DNSCrypt似乎不加密查询
我正在尝试在Raspberry上安装一个DNS缓存服务器,使用Unbound和DNSCrypt。
Raspberry运行最新的Jessie Lite (无头Debian 8)。
我使用以下流行脚本设置DNSCrypt:https://github.com/simonclausen/dnscrypt-autoinstall
Unbound和DNSCrypt都运行良好:我的主计算机(192.168.1.64)成功地使用了Raspberry上的DNS服务器(192.168.1.65),我可以通过日志文件看到使用DNSCrypt的Unbound。
我的问题是,当我dig一个网站并通过Wireshark捕获时,我没有看到任何加密,只是返回标准查询。
我遗漏了什么?
下面是dig的响应:
$ dig debug.opendns.com txt
; <<>> DiG 9.9.5-9+deb8u8-Raspbian <<>> debug.opendns.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; ENDS: version: 0, flags:; upd: 4096
;; QUESTION SECTION:
;debug.opendns.com. IN TXT
;; AUTHORITY SECTION:
opendns.com. 2560 IN SOA auth1.opendns.com. noc.opendns.com. 1483610050 16384 2048 1048576 2560
;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 05 11:02:24 CET 2017
;; MSG SIZE rcvd: 92下面是Wireshark截图中的截图:
这是未绑定的日志:
[1483616499] unbound[5098:0] debug: module config: "iterator"
[1483616499] unbound[5098:0] notice: init module 0: iterator
[1483616499] unbound[5098:0] debug: target fetch policy for level 0 is 3
[1483616499] unbound[5098:0] debug: target fetch policy for level 1 is 2
[1483616499] unbound[5098:0] debug: target fetch policy for level 2 is 1
[1483616499] unbound[5098:0] debug: target fetch policy for level 3 is 0
[1483616499] unbound[5098:0] debug: target fetch policy for level 4 is 0
[1483616499] unbound[5098:0] debug: Forward zone server list:
[1483616499] unbound[5098:0] info: DelegationPoint<.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
[1483616499] unbound[5098:0] debug: cache memory msg=33040 rrset=33040 infra=1304 val=0
[1483616499] unbound[5098:0] info: start of service (unbound 1.4.22).
[1483616505] unbound[5098:0] debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
[1483616505] unbound[5098:0] info: resolving www.google.com. A IN
[1483616505] unbound[5098:0] info: processQueryTargets: www.google.com. A IN
[1483616505] unbound[5098:0] info: sending query: www.google.com. A IN
[1483616505] unbound[5098:0] debug: sending to target: <.> 127.0.0.1#40
[1483616505] unbound[5098:0] debug: cache memory msg=33040 rrset=33040 infra=1533 val=0
[1483616505] unbound[5098:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
[1483616505] unbound[5098:0] info: iterator operate: query www.google.com. A IN
[1483616505] unbound[5098:0] info: response for www.google.com. A IN
[1483616505] unbound[5098:0] info: reply from <.> 127.0.0.1#40
[1483616505] unbound[5098:0] info: query response was ANSWER
[1483616505] unbound[5098:0] info: finishing processing for www.google.com. A IN以下是未绑定的配置文件:
server:
auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
username: unbound
port: 53
logfile: "/var/log/unbound/unbound.log"
log-time-ascii: no
use-syslog: no
verbosity: 3
module-config: "iterator"
do-not-query-localhost: no
interface: 0.0.0.0
access-control: 127.0.0.1 allow
access-control: 192.168.1.0/24 allow
access-control: 10.8.0.0/24 allow
forward-zone:
name: "."
forward-addr: 127.0.0.1@40
forward-first: no
remote-control:
control-enable: no下面是脚本生成的DNSCrypt的配置:
DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
DNSCRYPT_USER=dnscrypt
DNSCRYPT_RESOLVER=ns0.dnscrypt.is回答 1
Unix & Linux用户
发布于 2017-01-05 23:05:15
Wireshark捕获显示源和目的地都是本地IP地址。
因此,这只是记录您的计算机和Raspberry Pi之间的流量。这是正常的DNS流量。加密的流量在Raspberry和ns0.dnscrypt.is解析器之间,即互联网上的内容。
这是你应该做包捕获的地方。
或者,如果您希望验证计算机与Raspberry Pi之间的通信量,则客户端代理需要在您的计算机上运行,而在Raspberry上则需要运行一个DNSCrypt服务器(dnscrypt包装器或dnsdist)。
https://unix.stackexchange.com/questions/335046
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号