boernsen
Asked: 2024-04-06 16:43:58 +0800 CST

How to fix a DNS leak when using systemd with DNSOverTLS


Update 2024-10-04: this is not a real leak. See the accepted answer by mpboden below.

Question:

I am on Kubuntu Desktop 22.04, connected to an external wifi, and I want to configure DNS system-wide to 9.9.9.9 (quad9) using DNSOverTLS. However, on dnsleaktest.com I still get different DNS servers.

I am testing with Firefox, with "DNS over HTTPS" set to "Off".

On https://on.quad9.net I get the expected result: YES, You ARE using quad9

On dnsleaktest.com I get the unexpected result:

(screenshot of the dnsleaktest.com result)

Here is what I did:

In NetworkManager, for the affected wifi, I disabled IPv6, set IPv4 to "Automatic (addresses only)", and left the DNS server list empty. The resulting configuration in the terminal is:

$ nmcli device
DEVICE        TYPE      STATE         CONNECTION
wlo1          wifi      connected     TP-LINK_58DE
p2p-dev-wlo1  wifi-p2p  disconnected  --
lo            loopback  unmanaged     --

$ nmcli device show wlo1
GENERAL.DEVICE:                         wlo1
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         xx:xx:xx:xx:xx:xx
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     TP-LINK_58DE
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         192.168.0.112/24
IP4.GATEWAY:                            192.168.0.1
IP4.ROUTE[1]:                           dst = 192.168.0.0/24, nh = 0.0.0.0, mt = 600
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.0.1, mt = 600
IP4.ROUTE[3]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP6.GATEWAY:                            --

I configured /etc/systemd/resolved.conf like this (only the last few lines are relevant, but I am providing the whole file for completeness/error checking):

$ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=yes
DNSOverTLS=yes

After sudo systemctl restart systemd-resolved and sudo systemctl restart NetworkManager, this is the resulting configuration (the whole output is pasted here):

$ resolvectl status
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: foreign
  Current DNS Server: 9.9.9.9#dns.quad9.net
         DNS Servers: 9.9.9.9#dns.quad9.net
Fallback DNS Servers: 9.9.9.9#dns.quad9.net
          DNS Domain: ~.

Link 2 (wlo1)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported

In basic tests it seems to work:

$ resolvectl query archlinux.com
archlinux.com: 3.64.163.50                     -- link: wlo1

-- Information acquired via protocol DNS in 1.1292s.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: cache network

$ dig archlinux.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> archlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60948
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;archlinux.com.                 IN      A

;; ANSWER SECTION:
archlinux.com.          7200    IN      A       3.64.163.50

;; Query time: 331 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Apr 06 09:30:08 CEST 2024
;; MSG SIZE  rcvd: 58


$ ss -tuna | grep :853
tcp   TIME-WAIT 0      0           192.168.0.112:48420        9.9.9.9:853
tcp   ESTAB     0      0           192.168.0.112:49032        9.9.9.9:853

The remaining question is: why do I get different DNS servers on dnsleaktest.com?

Some things I have tried:

  • sudo resolvectl flush-caches
  • sudo resolvconf -u
  • Putting only 9.9.9.9 in the IPv4 DNS server list in NetworkManager
  • Putting only 127.0.0.53 in the IPv4 DNS server list in NetworkManager
  • Adding dns=none to the [main] section of /etc/NetworkManager/NetworkManager.conf and to /etc/NetworkManager/conf.d/90-dns-none.conf
  • sudo systemctl restart systemd-resolved
  • sudo systemctl restart NetworkManager
  • Rebooting
  • Following this guide, which uses a simpler configuration: https://www.ubuntubuzz.com/2022/04/enable-browsing-with-dns-over-tls-dot-on-ubuntu-made-easy.html
  • Following this answer: https://askubuntu.com/a/1069429/1780395, i.e.
cd /etc/
mv resolv.conf resolv.conf-old
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
  • sudo dpkg-reconfigure resolvconf. This resulted in:

(screenshot of the dpkg-reconfigure resolvconf output)

$ ls -la /etc/resolv.conf 
lrwxrwxrwx 1 root root 29 Apr  8 09:10 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

Nothing has helped so far. Can you help me fix this?

networking
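The question verifies the DoT setup by eyeballing `ss -tuna | grep :853`. A more useful check for "is anything on this host leaking DNS" is to audit the whole socket table: every remote peer on port 53 that is not loopback is a client bypassing the 127.0.0.53 stub, and every peer on port 853 should be one of the resolvers you configured. The script below is an added example, not code from the question or from systemd-resolved; the socket tables are constructed inline (the two tcp lines are the ones from the question, the leak line is invented), and the allow-list format host:853 is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original question or from any tool it uses):
# audit an `ss -tuna` socket table for DNS egress that bypasses the
# systemd-resolved stub. Policy assumed here: the only permitted remote DNS
# endpoint is the configured DoT resolver (9.9.9.9 on TCP 853 in the
# question). A socket to any non-loopback peer on port 53 means a client is
# sending plaintext DNS past 127.0.0.53; a socket on port 853 to a peer not
# in the allow-list means DoT to a resolver you did not configure.

# Constructed sample table in `ss -tuna` format (Netid State Recv-Q Send-Q
# Local Peer). The two tcp lines are copied from the question; the udp line
# is the stub's own listener as it normally appears.
SS_CLEAN='Netid State     Recv-Q Send-Q Local Address:Port         Peer Address:Port
tcp   TIME-WAIT 0      0           192.168.0.112:48420        9.9.9.9:853
tcp   ESTAB     0      0           192.168.0.112:49032        9.9.9.9:853
udp   UNCONN    0      0           127.0.0.53%lo:53           0.0.0.0:*'

# The same table plus one constructed leak: plaintext UDP DNS to the router.
SS_LEAK="$SS_CLEAN
udp   ESTAB     0      0           192.168.0.112:51234        192.168.0.1:53"

# audit_dns_sockets "host:853 [host:853 ...]" < ss_output
# Prints one line per violation. Returns 0 when clean, 1 otherwise.
# IPv6 peers appear as [addr]:port in ss output; list them the same way.
audit_dns_sockets() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0
        }
        $1 == "Netid" { next }                 # header line
        $1 != "tcp" && $1 != "udp" { next }    # raw/unix/etc. if present
        {
            peer = $NF
            if (!match(peer, /:[0-9*]+$/)) next
            host = substr(peer, 1, RSTART - 1)
            port = substr(peer, RSTART + 1)
            if (port == "*") next              # listening / unconnected
            if (port == "53") {
                if (host ~ /^127\./ || host == "[::1]") next
                printf "plaintext DNS bypassing the stub: %s %s -> %s\n", $1, $(NF-1), peer
                bad++
            } else if (port == "853") {
                if (peer in ok) next
                printf "DoT to a resolver not in the allow-list: %s -> %s\n", $(NF-1), peer
                bad++
            }
        }
        END { exit bad > 0 }
    '
}

# Stand-alone demo against the two constructed tables.
for name in SS_CLEAN SS_LEAK; do
    eval "table=\$$name"
    if printf '%s\n' "$table" | audit_dns_sockets "9.9.9.9:853"; then
        echo "$name: no DNS egress outside the allow-list"
    else
        echo "$name: violations found"
    fi
done
```

On a live host you would run it as `ss -tuna | audit_dns_sockets "9.9.9.9:853 149.112.112.112:853"`, ideally in a loop while the leak-test page loads, since short-lived UDP sockets are easy to miss in a single snapshot. Note what this check cannot tell you: the address a leak-test site reports is the egress address of the resolver's own upstream, so a "foreign" provider name there is not by itself evidence of a local leak, which is exactly the point the accepted answer goes on to make.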

1 Answer

  1. Best Answer
    mpboden
    2024-04-09T13:24:34+08:00

    This does not appear to be a DNS leak.

    The IP address 66.185.120.243 belongs to the organization WoodyNet, Inc.

    Below is the output of a Whois lookup for 66.185.120.243, the address listed in the DNSLeak test output:

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
    #
    # Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
    #
    
    
    NetRange:       66.185.112.0 - 66.185.127.255
    CIDR:           66.185.112.0/20
    NetName:        WOODYN
    NetHandle:      NET-66-185-112-0-1
    Parent:         NET66 (NET-66-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       
    Organization:   WoodyNet, Inc. (WOODYN)
    RegDate:        2009-03-25
    Updated:        2021-12-14
    Ref:            https://rdap.arin.net/registry/ip/66.185.112.0
    
    
    OrgName:        WoodyNet, Inc.
    OrgId:          WOODYN
    Address:        2351 Virginia St
    City:           Berkeley
    StateProv:      CA
    PostalCode:     94709-1315
    Country:        US
    RegDate:        2001-05-16
    Updated:        2022-04-28
    Ref:            https://rdap.arin.net/registry/entity/WOODYN
    
    
    OrgTechHandle: SHRES60-ARIN
    OrgTechName:   Shrestha, Kabindra 
    OrgTechPhone:  +1-415-831-3111 
    OrgTechEmail:  [email protected]
    OrgTechRef:    https://rdap.arin.net/registry/entity/SHRES60-ARIN
    
    OrgAbuseHandle: BW1324-ARIN
    OrgAbuseName:   Woodcock, Bill 
    OrgAbusePhone:  +1-415-831-3103 
    OrgAbuseEmail:  [email protected]
    OrgAbuseRef:    https://rdap.arin.net/registry/entity/BW1324-ARIN
    
    OrgTechHandle: BW1324-ARIN
    OrgTechName:   Woodcock, Bill 
    OrgTechPhone:  +1-415-831-3103 
    OrgTechEmail:  [email protected]
    OrgTechRef:    https://rdap.arin.net/registry/entity/BW1324-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
    #
    # Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
    #
    

    According to this post on the SNB forums, WoodyNet belongs to Quad9:

    WoodyNet is Quad9. The Quad9.net homepage says it is working with Packet Clearinghouse (pch.net).

    Looking at Quad9's website, it says the following:

    Bill Woodcock - Chairman. Bill is the Executive Director of Packet Clearing House, an international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system.

    Going back to the Whois information, Bill Woodcock is listed as the Abuse and Tech contact, with an email address at [email protected], i.e. Packet Clearing House.

    Additionally, in the Medium article DNS To The Nines, there is the following quote:

    The easiest way to check is to run an online DNS leak test. When you do, you should see the responding ISP as WoodyNet.

    If you are wondering why you see WoodyNet, it is because Quad9 is what is known as anycast DNS, which automatically routes queries to the nearest server. While Quad9 has servers in over 100 locations worldwide, it does not own its own servers. Instead, Quad9 relies on Packet Clearing House (present at over 160 Internet exchange points) to host the DNS servers for it. The Executive Director of PCH is Bill Woodcock, aka Woody. Hence, WoodyNet.

    Finally, the following is taken from a post on Y Combinator by someone claiming to be Bill Woodcock himself:

    Hi. I'm Bill Woodcock, the eponymous "woody" of "woodynet". Also PCH executive director and Quad9 board chair. They're three separate corporations, existing for different reasons and following different tax regulations (PCH and Quad9 are public-benefit non-profits, while WoodyNet exists to pay taxes on taxable transactions and keep the non-profits' books clean), but they're very closely related.

    In this case, you're seeing a WoodyNet IP and IN-ADDR because WoodyNet is providing transit to the Quad9 anycast instance you're talking to.

    At this point, I would contact Quad9 support to confirm that this is not a DNS leak and that the server is theirs.

    I contacted quad9. They provide a link on their website to Network Providers/DNS Leak Tests, which states the following:

    Quad9 utilizes multiple network providers across our global network. When running a DNS leak test, it is expected to see IP addresses owned by the following providers:

    Recommended DNS leak test tool

    dnscheck tool

    WoodyNet (AKA PCH.net)
    PCH.net
    GSL Networks
    i3D
    EdgeUno
    Equinix Metal (FKA: Packet, Packet.net, or Packethost)
    Path.net (Path Network)
    

    These organizations are also listed on Quad9's sponsors page: quad9.net/about/sponsors

    If you simply want to determine whether you are using Quad9, you can visit on.quad9.net instead of relying on a DNS leak test. However, a DNS leak test can be used to make sure you are exclusively using Quad9, which is necessary to ensure that all of your DNS requests are protected by Quad9.


    About your setup

    By default /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf. The contents of that file specify 127.0.0.53 as the nameserver. This is the local caching stub resolver.

    You can verify this by downloading the Kubuntu 22.04.4 LTS ISO, installing it, and running the following command:

    ls -l /etc/resolv.conf
    

    The output will be:

    lrwxrwxrwx 1 root root 37 Mar 20  2023 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
    

    Next, resolvconf is not installed by default. Therefore, you or someone else must have installed this package on your system. Using the same ISO as above with a fresh install, typing which resolvconf at the command line returns with no output. You do not need resolvconf to do what you want to do.

    If you look at the output of resolvectl status, note the following line in the Global section at the top:

    resolv.conf mode: foreign
    

    The value on this line tells you something, namely the mode in which the file /etc/resolv.conf is being handled. There are four different ways of handling /etc/resolv.conf:

    • Mode 1 (stub): use the stub resolver with search domains, via a symlink /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

    • Mode 2 (static): use the stub resolver without search domains, via a symlink /etc/resolv.conf -> /usr/lib/systemd/resolv.conf

    • Mode 3 (uplink): use the uplink DNS nameservers directly, via a symlink /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

    • Mode 4 (foreign): use static DNS nameservers by editing /etc/resolv.conf directly

    From the systemd-resolved man page:

    /ETC/RESOLV.CONF         top
    
           Four modes of handling /etc/resolv.conf (see resolv.conf(5)) are
           supported:
    
           •   systemd-resolved maintains the
               /run/systemd/resolve/stub-resolv.conf file for compatibility
               with traditional Linux programs. This file lists the
               127.0.0.53 DNS stub (see above) as the only DNS server. It
               also contains a list of search domains that are in use by
               systemd-resolved. The list of search domains is always kept
               up-to-date. Note that /run/systemd/resolve/stub-resolv.conf
               should not be used directly by applications, but only through
               a symlink from /etc/resolv.conf. This file may be symlinked
               from /etc/resolv.conf in order to connect all local clients
               that bypass local DNS APIs to systemd-resolved with correct
               search domains settings. This mode of operation is
               recommended.
    
           •   A static file /usr/lib/systemd/resolv.conf is provided that
               lists the 127.0.0.53 DNS stub (see above) as only DNS server.
               This file may be symlinked from /etc/resolv.conf in order to
               connect all local clients that bypass local DNS APIs to
               systemd-resolved. This file does not contain any search
               domains.
    
           •   systemd-resolved maintains the
               /run/systemd/resolve/resolv.conf file for compatibility with
               traditional Linux programs. This file may be symlinked from
               /etc/resolv.conf and is always kept up-to-date, containing
               information about all known DNS servers. Note the file
               format's limitations: it does not know a concept of
               per-interface DNS servers and hence only contains system-wide
               DNS server definitions. Note that
               /run/systemd/resolve/resolv.conf should not be used directly
               by applications, but only through a symlink from
               /etc/resolv.conf. If this mode of operation is used local
               clients that bypass any local DNS API will also bypass
               systemd-resolved and will talk directly to the known DNS
               servers.
    
           •   Alternatively, /etc/resolv.conf may be managed by other
               packages, in which case systemd-resolved will read it for DNS
               configuration data. In this mode of operation
               systemd-resolved is consumer rather than provider of this
               configuration file.
    
           Note that the selected mode of operation for this file is
           detected fully automatically, depending on whether
           /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf
           or lists 127.0.0.53 as DNS server.
    

    Because you have resolvconf installed, that application is now managing /etc/resolv.conf, which is why the mode is listed as foreign in the output of resolvectl status.

    When you ran sudo dpkg-reconfigure resolvconf, the output indicated that from that point on a symlink would be created from /etc/resolv.conf to /run/resolvconf/resolv.conf. This is where the default was changed.

    (screenshot of the dpkg-reconfigure resolvconf output)

    I am not saying this configuration is incorrect. Rather, I am simply pointing out that it is not the default, and that resolvconf does not need to be installed.
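The answer's four-mode explanation can be turned into a check you run on any box before trusting `resolvectl status`. The script below is an added example, not part of the answer and not systemd's own detection code. It classifies a resolv.conf path by the resolved symlink target (stub, static, uplink) and, for anything else, reports whether the foreign file still hands libc clients to the 127.0.0.53 stub, as in the question, or sends them straight to some other nameserver. One assumption to keep in mind: systemd-resolved compares inodes rather than paths, so the two can disagree on unusual setups such as bind mounts.

```shell
#!/bin/sh
# Added example (not part of the answer or of systemd): classify how a
# resolv.conf file is being handled, following the four modes from the
# systemd-resolved man page quoted above. Assumption: the mode is decided
# from the symlink target path (stub-resolv.conf, /usr/lib/systemd/resolv.conf,
# /run/systemd/resolve/resolv.conf) and, for anything else, from whether the
# file still lists the 127.0.0.53 stub. systemd-resolved itself compares
# inodes rather than paths, so the two can differ on unusual setups.

# resolv_conf_mode PATH -> prints stub | static | uplink | foreign (...)
resolv_conf_mode() {
    f="$1"
    target=""
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        # Relative targets (the question shows ../run/resolvconf/resolv.conf)
        # are resolved against the symlink's directory, collapsing "dir/../".
        case "$target" in
            /*) ;;
            *) target="$(dirname "$f")/$target" ;;
        esac
        target=$(printf '%s\n' "$target" | sed -e ':a' -e 's#/[^/.][^/]*/\.\./#/#' -e 'ta')
    fi

    case "$target" in
        */run/systemd/resolve/stub-resolv.conf)
            echo stub ;;          # mode 1: 127.0.0.53 plus search domains
        */usr/lib/systemd/resolv.conf|*/lib/systemd/resolv.conf)
            echo static ;;        # mode 2: 127.0.0.53, no search domains
        */run/systemd/resolve/resolv.conf)
            echo uplink ;;        # mode 3: clients talk to upstream DNS directly
        *)
            # Mode 4: the file is owned by something else (resolvconf(8), a VPN
            # client, a hand edit). Report whether libc clients still reach
            # systemd-resolved through the stub, as in the question, or bypass it.
            if [ -r "$f" ] && grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$f"; then
                echo "foreign (via 127.0.0.53 stub)"
            else
                echo "foreign (bypasses systemd-resolved)"
            fi ;;
    esac
}

# Stand-alone run against the live system, or against a path given as $1.
resolv_conf_mode "${1:-/etc/resolv.conf}"
```

The security-relevant distinction is between the last two outputs: "foreign (via 127.0.0.53 stub)" is the question's situation, where DNSOverTLS=yes in resolved.conf still governs every query made through libc; "foreign (bypasses systemd-resolved)" and "uplink" both mean ordinary applications resolve names with plaintext UDP to whatever nameserver the file lists, and the DoT setting in resolved.conf protects only callers that use resolved's own D-Bus or stub interface.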
