap: "223.6.6.6"
          enable_pipeline: true
          insecure_skip_verify: false

# cache
  - tag: cache
    type: "cache"
    args:
      size: 65535
      dump_file: "./cache.dump"
      lazy_cache_ttl: 86400
      dump_interval: 600

# hosts
  - tag: custom_hosts
    type: "hosts"
    args:
      files:
        - "./rules/hosts"

# 修改 TTL
  - tag: modify_ddns_ttl
    type: "sequence"
    args:
      - exec: ttl 1-5

  - tag: modify_ttl
    type: "sequence"
    args:
      - exec: ttl 5-10

  - tag: modify_black_ttl
    type: "sequence"
    args:
      - exec: ttl 600-3600

  - tag: modify_resp_ttl
    type: "sequence"
    args:
      - matches: qname $ddnslist
        exec: mark 123   # 123为q-ddns ，456为q-bloke
      - matches: qname $block_domains
        exec: mark 456
      - matches: mark 123
        exec: jump modify_ddns_ttl
      - matches: mark 456
        exec: jump modify_black_ttl
      - matches: 
        - "!mark 123"
        - "!mark 456"
        exec: jump modify_ttl

# 国外解析
  - tag: world_resolve
    type: "sequence"
    args:
      - exec: $world_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary world_DNS
      - matches: "has_resp"
        exec: accept

# 国内解析
  - tag: cn_resolve
    type: "sequence"
    args:
      - exec: ecs 123.112.0.0
      - exec: $cn_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary cn_DNS

  - tag: cn_fallback_resolve
    type: "sequence"
    args:
      - exec: ecs 123.112.0.0
      - exec: $cn_fallback_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary cn_fallback_DNS

# ecs_for_jp github
  - tag: ecs_jp_resolve
    type: "sequence"
    args:
      - exec: ecs 1.5.0.0
      - exec: $ecs_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary ecs_jp_resolve
      - matches: "has_resp"
        exec: accept

# ecs_for_us
  - tag: ecs_us_resolve
    type: "sequence"
    args:
      - exec: ecs 4.80.0.0
      - exec: $ecs_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary ecs_us_resolve
      - matches: "has_resp"
        exec: accept

# ecs_for_cn
  - tag: ecs_cn_resolve
    type: "sequence"
    args:
      - exec: ecs 123.112.0.0
      - exec: $ecs_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary ecs_cn_resolve
      - matches: "has_resp"
        exec: accept

  - tag: match_block_domain
    type: "sequence"
    args:
      - exec: black_hole 127.0.0.1 ::1 0.0.0.0
      - exec: query_summary block_domains

  - tag: custom_hosts_resp
    type: "sequence"
    args:
      - exec: jump modify_resp_ttl
      - matches: "has_resp"
        exec: query_summary custom_hosts
      - matches: "has_resp"
        exec: accept

  - tag: hit_cache_resp
    type: "sequence"
    args:
      - exec: jump modify_resp_ttl
      - matches: "has_resp"
        exec: query_summary hit_cache
      - matches: "has_resp"
        exec: accept

# 拒绝
  - tag: query_is_reject
    type: "sequence"
    args:
      - matches: "qname $block_domains"
        exec: jump match_block_domain
      - matches: qtype 65
        exec: reject 5
      - matches: "has_resp"
        exec: accept

  - tag: fallback_world
    type: "fallback"
    args:
      primary: ecs_cn_resolve    # 主可执行插件的 tag
      secondary: world_resolve   # 副可执行插件的 tag
      threshold: 1500             # 无响应回滚阈值。单位毫秒。默认 500 。
      always_standby: false      # 副可执行插件始终待命。 

  - tag: fallback_cn
    type: "fallback"
    args:
      primary: cn_resolve             # 主可执行插件的 tag
      secondary: cn_fallback_resolve  # 副可执行插件的 tag
      threshold: 2000                 # 无响应回滚阈值。单位毫秒。默认 500 。
      always_standby: false           # 副可执行插件始终待命。 

  - tag: fallback_cn_seq
    type: "sequence"
    args:
      - exec: $fallback_cn
      #- matches: "has_wanted_ans"
      - matches: "resp_ip $cn_ipList"
        exec: accept

  - tag: fallback_world_seq
    type: "sequence"
    args:
      - exec: $fallback_world
      - matches: "has_resp"
        exec: accept

# 解析流程
  - tag: resolve_process
    type: "sequence"
    args:
      - exec: prefer_ipv4
      - exec: $custom_hosts
      - matches: "has_resp"
        exec: goto custom_hosts_resp

      - matches: "!qname $ddnslist"
        exec: $cache
      - matches: "has_resp"
        exec: goto hit_cache_resp

      - matches: "qname $jp_edns_list || github.com"
        exec: jump ecs_jp_resolve
      - matches: "qname $us_edns_list"
        exec: jump ecs_us_resolve
      - matches: "qname $custom_world_list || $ddnslist"
        exec: goto fallback_world_seq
      - exec: jump query_is_reject
      - matches: "qname $cn_domainList"
        exec: jump fallback_cn_seq
 
      - exec: goto fallback_world_seq

# DNS服务
  - tag: udp_server
    type: "udp_server"
    args:
      entry: resolve_process
      listen: "127.0.0.1:53"
  - tag: tcp_server
    type: "tcp_server"
    args:
      entry: resolve_process
      listen: "127.0.0.1:53"
        #cert: "" # 配置 cert 和 key 后会启用 TLS (DoT),别忘记修改为853端口。
        #key:  "" 
        #idle_timeout: 10       # 空连接超时。单位秒。默认 10。

#  - tag: quic_server
#    type: "quic_server"
#    args:
#      entry: resolve_process  # 可执行插件的 tag。
#      listen: "0.0.0.0:853" # 监听地址。
#      cert: ""
#      key:  "" 
#      idle_timeout: 30       # 空连接超时。单位秒。默认 30。

  - tag: server_http
    type: "http_server"
    args:
      entries:                 # []extry
        - path: /dns-query     # 本路径执行
          exec: resolve_process # 可执行插件的 tag。
      src_ip_header: "X-Real-IP"  # 从 HTTP 头获取用户 IP。
      listen: 127.0.0.1:4588 # 监听地址。
      cert: "" # 留空 cert 和 key 后会禁用 TLS。 
      key: ""
      idle_timeout: 10 # 空连接超时。单位秒。默认 30。

建议国内域名解析使用国内服务器进行解析，否则有时就算加上edns解析出来还是国外IP。

国外mosdns和国内mosdns配置的区别在于，国外的IP使用国内知名DNS解析国内域名有可能会获取到国外的节点，会使访问速度变慢，所以国外mosdns要使用非知名DNS解析来获取国内域名IP。

建议使用国内mosdns（可以使用DOT）和国外mosdns（只能使用DOH）搭配使用，国内的负责解析国内域名（速度快），国外的负责无污染的域名解析（安全）。

如果本地搭建的话请使用DoT、DoH等加密方式。

PS. DoT 853端口活了不到2个小时，建议拿国内服务器中转。
安卓的私人DNS需要使用DoT。

server
{
    #listen 80;
    listen 443 ssl http2;
    server_name domain; #多个域名中间空格隔开
    ssl_certificate        crt; 
    ssl_certificate_key    key;

   location /dns-query {
        proxy_pass http://127.0.0.1:4588/dns-query;
        proxy_set_header  X-Real-IP  $remote_addr;
        access_log /www/wwwlogs/dns-query.log;
        error_log /www/wwwlogs/dns-query.err.log;
   }
}

域名匹配规则

以 domain: 开头，域匹配。e.g: domain:google.com 会匹配自身 google.com，以及其子域名 www.google.com, maps.l.google.com 等。

以 full: 开头，完整匹配。e.g: full:google.com 只会匹配自身。

以 keyword: 开头，关键字匹配。e.g: keyword:google.com 会匹配包含这个字段的域名，如 google.com.hk, www.google.com.hk。

以 regexp: 开头，正则匹配(Golang 标准)。e.g: regexp:.+\.google\.com$。

匹配方式按如下顺序生效: full > domain > regexp > keyword。

性能:

domain 和 full 匹配使用 HashMap，复杂度 O(1)。每 1w 域名约占用 1M 内存。

keyword 和 regexp 匹配需遍历，复杂度 O(n)。

PS. tun模式tpclash会自动开启转发

echo 1 > /proc/sys/net/ipv4/ip_forward

3. 效果

https://browserleaks.com/dns

https://www.dnsleaktest.com/

https://ipleak.net/

4. 国内外常用DNS

国内

腾讯 DNS

支持 ECS

IPv4: 119.29.29.29
DoH: https://1.12.12.12/dns-query
DoH: https://120.53.53.53/dns-query
DoH: https://doh.pub/dns-query
DoH: https://sm2.doh.pub/dns-query (国密)
DoT: tls://dot.pub
DoT: tls://1.12.12.12
DoT: tls://120.53.53.53

阿里 DNS

支持 ECS

IPv4: 223.5.5.5
IPv4: 223.6.6.6
DoH: https://223.5.5.5/dns-query
DoH: https://223.6.6.6/dns-query
DoH: https://dns.alidns.com/dns-query
DoT: tls://dns.alidns.com

CNNIC SDNS

Only UDP

国外服务器解析得到国内IP

IPv4: 1.2.4.8

DNS 派

支持ECS、DoT

IPv4: 101.226.4.6
IPv4: 218.30.118.6  (电信/移动/铁通)
IPv4: 123.125.81.6
IPv4: 140.207.198.6  (联通)
DoT: tls://101.226.4.6

oneDNS

https://www.onedns.net/personal

IPv4: 52.80.66.66
IPv4: 52.80.66.66
IPv4: 117.50.11.11  (不稳定)
DoT: tls://dot-pure.onedns.net  (纯享版)
DoT: tls://dot.onedns.net  (拦截版)
DoH: https://doh.onedns.net/dns-query  # DoH测试无法使用
DoH: https://doh-pure.onedns.net/dns-query  # DoH测试无法使用

EasyMosdns

https://apad.pro/dns-doh/

【境内域名】使用AliDNS本地查询，部分域名使用DNSPod补充查询

【境外域名】使用GoogleDNS与CloudflareDNS通过加密隧道远程查询

无污染、支持EDNS，解析精准度极高，IP分流远程加密查询上游DNS，保护隐私，境外域名拦截垃圾广告，境内域名无拦截，多级DNS缓存，加速全球域名查询响应。

DoH: https://doh.apad.pro/dns-query

国外

Cloudflare DNS

IPv4: 1.0.0.1
IPv4: 1.1.1.1
DoH: https://1.1.1.1/dns-query
DoH: https://1.0.0.1/dns-query
DoH: https://cloudflare-dns.com/dns-query
DoH: https://one.one.one.one/dns-query
DoT: tls://1.1.1.1
DoT: tls://1.0.0.1
DoT: tls://one.one.one.one
DoT: tls://1dot1dot1dot1.cloudflare-dns.com

Google DNS

支持EDNS

IPv4: 8.8.8.8
IPv4: 8.8.4.4
DoH: https://8.8.8.8/dns-query
DoH: https://8.8.4.4/dns-query
DoH: https://dns.google/dns-query
DoT: tls://8.8.8.8
DoT: tls://8.8.4.4
DoT: tls://dns.google

IBM Quad9

#推荐：Malware Blocking、DNSSEC Validation（这是最典型的配置）
IPv4: 9.9.9.9
IPv4: 149.112.112.112
DoH: https://dns.quad9.net/dns-query
DoT: tls://9.9.9.9
DoT: tls://dns.quad9.net

#使用 ECS 保护：恶意软件阻止、DNSSEC 验证、启用 ECS
IPv4: 9.9.9.11
IPv4: 149.112.112.11
DoH: https://dns11.quad9.net/dns-query
DoT: tls://9.9.9.11
DoT: tls://dns11.quad9.net

#不安全：没有恶意软件阻止，没有 DNSSEC 验证（仅限专家！）
IPv4: 9.9.9.10
IPv4: 149.112.112.10
DoH: https://dns10.quad9.net/dns-query
DoT: tls://9.9.9.10
DoT: tls://dns10.quad9.net

OpenDNS

IPv4: 208.67.222.222
IPv4: 208.67.220.220
DoH: https://doh.opendns.com/dns-query
DoH: https://doh.familyshield.opendns.com/dns-query
DoT: tls://208.67.222.222

AdGuard DNS

#无过滤，不拦截
IPv4: 94.140.14.140
IPv4: 94.140.15.15
DoH: https://dns-unfiltered.adguard.com/dns-query
DoT: tls://dns-unfiltered.adguard.com
DoQ: quic://dns-unfiltered.adguard.com
 
#过滤广告和跟踪
IPv4: 94.140.14.14
IPv4: 94.140.15.15
DoH: https://dns.adguard.com/dns-query
DoT: tls://dns.adguard.com
DoQ: quic://dns.adguard.com
 
#家庭过滤：开启安全搜索和安全模式选项、拦截成人内容，并且屏蔽广告和跟踪器
IPv4: 94.140.14.15
IPv4: 94.140.15.16
DoH: https://dns-family.adguard.com/dns-query
DoT: tls://dns-family.adguard.com
DoQ: quic://dns-family.adguard.com

5. 参考或引用

https://irine-sistiana.gitbook.io/mosdns-wiki/mosdns-v5

https://blog.0ne.day/i/mosdns-dns-c-0KfHuTo35/

https://hgl2.com/2023/install-mosdns-in-macos/

https://github.com/Loyalsoldier/v2ray-rules-dat/tree/release

https://github.com/privacy-protection-tools/anti-AD

https://github.com/Loyalsoldier/geoip/tree/release/text

https://github.com/pmkol/easymosdns

https://ip.cn/dns.html

https://www.cccitu.com/2205354.html