Running into the error

To deal with DNS hijacking and poisoning, I installed dnscrypt-proxy on Debian. After changing the config and restarting the service, it failed with:

$ systemctl status dnscrypt-proxy
× dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; disabled; preset: enabled)
Active: failed (Result: exit-code) since Thu 2024-06-20 10:36:31 CST; 1s ago
Duration: 22ms
TriggeredBy: ● dnscrypt-proxy.socket
Docs: https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Process: 54010 ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml (code=exited, status=255/EXCEPTION)
Main PID: 54010 (code=exited, status=255/EXCEPTION)
CPU: 21ms

Jun 20 10:36:31 debian12 systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jun 20 10:36:31 debian12 dnscrypt-proxy[54010]: [2024-06-20 10:36:31] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 10:36:31 debian12 dnscrypt-proxy[54010]: [2024-06-20 10:36:31] [NOTICE] Network connectivity detected
Jun 20 10:36:31 debian12 dnscrypt-proxy[54010]: [2024-06-20 10:36:31] [FATAL] listen udp 0.0.0.0:53: bind: permission denied
Jun 20 10:36:31 debian12 systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION
Jun 20 10:36:31 debian12 systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.

The key line is "listen udp 0.0.0.0:53: bind: permission denied". Note the wording: "permission denied" is EACCES, the error an unprivileged process gets when it tries to bind a port below 1024 without CAP_NET_BIND_SERVICE. The Debian unit runs the daemon as User=_dnscrypt-proxy and relies on dnscrypt-proxy.socket, owned by PID 1, to bind port 53 on its behalf and hand over the file descriptors; an address that is merely occupied by another process fails with "address already in use" instead. Checking what holds port 53 showed PID 1 (systemd):
$ netstat -tlunp|grep init
tcp 0 0 127.0.2.1:53 0.0.0.0:* LISTEN 1/init
udp 0 0 127.0.2.1:53 0.0.0.0:* 1/init
$ lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 47u IPv4 454880 0t0 TCP 127.0.2.1:domain (LISTEN)
systemd 1 root 48u IPv4 457853 0t0 UDP 127.0.2.1:domain

At first I assumed systemd-resolved, dnsmasq or something similar was holding the port; checking showed it was not.
Noticing "TriggeredBy: ● dnscrypt-proxy.socket", I found that systemctl stop dnscrypt-proxy.socket releases the port, but the service still failed after a restart.
$ systemctl stop dnscrypt-proxy.socket
$ lsof -i :53
$ netstat -tlunp|grep init
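The two bind errors above look alike in systemctl status but point at different causes, and the post's first guess (something occupying the port) is the explanation for the other one. The following shell script is an added example, not code from the original post or from the dnscrypt-proxy project: it classifies the [FATAL] line and prints the next command to run. The sample log lines in the test are constructed, modelled on the output shown above; TRIAGE_LIVE is a switch chosen for this example.

```shell
#!/bin/sh
# Added example: triage a dnscrypt-proxy start failure from its journal line.
#   "bind: permission denied"      -> EACCES: the daemon is not root and lacks
#                                     CAP_NET_BIND_SERVICE, so it cannot bind <1024 itself.
#   "bind: address already in use" -> EADDRINUSE: another listener (often PID 1 holding the
#                                     fds for dnscrypt-proxy.socket) owns the address.

# classify_bind_error LINE -> prints one of: eacces, eaddrinuse, other
classify_bind_error() {
    case "$1" in
        *"bind: permission denied"*)      echo eacces ;;
        *"bind: address already in use"*) echo eaddrinuse ;;
        *)                                echo other ;;
    esac
}

# bind_addr LINE -> extracts "proto addr:port" from "listen udp 0.0.0.0:53: bind: ..."
bind_addr() {
    printf '%s\n' "$1" | sed -n 's/.*listen \([a-z]*\) \([^ ]*\): bind:.*/\1 \2/p'
}

# advice KIND -> the next thing to check for that failure class
advice() {
    case "$1" in
        eacces)     echo "daemon runs unprivileged: keep socket activation, or grant CAP_NET_BIND_SERVICE via AmbientCapabilities= in the unit" ;;
        eaddrinuse) echo "another listener owns the address: run 'ss -tulnp sport = :53' and 'systemctl status dnscrypt-proxy.socket'" ;;
        *)          echo "not a bind error: read 'journalctl -u dnscrypt-proxy -b'" ;;
    esac
}

# Live triage on a real host; only runs when TRIAGE_LIVE=1 (assumed switch for this example),
# so the functions above can be sourced and tested offline.
if [ "${TRIAGE_LIVE:-0}" = 1 ]; then
    line=$(journalctl -u dnscrypt-proxy -b --no-pager 2>/dev/null | grep -m1 '\[FATAL\]')
    kind=$(classify_bind_error "$line")
    echo "fatal: $line"
    echo "addr : $(bind_addr "$line")"
    echo "class: $kind"
    echo "next : $(advice "$kind")"
    # Who holds port 53 right now (ss replaces netstat on Debian 12)
    ss -tulnp 'sport = :53' 2>/dev/null || true
fi
```

Run it as TRIAGE_LIVE=1 sh triage.sh on the failing host. The distinction matters for the fix: for EACCES the options are socket activation or a capability grant, while for EADDRINUSE the fix is to find and reconcile the other listener.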

Method 1

Reference: https://github.com/DNSCrypt/dnscrypt-proxy/issues/1066

You can do the following (it works because dnscrypt-proxy.socket is no longer started, although you then can't manage autostart through systemctl as before). Note the Loaded: line in the output: the unit now running is /etc/systemd/system/dnscrypt-proxy.service, which -service install generated, and a unit in /etc/systemd/system shadows the packaged one of the same name in /lib/systemd/system. Run systemctl cat dnscrypt-proxy to see exactly what the generated unit does, in particular which user it runs as, since the packaged unit deliberately drops to _dnscrypt-proxy:
$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -service install
$ dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -service start
$ systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-06-20 11:01:55 CST; 6s ago
TriggeredBy: ○ dnscrypt-proxy.socket
Main PID: 54652 (dnscrypt-proxy)
Tasks: 8 (limit: 9481)
Memory: 5.0M
CPU: 4ms
CGroup: /system.slice/dnscrypt-proxy.service
└─54652 /usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Jun 20 11:01:55 debian12 systemd[1]: Started dnscrypt-proxy.service - Encrypted/authenticated DNS proxy.
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] Network connectivity detected
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] Source [public-resolvers] loaded
Jun 20 11:01:55 debian12 dnscrypt-proxy[54652]: [2024-06-20 11:01:55] [NOTICE] Firefox workaround initialized

Official method

Reference (official docs): https://github.com/dnscrypt/dnscrypt-proxy/wiki/Installation-on-Debian-and-Ubuntu

Using the socket

With the socket approach, configure the listening port in /lib/systemd/system/dnscrypt-proxy.socket, set listen_addresses = [] in /etc/dnscrypt-proxy/dnscrypt-proxy.toml, then run the commands below. Be aware that files under /lib/systemd/system belong to the package and are overwritten on upgrade; the durable place for the change is a drop-in created with systemctl edit dnscrypt-proxy.socket, where an empty ListenStream= and ListenDatagram= line first resets the packaged addresses and the lines after it add yours.
systemctl enable dnscrypt-proxy
systemctl start dnscrypt-proxy

This worked for 127.0.0.1:53 but seemed not to for 0.0.0.0:53; dnscrypt-proxy.socket logged the message below. TCP_NODELAY is a TCP-only socket option: if the socket unit sets NoDelay=true, systemd applies it to every listener in the unit, and on the UDP listener the setsockopt call fails with "Protocol not available". systemd logs this as a warning and does not stop listening because of it, so this line on its own does not show what went wrong with 0.0.0.0:53; check systemctl status dnscrypt-proxy.socket and ss -tulnp 'sport = :53' to see what is actually bound.

Jun 20 15:55:28 debian12 systemd[1]: dnscrypt-proxy.socket: TCP_NODELAY failed: Protocol not available

Disabling the socket

The official way to disable the socket:

  1. Disable dnscrypt-proxy.socket
sudo systemctl stop dnscrypt-proxy.socket
sudo systemctl disable dnscrypt-proxy.socket
  2. Edit /lib/systemd/system/dnscrypt-proxy.service and remove its association with dnscrypt-proxy.socket (two lines commented out below). Two caveats a practitioner should keep in mind: edits under /lib/systemd/system are lost on the next package upgrade, and a drop-in cannot clear a dependency such as Requires=, so the durable fix is to copy the unit to /etc/systemd/system/ and edit the copy. Second, with the socket gone and User=_dnscrypt-proxy kept, the daemon once again binds port 53 itself and needs CAP_NET_BIND_SERVICE (for example AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section); otherwise the original "permission denied" comes back.
[Unit]
Description=DNSCrypt client proxy
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
# Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Install]
# Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
NonBlocking=true
ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true

User=_dnscrypt-proxy
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy
  3. The official docs say you also need to edit /lib/systemd/system/dnscrypt-proxy-resolvconf.service to remove its association with dnscrypt-proxy.socket. I don't think that is needed, and I couldn't configure it anyway; the two are associated by design.
  4. Reload the systemd unit configuration
systemctl daemon-reload
  5. Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml; dnscrypt-proxy.socket no longer matters here. I recommend adding 'alidns-doh' to server_names, which is faster and more stable from within China. Whichever resolvers you list see every query you send, so choose ones you are prepared to trust; the require_dnssec, require_nolog and require_nofilter settings in the same file restrict the selection to resolvers that advertise those properties.
  6. Start it
systemctl restart dnscrypt-proxy.service
  7. Success. Note the Loaded: line in the output: the unit actually running is /etc/systemd/system/dnscrypt-proxy.service, the file that -service install wrote in Method 1, not the edited file under /lib/systemd/system, since a unit in /etc/systemd/system shadows a packaged one of the same name. Confirm which file and which User= are in effect with systemctl cat dnscrypt-proxy.service.
$ systemctl status dnscrypt-proxy.service
● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-06-20 16:20:30 CST; 6s ago
TriggeredBy: ○ dnscrypt-proxy.socket
Main PID: 60103 (dnscrypt-proxy)
Tasks: 11 (limit: 9481)
Memory: 12.7M
CPU: 41ms
CGroup: /system.slice/dnscrypt-proxy.service
└─60103 /usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Jun 20 16:20:30 debian12 systemd[1]: Started dnscrypt-proxy.service - Encrypted/authenticated DNS proxy.
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] Network connectivity detected
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] Now listening to 0.0.0.0:53 [UDP]
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] Now listening to 0.0.0.0:53 [TCP]
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] Source [public-resolvers] loaded
Jun 20 16:20:30 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:30] [NOTICE] Firefox workaround initialized
Jun 20 16:20:31 debian12 dnscrypt-proxy[60103]: [2024-06-20 16:20:31] [NOTICE] [cloudflare] OK (DoH) - rtt: 151ms
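The following shell script is an added example and is not code from the original post or from the dnscrypt-proxy project. It implements both configurations described above, socket mode from "Using the socket" and direct mode from the "Disabling the socket" steps, without editing anything under /lib/systemd/system: socket mode writes a drop-in that resets the socket unit's addresses, and direct mode installs a full unit in /etc/systemd/system that keeps the unprivileged user and grants only CAP_NET_BIND_SERVICE instead of running the daemon as root. ROOT, TOML and LISTEN are parameters chosen for this example; the unit body is modelled on the packaged unit shown above, with the capability grant added.

```shell
#!/bin/sh
# Added example: generate systemd configuration for dnscrypt-proxy in either listening mode.
#   socket mode : PID 1 binds LISTEN via dnscrypt-proxy.socket and passes the fds to the
#                 service; listen_addresses in the TOML must then be [].
#   direct mode : the service binds LISTEN itself as User=_dnscrypt-proxy, which needs
#                 CAP_NET_BIND_SERVICE; AmbientCapabilities= grants just that capability.
#                 Dependencies such as Requires= cannot be cleared from a drop-in, so direct
#                 mode writes a complete unit to /etc/systemd/system, which shadows the
#                 packaged unit in /lib/systemd/system.
# Assumed parameters for this example: ROOT (empty = the real filesystem root), TOML, LISTEN.
set -eu

ROOT=${ROOT:-}
TOML=${TOML:-/etc/dnscrypt-proxy/dnscrypt-proxy.toml}
LISTEN=${LISTEN:-0.0.0.0:53}

# set_listen_addresses FILE VALUE -> rewrite (or append) the listen_addresses line of a TOML config
set_listen_addresses() {
    if grep -q '^listen_addresses = ' "$1"; then
        sed -i "s|^listen_addresses = .*|listen_addresses = $2|" "$1"
    else
        printf 'listen_addresses = %s\n' "$2" >>"$1"
    fi
}

# socket_mode -> drop-in for the socket unit; prints the path of the file it wrote
socket_mode() {
    d="$ROOT/etc/systemd/system/dnscrypt-proxy.socket.d"
    mkdir -p "$d"
    cat >"$d/override.conf" <<EOF
[Socket]
# An empty Listen*= assignment resets the list, dropping the packaged 127.0.2.1 entries.
ListenStream=
ListenDatagram=
ListenStream=$LISTEN
ListenDatagram=$LISTEN
EOF
    set_listen_addresses "$ROOT$TOML" '[]'
    echo "$d/override.conf"
}

# direct_mode -> full service unit with no socket dependency; prints the path of the file it wrote
direct_mode() {
    u="$ROOT/etc/systemd/system/dnscrypt-proxy.service"
    mkdir -p "${u%/*}"
    cat >"$u" <<EOF
[Unit]
Description=Encrypted/authenticated DNS proxy (direct bind, no socket activation)
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
After=network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
ExecStart=/usr/sbin/dnscrypt-proxy -config $TOML
User=_dnscrypt-proxy
# Only the capability needed to bind port 53; everything else stays unprivileged.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
CacheDirectory=dnscrypt-proxy
LogsDirectory=dnscrypt-proxy
RuntimeDirectory=dnscrypt-proxy

[Install]
WantedBy=multi-user.target
EOF
    set_listen_addresses "$ROOT$TOML" "['$LISTEN']"
    echo "$u"
}

# unit_has FILE LINE -> succeeds if the generated file contains exactly that directive line
unit_has() { grep -qxF "$2" "$1"; }

case "${1-}" in
    socket) socket_mode ;;
    direct) direct_mode ;;
esac
```

After running sh gen-units.sh socket (or direct) as root with ROOT unset, run systemctl daemon-reload, systemd-analyze verify on the generated file, then systemctl restart of the socket or service and confirm with ss -tulnp 'sport = :53'. Binding 0.0.0.0:53 makes the proxy reachable from every interface on the host, so either bind a specific LAN address or restrict port 53 with the firewall; otherwise the host becomes an open resolver for anything that can reach it.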

Testing

The service is up; now test it. Because the SERVER line below shows 127.0.0.1#53 with no @server given to dig, /etc/resolv.conf on this host already points at the local proxy, which is the other half of making the change effective.
$ dig raw.githubusercontent.com

; <<>> DiG 9.18.24-1~bpo11+1-Debian <<>> raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41724
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;raw.githubusercontent.com. IN A

;; ANSWER SECTION:
raw.githubusercontent.com. 3115 IN A 185.199.111.133
raw.githubusercontent.com. 3115 IN A 185.199.109.133
raw.githubusercontent.com. 3115 IN A 185.199.108.133
raw.githubusercontent.com. 3115 IN A 185.199.110.133

;; Query time: 444 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jun 20 11:05:30 CST 2024
;; MSG SIZE rcvd: 118

Done.