Jump to content

dnscrypt-proxy - Resolver timeouts


Recommended Posts

Возможно ли поднять в OPKG lib библиотеку

/opt/etc/init.d # opkg list | grep libsodium
libsodium - 1.0.12-1 - NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Sodium is a portable, cross-compilable, installable, packageable fork of NaCl (based on the latest released upstream version nacl-20110221), with a compatible API. The design choices, particularly in regard to the Curve25519 Diffie-Hellman function, emphasize security (whereas NIST curves emphasize "performance" at the cost of security), and "magic constants" in NaCl/Sodium have clear rationales. The same cannot be said of NIST curves, where the specific origins of certain constants are not described by the standards. And despite the emphasis on higher security, primitives are faster across-the-board than most implementations of the NIST standards.
/opt/etc/init.d # 

до релиза 1.0.13

https://github.com/jedisct1/dnscrypt-proxy/issues/542

Link to comment
Share on other sites

  • 2 weeks later...

ОК и СПС

Поставил, запустил. Разберусь с релизами сейчас.

/opt/etc/init.d # lsof | grep libsodium
dnscrypt- 5301        root  mem       REG        8,2   464288       4357 /opt/lib/libsodium.so.18.3.0
/opt/etc/init.d # 

Да это он

_sodium_malloc 1.0.13 ...

 

Edited by vasek00
Link to comment
Share on other sites

Ну вообще порадовали.

Пока все запустилось.

Скрытый текст

dnsmasq   5277      nobody  cwd       DIR       31,4      202         71 /
dnsmasq   5277      nobody  rtd       DIR       31,4      202         71 /
dnsmasq   5277      nobody  txt       REG        8,2   282388       6321 /opt/sbin/dnsmasq
dnsmasq   5277      nobody  mem       REG        8,2    49680       4109 /opt/lib/libnss_files-2.25.so
dnsmasq   5277      nobody  mem       REG        8,2    17764       4257 /opt/lib/libmnl.so.0.2.0
dnsmasq   5277      nobody  mem       REG        8,2  1616316       4129 /opt/lib/libc-2.25.so
dnsmasq   5277      nobody  mem       REG        8,2    93848       4131 /opt/lib/libgcc_s.so.1
dnsmasq   5277      nobody  mem       REG        8,2    24944       4255 /opt/lib/libnfnetlink.so.0.2.0
dnsmasq   5277      nobody  mem       REG        8,2   118740       4253 /opt/lib/libnetfilter_conntrack.so.3.6.0
dnsmasq   5277      nobody  mem       REG        8,2   150220       4128 /opt/lib/ld-2.25.so
dnsmasq   5277      nobody    0u      CHR        1,3      0t0       1053 /dev/null
dnsmasq   5277      nobody    1u      CHR        1,3      0t0       1053 /dev/null
dnsmasq   5277      nobody    2u      CHR        1,3      0t0       1053 /dev/null
dnsmasq   5277      nobody    3u  netlink                 0t0      91211 ROUTE
dnsmasq   5277      nobody    4u     IPv4      91213      0t0        UDP 192.168.1.100:domain
dnsmasq   5277      nobody    5u     IPv4      91214      0t0        TCP 192.168.1.100:domain (LISTEN)
dnsmasq   5277      nobody    6u     IPv4      91215      0t0        UDP localhost:domain
dnsmasq   5277      nobody    7u     IPv4      91216      0t0        TCP localhost:domain (LISTEN)
dnsmasq   5277      nobody    8u     IPv6      91217      0t0        UDP [fe80::...8]:domain
dnsmasq   5277      nobody    9u     IPv6      91218      0t0        TCP [fe80::...8]:domain (LISTEN)
dnsmasq   5277      nobody   10u     IPv6      91219      0t0        UDP localhost:domain
dnsmasq   5277      nobody   11u     IPv6      91220      0t0        TCP localhost:domain (LISTEN)
dnsmasq   5277      nobody   12r  a_inode        0,7        0          4 inotify
dnsmasq   5277      nobody   13r     FIFO        0,6      0t0      91225 pipe
dnsmasq   5277      nobody   14w     FIFO        0,6      0t0      91225 pipe
dnsmasq   5277      nobody   15u     unix 0x84c62800      0t0      89329 type=DGRAM
dnscrypt- 6047        root  cwd       DIR        8,2     1024     245764 /opt/etc/init.d
dnscrypt- 6047        root  rtd       DIR       31,4      202         71 /
dnscrypt- 6047        root  txt       REG        8,2   158416       6327 /opt/sbin/dnscrypt-proxy
dnscrypt- 6047        root  mem       REG        8,2   122696       4123 /opt/lib/libpthread-2.25.so
dnscrypt- 6047        root  mem       REG        8,2  1616316       4129 /opt/lib/libc-2.25.so
dnscrypt- 6047        root  mem       REG        8,2    93848       4131 /opt/lib/libgcc_s.so.1
dnscrypt- 6047        root  mem       REG        8,2   996704       4130 /opt/lib/libm-2.25.so
dnscrypt- 6047        root  mem       REG        8,2    10664       4120 /opt/lib/libdl-2.25.so
dnscrypt- 6047        root  mem       REG        8,2   464288       4357 /opt/lib/libsodium.so.18.3.0
dnscrypt- 6047        root  mem       REG        8,2    36628       4325 /opt/lib/libltdl.so.7.3.0
dnscrypt- 6047        root  mem       REG        8,2   150220       4128 /opt/lib/ld-2.25.so
dnscrypt- 6047        root    0r      CHR        1,3      0t0       1053 /dev/null
dnscrypt- 6047        root    1w      CHR        1,3      0t0       1053 /dev/null
dnscrypt- 6047        root    2w      CHR        1,3      0t0       1053 /dev/null
dnscrypt- 6047        root    3r      CHR        1,9      0t0       1070 /dev/urandom
dnscrypt- 6047        root    4u     unix 0x84c62e00      0t0      99913 type=DGRAM
dnscrypt- 6047        root    5u  a_inode        0,7        0          4 [eventpoll]
dnscrypt- 6047        root    6u     unix 0x84c62600      0t0      99914 type=STREAM
dnscrypt- 6047        root    7u     unix 0x85b0be00      0t0      99915 type=STREAM
dnscrypt- 6047        root    8r      CHR        1,9      0t0       1070 /dev/urandom
dnscrypt- 6047        root    9u     IPv4      99916      0t0        UDP localhost:60053
dnscrypt- 6047        root   10u     IPv4      99917      0t0        UDP *:43689
dnscrypt- 6047        root   11u     IPv4      99918      0t0        TCP localhost:60053 (LISTEN)

 

Edited by vasek00
Link to comment
Share on other sites

1 час назад, TheBB сказал:

нужны тесты, поставляется as is... радоваться рано

Это понятно, нужно время на оценку возможной проблемы (по сравнению с той что была) и то что она случайная или постоянная.

Link to comment
Share on other sites

За сутки с небольшим - анализ работы на много лучше чем было ранее (ощущение по отзывчивости). Так проверял в основном udp работу при конфиге ниже :

Скрытый текст

DNSmasq

no-resolv
interface=br0
bind-interfaces
listen-address=192.168.1.100
#except-interface=lo
server=127.0.0.2#60053
addn-hosts=/opt/tmp/hosts0
addn-hosts=/opt/tmp/malwaredom_block.host
addn-hosts=/opt/tmp/mvps_block.host
cache-size=150 и так же с cache-size=0
log-queries
log-facility=/opt/var/log/dnsmasq.log
log-async=25

 

dnscrypt-proxy --local-address=127.0.0.2:65053 --daemonize –edns-payload-size=1252 -R cisco -l /opt/tmp/dnscrypt-proxy.60053.log -m 7

-m --loglevel=<level>: don't log events with priority above this level after the service has been started up. Default is 6, the value for LOG_INFO. Valid values are 0 (system is unusable), 1 (action must be taken immediately), 2 (critical conditions), 3 (error conditions), 4 (warning conditions), 5 (normal but significant condition), 6 (informational) and 7 (debug-level messages).

Созданный dnscrypt-proxy.60053.log чистый с момента запуска в нем тишина. Пока без замечаний.

Sun Aug  5 11:39:29 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5
Sun Aug  5 11:39:29 2017 [INFO] Generating a new session key pair
Sun Aug  5 11:39:29 2017 [INFO] Done
Sun Aug  5 11:39:29 2017 [INFO] Server certificate with serial #1493333488 received
Sun Aug  5 11:39:29 2017 [INFO] This certificate is valid
Sun Aug  5 11:39:29 2017 [INFO] Chosen certificate #1493333488 is valid from [2017-03-24] to [2018-03-24]
Sun Aug  5 11:39:29 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Sun Aug  5 11:39:29 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Sun Aug  5 11:39:29 2017 [NOTICE] Proxying from 127.0.0.2:60053 to 208.67.220.220:443
Sun Aug  5 12:41:00 2017 [INFO] Refetching server certificates
Sun Aug  5 12:41:00 2017 [INFO] Server certificate with serial #1493333488 received
Sun Aug  5 12:41:00 2017 [INFO] This certificate is valid
Sun Aug  5 12:41:00 2017 [INFO] Chosen certificate #1493333488 is valid from [2017-03-24] to [2018-03-24]
Sun Aug  5 12:41:00 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Sun Aug  5 12:41:00 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
....

По dnsmasq log

Скрытый текст

Aug  5 14:17:22 dnsmasq[7303]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth no-DNSSEC no-ID loop-detect inotify
Aug  5 14:17:22 dnsmasq[7303]: using nameserver 127.0.0.2#60053
Aug  5 14:17:23 dnsmasq[7303]: read /opt/etc/hosts - 2 addresses
Aug  5 14:17:23 dnsmasq[7303]: read /opt/tmp/mvps_block.host - 13273 addresses
Aug  5 14:17:23 dnsmasq[7303]: read /opt/tmp/malwaredom_block.host - 1157 addresses
Aug  5 14:17:23 dnsmasq[7303]: read /opt/tmp/hosts0 - 101 addresses
Aug  5 14:17:25 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:17:25 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:17:26 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:17:26 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:17:27 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:17:27 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:17:29 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:17:29 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:17:33 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:17:33 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:18:04 dnsmasq[7303]: query[A] mail.yandex.ru from 192.168.1.2
Aug  5 14:18:04 dnsmasq[7303]: forwarded mail.yandex.ru to 127.0.0.2
Aug  5 14:18:05 dnsmasq[7303]: query[A] mail.yandex.ru from 192.168.1.2
Aug  5 14:18:05 dnsmasq[7303]: forwarded mail.yandex.ru to 127.0.0.2
Aug  5 14:18:06 dnsmasq[7303]: query[A] mail.yandex.ru from 192.168.1.2
Aug  5 14:18:06 dnsmasq[7303]: forwarded mail.yandex.ru to 127.0.0.2
Aug  5 14:18:08 dnsmasq[7303]: query[A] mail.yandex.ru from 192.168.1.2
Aug  5 14:18:08 dnsmasq[7303]: forwarded mail.yandex.ru to 127.0.0.2
Aug  5 14:18:09 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:18:09 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:18:10 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:18:10 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:18:11 dnsmasq[7303]: query[A] teredo.ipv6.microsoft.com from 192.168.1.2
Aug  5 14:18:11 dnsmasq[7303]: forwarded teredo.ipv6.microsoft.com to 127.0.0.2
Aug  5 14:18:12 dnsmasq[7303]: query[A] mail.yandex.ru from 192.168.1.2
Aug  5 14:18:12 dnsmasq[7303]: forwarded mail.yandex.ru to 127.0.0.2

...

Aug  5 14:19:57 dnsmasq[7303]: query[A] fonts.googleapis.com from 192.168.1.2
Aug  5 14:19:57 dnsmasq[7303]: forwarded fonts.googleapis.com to 127.0.0.2
Aug  5 14:19:57 dnsmasq[7303]: reply fonts.googleapis.com is <CNAME>
Aug  5 14:19:57 dnsmasq[7303]: reply googleadapis.l.google.com is 173.194.222.95
Aug  5 14:19:57 dnsmasq[7303]: query[A] googleadapis.l.google.com from 192.168.1.2
Aug  5 14:19:57 dnsmasq[7303]: forwarded googleadapis.l.google.com to 127.0.0.2
Aug  5 14:19:57 dnsmasq[7303]: reply googleadapis.l.google.com is 173.194.222.95
Aug  5 14:19:57 dnsmasq[7303]: query[AAAA] googleadapis.l.google.com from 192.168.1.2
Aug  5 14:19:57 dnsmasq[7303]: forwarded googleadapis.l.google.com to 127.0.0.2
Aug  5 14:19:57 dnsmasq[7303]: reply googleadapis.l.google.com is 2a00:1450:4010:c07::5f

...

Aug  5 14:20:07 dnsmasq[7303]: query[A] rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: reply rbc.ru is 80.68.253.9
Aug  5 14:20:07 dnsmasq[7303]: reply rbc.ru is 185.72.229.9
Aug  5 14:20:07 dnsmasq[7303]: query[A] rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: reply rbc.ru is 80.68.253.9
Aug  5 14:20:07 dnsmasq[7303]: reply rbc.ru is 185.72.229.9
Aug  5 14:20:07 dnsmasq[7303]: query[AAAA] rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: query[A] www.rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded www.rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: reply www.rbc.ru is 185.72.229.11
Aug  5 14:20:07 dnsmasq[7303]: reply www.rbc.ru is 80.68.253.11
Aug  5 14:20:07 dnsmasq[7303]: query[A] www.rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded www.rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: reply rbc.ru is NODATA-IPv6
Aug  5 14:20:07 dnsmasq[7303]: reply www.rbc.ru is 185.72.229.11
Aug  5 14:20:07 dnsmasq[7303]: reply www.rbc.ru is 80.68.253.11
Aug  5 14:20:07 dnsmasq[7303]: query[AAAA] www.rbc.ru from 192.168.1.2
Aug  5 14:20:07 dnsmasq[7303]: forwarded www.rbc.ru to 127.0.0.2
Aug  5 14:20:07 dnsmasq[7303]: reply www.rbc.ru is NODATA-IPv6

...

Aug  5 14:28:39 dnsmasq[7303]: query[A] mail.radar.imgsmail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded mail.radar.imgsmail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] img.imgsmail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded img.imgsmail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] mc.yandex.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: /opt/tmp/mvps_block.host mc.yandex.ru is 0.0.0.0
Aug  5 14:28:39 dnsmasq[7303]: query[A] portal.mail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded portal.mail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] limg.imgsmail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded limg.imgsmail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] r.mradx.net from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded r.mradx.net to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] filin.mail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded filin.mail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: reply mail.radar.imgsmail.ru is <CNAME>
Aug  5 14:28:39 dnsmasq[7303]: reply common.radar.imgsmail.ru is 185.5.137.179
Aug  5 14:28:39 dnsmasq[7303]: reply img.imgsmail.ru is 217.69.139.101
Aug  5 14:28:39 dnsmasq[7303]: reply portal.mail.ru is 217.69.139.59
Aug  5 14:28:39 dnsmasq[7303]: reply portal.mail.ru is 94.100.180.59
Aug  5 14:28:39 dnsmasq[7303]: reply portal.mail.ru is 217.69.139.58
Aug  5 14:28:39 dnsmasq[7303]: reply limg.imgsmail.ru is 217.69.139.209
Aug  5 14:28:39 dnsmasq[7303]: reply limg.imgsmail.ru is 94.100.180.211
Aug  5 14:28:39 dnsmasq[7303]: reply limg.imgsmail.ru is 217.69.139.211
Aug  5 14:28:39 dnsmasq[7303]: reply limg.imgsmail.ru is 94.100.180.209
Aug  5 14:28:39 dnsmasq[7303]: reply r.mradx.net is 217.69.139.244
Aug  5 14:28:39 dnsmasq[7303]: query[A] pass.yandex.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded pass.yandex.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: reply filin.mail.ru is 185.5.136.33
Aug  5 14:28:39 dnsmasq[7303]: reply pass.yandex.ru is 213.180.204.51
Aug  5 14:28:39 dnsmasq[7303]: query[A] bar.love.mail.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded bar.love.mail.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] ocsp2.globalsign.com from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded ocsp2.globalsign.com to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: query[A] ok.ru from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded ok.ru to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: reply bar.love.mail.ru is 193.0.170.53
Aug  5 14:28:39 dnsmasq[7303]: reply bar.love.mail.ru is 193.0.170.54
Aug  5 14:28:39 dnsmasq[7303]: reply ocsp2.globalsign.com is <CNAME>
Aug  5 14:28:39 dnsmasq[7303]: reply cdn.globalsigncdn.com is 104.16.24.216
Aug  5 14:28:39 dnsmasq[7303]: reply cdn.globalsigncdn.com is 104.16.28.216
Aug  5 14:28:39 dnsmasq[7303]: reply cdn.globalsigncdn.com is 104.16.25.216
Aug  5 14:28:39 dnsmasq[7303]: reply cdn.globalsigncdn.com is 104.16.26.216
Aug  5 14:28:39 dnsmasq[7303]: reply cdn.globalsigncdn.com is 104.16.27.216
Aug  5 14:28:39 dnsmasq[7303]: reply ok.ru is 5.61.23.11
Aug  5 14:28:39 dnsmasq[7303]: reply ok.ru is 217.20.155.13
Aug  5 14:28:39 dnsmasq[7303]: reply ok.ru is 217.20.156.167
Aug  5 14:28:39 dnsmasq[7303]: query[A] clients1.google.com from 192.168.1.2
Aug  5 14:28:39 dnsmasq[7303]: forwarded clients1.google.com to 127.0.0.2
Aug  5 14:28:39 dnsmasq[7303]: reply clients1.google.com is <CNAME>
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.78
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.69
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.72
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.66
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.65
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.70
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.73
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.64
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.71
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.68
Aug  5 14:28:39 dnsmasq[7303]: reply clients.l.google.com is 173.194.44.67

Выяснился еще один баг или точнее не баг, а то как настроена система. Клиент ping на адрес из /opt/tmp/malwaredom_block.host - "0.0.0.0  www.w......o.com" на клиенте все нормально, но если выполнять локально на роутере, то получаем

Скрытый текст

1.

с клиента если "ping www.w......o.com" имеем

Aug  6 12:01:00 dnsmasq[24293]: query[A] www.w......o.com from 192.168.1.2
Aug  6 12:01:00 dnsmasq[24293]: /opt/tmp/malwaredom_block.host www.wigglewoo.com is 0.0.0.0

или если ping 0.0.0.0 то сбой передачи


2. с роутера

/opt/etc/init.d # ping www.w......o.com
PING www.wigglewoo.com (85.13.149.245): 56 data bytes
64 bytes from 85.13.149.245: seq=0 ttl=59 time=64.597 ms
^C
--- www.w......o.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 64.597/64.597/64.597 ms
/opt/etc/init.d # ping 0.0.0.0
PING 0.0.0.0 (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.434 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.363 ms
^C
--- 0.0.0.0 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.363/0.398/0.434 ms
/opt/etc/init.d #

 

Решение проблемы настройка более правельнее ниже

Скрытый текст

DNSmasq

no-resolv
interface=br0
bind-interfaces
listen-address=192.168.1.100
except-interface=lo
server=127.0.0.2#60053
addn-hosts=/opt/tmp/hosts0
addn-hosts=/opt/tmp/malwaredom_block.host
addn-hosts=/opt/tmp/mvps_block.host
cache-size=0

Теперь все правельно.

Скрытый текст

из списка malwaredom_block

/opt/etc/init.d #
/opt/etc/init.d # ping yo.......com
PING youtuhe.com (34.196.13.28): 56 data bytes
^C
--- yo.......com ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
/opt/etc/init.d # netstat -tulap | grep dns
tcp        0      0 192.168.1.100:domain  0.0.0.0:*               LISTEN      27271/dnsmasq
tcp        0      0 127.0.0.2:60053         0.0.0.0:*               LISTEN      24266/dnscrypt-prox
tcp        0      0 fe80::......a8:domain :::*                    LISTEN      27271/dnsmasq
udp        0      0 127.0.0.2:60053         0.0.0.0:*                           24266/dnscrypt-prox
udp        0      0 192.168.1.100:domain  0.0.0.0:*                           27271/dnsmasq
udp        0      0 0.0.0.0:35326           0.0.0.0:*                           24266/dnscrypt-prox
udp        0      0 fe80::.....a8:domain :::*                                27271/dnsmasq
/opt/etc/init.d #

Текущий конфиг для DNSmasq более оптимальный для работы, вопрос открытый только по какому варианту работает ПРОШИВКА если ей нужно обратиться по мнемонике - тут два варианта "localhost:domain" или по интерфейсу "br0:domain"

Edited by vasek00
  • Thanks 1
Link to comment
Share on other sites

Скрытый текст

Sat Aug  5 14:18:35 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5

...

Sun Aug  6 12:42:21 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Sun Aug  6 13:16:38 2017 [NOTICE] Stopping proxy
Sun Aug  6 13:16:38 2017 [INFO] UDP listener shut down
Sun Aug  6 13:16:38 2017 [INFO] TCP listener shut down
Sun Aug  6 13:17:39 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5
Sun Aug  6 13:17:40 2017 [INFO] Generating a new session key pair

...

Sun Aug  6 13:17:40 2017 [NOTICE] Proxying from 127.0.0.2:65053 to 208.67.220.220:443
Sun Aug  6 13:55:42 2017 [NOTICE] Stopping proxy
Sun Aug  6 13:55:42 2017 [INFO] UDP listener shut down
Sun Aug  6 13:55:42 2017 [INFO] TCP listener shut down
Sun Aug  6 13:56:49 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5
Sun Aug  6 13:56:49 2017 [INFO] Generating a new session key pair
Sun Aug  6 13:56:49 2017 [INFO] Done

... все хорошо до

Mon Aug  7 09:10:04 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Mon Aug  7 09:28:26 2017 [DEBUG] resolver timeout (UDP)
Mon Aug  7 09:28:29 2017 [DEBUG] resolver timeout (UDP)
Mon Aug  7 10:11:14 2017 [INFO] Refetching server certificates

... опять хорошо до

Wed Aug  9 07:49:20 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Wed Aug  9 08:39:53 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:39:54 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:39:55 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:39:57 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:40:01 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:40:06 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 08:41:34 2017 [NOTICE] Stopping proxy
Wed Aug  9 08:41:34 2017 [INFO] UDP listener shut down
Wed Aug  9 08:41:34 2017 [INFO] TCP listener shut down
Wed Aug  9 08:42:37 2017 [NOTICE] Starting dnscrypt-proxy 1.9.5
Wed Aug  9 08:42:37 2017 [INFO] Generating a new session key pair
Wed Aug  9 08:42:37 2017 [INFO] Done

... хорошо до

Wed Aug  9 16:49:03 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Wed Aug  9 17:46:57 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:46:57 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:46:58 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:46:58 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:46:59 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:46:59 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:48:21 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:06 2017 [INFO] Refetching server certificates
Wed Aug  9 17:49:06 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:06 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:07 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:07 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:07 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:09 2017 [DEBUG] resolver timeout (UDP)
Wed Aug  9 17:49:11 2017 [INFO] Server certificate with serial #1493333338 received
Wed Aug  9 17:49:11 2017 [INFO] This certificate is valid

...

... хорошо до сегодня 100817 12:00

Смотрю дальше, проблем пока не видно, если не смотреть данный лог от dnscrypt-proxy то все ОК. Сервер пока один cisco протокл UDP.

Edited by vasek00
  • Thanks 1
Link to comment
Share on other sites

Скрытый текст

dnscrypt-proxy

Thu Aug 10 15:41:19 2017 [DEBUG] resolver timeout (UDP)
Thu Aug 10 15:59:33 2017 [INFO] Refetching server certificates

....

Fri Aug 11 14:06:18 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Fri Aug 11 14:09:58 2017 [DEBUG] resolver timeout (UDP)
Fri Aug 11 14:10:07 2017 [DEBUG] resolver timeout (UDP)
Fri Aug 11 14:10:13 2017 [DEBUG] resolver timeout (UDP)
Fri Aug 11 15:07:41 2017 [INFO] Refetching server certificates

...

Sun Aug 13 09:38:33 2017 [INFO] Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778

За Aug 11 всего один раз, за Aug 12 не разу.

Link to comment
Share on other sites

Словил ошибку, все больше склоняюсь что все таки на роутере что-то забывает соединения, после продолжительного времени без действия клиента (не пользованием браузером минут 40) вчера сменил cisco на dnscrypt-proxy --local-address=127.0.0.2:65053 --daemonize dns-payload-size=1252 -R cypherpunks.ru

dnscrypt-proxy

Tue Aug 15 10:23:57 2017 [INFO] Server key fingerprint is CC02:411D:EA4B:F44D:0E5F:7A18:957B:E8DD:F059:C259:B504:473E:4453:F3BB:CB95:8203
Tue Aug 15 11:23:59 2017 [INFO] Refetching server certificates
Tue Aug 15 11:23:59 2017 [INFO] Server certificate with serial #1493333335 received
Tue Aug 15 11:23:59 2017 [INFO] This certificate is valid
Tue Aug 15 11:23:59 2017 [INFO] Chosen certificate #14933333335 is valid from [2017-05-26] to [2018-05-26]
Tue Aug 15 11:23:59 2017 [INFO] The key rotation period for this server may exceed the recommended value. This is bad for forward secrecy.
Tue Aug 15 11:23:59 2017 [INFO] Server key fingerprint is CC02:411D:EA4B:F44D:0E5F:7A18:957B:E8DD:F059:C259:B504:473E:4453:F3BB:CB95:8203
Tue Aug 15 11:50:20 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:50:20 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:50:20 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:50:21 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:50:21 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:50:21 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:51:21 2017 [DEBUG] resolver timeout (UDP)

По Dnsmasq

Aug 15 11:50:24 dnsmasq[789]: query[A] dns.msftncsi.com from 192.168.130.2
Aug 15 11:50:24 dnsmasq[789]: forwarded dns.msftncsi.com to 127.0.0.2
...
Aug 15 11:50:26 dnsmasq[789]: query[A] avatars.mds.yandex.net from 192.168.130.2
Aug 15 11:50:26 dnsmasq[789]: forwarded avatars.mds.yandex.net to 127.0.0.2
Aug 15 11:50:26 dnsmasq[789]: query[A] yastatic.net from 192.168.130.2
Aug 15 11:50:26 dnsmasq[789]: forwarded yastatic.net to 127.0.0.2
...
Aug 15 11:50:30 dnsmasq[789]: query[A] forum.keenetic.net from 192.168.130.2
Aug 15 11:50:30 dnsmasq[789]: forwarded forum.keenetic.net to 127.0.0.2
Aug 15 11:50:30 dnsmasq[789]: query[A] forum.keenetic.net from 192.168.130.2
Aug 15 11:50:30 dnsmasq[789]: forwarded forum.keenetic.net to 127.0.0.2

сегодня в 11:50 попытка просмотреть страницу которая открылась спустя наверное 1-1,5минуту после повторного нажатия открытия.

Дерганье netfilter.d

Tue Aug 15 11:14:46 MSK 2017
track --- tables = filter
Tue Aug 15 11:57:07 MSK 2017
track --- tables = filter

Log роутера
Aug 15 11:14:46ndm kernel: IPv4 conntrack lan: flushed 1 entries with address 192.168.130.19
Aug 15 11:14:46ndm kernel: SWNAT bind table cleared
Aug 15 11:57:07ndm kernel: SWNAT bind table cleared

 

Link to comment
Share on other sites

С 15.08 с того что выше по логам

Tue Aug 15 11:50:21 2017 [DEBUG] resolver timeout (UDP)
Tue Aug 15 11:51:21 2017 [DEBUG] resolver timeout (UDP)

по 17.08 13:23 тишина - все ОК, 15.08 после этой ошибки в 12:00 вернулся на cisco resolv, до этого был cypherpunks.ru

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...