daxi20/smartdns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

en: update document.

Browse Source
This commit is contained in:
Nick Peng
2023-03-26 02:02:54 +08:00
parent 5ded52d4c0
commit 149a52584e
18 changed files with 1070 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
en/docs/config/ad-block.md Normal file
View File

@@ -0,0 +1,80 @@
---
hide:
- toc
---
# Ad Blocking
SmartDNS can block ads by returning SOA for the corresponding domain name.
Note: If you're using OpenWrt with LuCI, please refer to OpenWrt's domain blocking configuration method.
## Basic Configuration Method
1. Block ads via `address /domain/#` option, for example:
```shell
address /example.com/#
```
In the `address` option:
* `/domain/` uses a suffix matching algorithm that includes its subdomains;
* `#` alone indicates both IPv4 and IPv6 blocking;
* use `#6` to block IPv6 only;
* use `#4` to block IPv4 only;
* use `-` to unblock this domain.
1. Block IPv6 only:
```shell
address /example.com/#6
```
1. If you want to unblock a particular subdomain:
```shell
address /sub.example.com/-
```
## Using Community SmartDNS Ad-Blocking Lists
The community provides regularly updated ad-blocking list files for SmartDNS. You can directly use these ad-blocking list files, and add them to SmartDNS as an option with `conf-file`. Additionally, you can download and update these files periodically, then restart SmartDNS to take effect.
1. Download the configuration file to the `/etc/smartdns` directory:
```shell
wget https://github.com/privacy-protection-tools/anti-AD/blob/master/anti-ad-smartdns.conf -o /etc/smartdns/anti-ad-smartdns.conf
```
1. Modify the `/etc/smartdns/smartdns.conf` file to include the above configuration file:
```shell
conf-file /etc/smartdns/anti-ad-smartdns.conf
```
## Ad Blocking Lists
| Project | Description | Configuration File |
| -- | -- | --
| [anti-AD](https://anti-ad.net/) | Anti Advertising for smartdns | https://anti-ad.net/anti-ad-for-smartdns.conf |
## Non-SmartDNS List Format
For non-SmartDNS data, simple shell commands can convert it.
### `hosts` Format
The following command converts the `/path/to/hosts/file` file (replace the path with your actual file) to the format supported by SmartDNS:
```shell
cat /path/to/hosts/file | grep -v "^#" | awk '{print "address /"$2"/#"}' > anti-ad-smartdns.conf
```
### `dnsmasq` Format
The dnsmasq format is similar to SmartDNS, but not compatible. You can convert it using the following command:
```shell
cat /path/to/dnsmasq/file | grep address | awk -F= '{print "address "$2"#"}' > anti-ad-smartdns.conf
```

28
en/docs/config/basic-config.md Normal file
View File

@@ -0,0 +1,28 @@
---
hide:
- toc
---
# Basic Configuration
The smartdns configuration options are quite powerful, but as a basic DNS service, only the service port and upstream servers need to be configured. Other parameters can be left as default, which is the best configuration for local home networks.
## Sample Configuration
1. To provide service and accelerate DNS queries, the following configuration can be included in the smartdns.conf file:
```shell
# Listen on port 53
bind [::]:53
# Configure upstream servers
server 8.8.8.8
server 114.114.114.114
server 202.96.128.166:53
server-tls 1.1.1.1
```
In the options:
* `bind` indicates that the service end is opened and the corresponding port is listened to. `:53` binds IPv4 port 53 and `[::]:53` binds IPv6 port 53. The latter also binds IPv4 ports in most systems.
* `server` indicates the upstream server IP address, and the port can be omitted. If secure access to upstream is required, `server-tls`, `server-https` can be used. URI can also be used, such as `server tls://1.1.1.1:853`.
* If `server` is not specified, the system DNS address in the `/etc/resolv.conf` file will be automatically read.

34
en/docs/config/block-ipv6.md Normal file
View File

@@ -0,0 +1,34 @@
---
hide:
- toc
---
# Disable IPV6
Currently, IPV6 has entered thousands of households. However, in some cases, IPV6 addresses need to be disabled. Smartdns supports the following ways to disable IPV6 addresses.
1. Method 1: Completely Disable IPV6
```shell
force-AAAA-SOA yes
```
1. Method 2: Disable IPV6 of Specific Domain Name
```shell
address /example.com/#6
```
## Disable Other Query Requests
Smartdns supports disabling other query requests, and the corresponding parameter is `force-qtype-SOA`.
```shell
force-qtype-SOA 28
```
After force-qtype-SOA parameter is the type of DNS. The specific types can be queried from the IANA Explanation.
## Additional Notes
Smartdns has the ability to automatically detect IPV6 environment. If the network environment does not support IPV6, the IPV6-related optimization functions will be automatically disabled.

29
en/docs/config/bootstrap-dns.md Normal file
View File

@@ -0,0 +1,29 @@
---
hide:
- toc
---
# Bootstrap DNS
For upstream servers of domain names, SmartDNS will use IP address servers for resolution, so BootStrap DNS usually does not need to be configured. However, if special needs arise, BootStrap DNS needs to be specified, which can be configured in the following ways:
1. Method 1: Specify BootStrap DNS for all servers
Use the `-bootstrap-dns` parameter to specify a specific server as the BootStrap DNS.
```shell
server 1.2.3.4 -bootstrap-dns
server dns.server
```
1. Method 2: For specific servers
Use the `nameserver /domain/bootstrap-dns` parameter to specify that a specific domain name uses a specific DNS for resolution.
```shell
# Configure bootstrap DNS
server 1.2.3.4 -group bootstrap-dns
nameserver /dns.server/bootstrap-dns
# This server will use 1.2.3.4 for resolution
server dns.server
```

109
en/docs/config/cache.md Normal file
View File

@@ -0,0 +1,109 @@
---
hide:
- toc
---
# Cache
SmartDNS provides caching capabilities. With caching enabled, it can provide better DNS query requests. The expiration cache feature provided by smartdns will further improve the experience.
## Cache Configuration
SmartDNS can configure the number of caches through `cache-size`. It can also configure whether to persist the cache through `cache-persist` and can specify the cache file storage path through `cache-file`.
```shell
cache-size 32768
cache-persist yes
cache-file /path/to/cache/file
```
Note:
  1. SmartDNS enable cache according to disk space by default.
  1. Cache files will only be saved for next use when processes exited normally.
  1. Cache size `cache-size` usually does not need to be set. SmartDNS will automatically set it based on the system memory situation.
## Cache prefetch
SmartDNS can be set to prefetch cache to avoid cache timeout. After configuring prefetch, SmartDNS will re-query the domain name within 5 seconds before the domain name expires. And sort the popularity of domain names.
```shell
prefetch-domain yes
```
Note:
  1. This feature will cause SmartDNS to consume more CPU.
## Expired cache
Expired cache, also called optimistic cache, specifies that when the TTL of the DNS domain name reaches 0, its result is still stored in the cache, and the cached result is returned to the client next time it queries to avoid waiting for the client. The premise of optimistic caching is that the corresponding IP address of DNS will not change frequently.
The specific principle of optimistic caching can refer to (RFC 8767) (https://www.rfc-editor.org/rfc/rfc8767)
The process for SmartDNS to handle expired cache is as follows:
```mermaid
%%{init: {'theme':'forest'}}%%
sequenceDiagram
participant client as Client
participant smartdns as SmartDNS
participant Server as Upstream DNS server
client->>smartdns: DNS inquiry
smartdns->>smartdns: The domain name is already in the cache, and it has expired.
smartdns->>client: Returns the result of the expired domain with TTL of 3
smartdns->>+Server: Upstream query DNS
Server->>-smartdns: Return the query result
smartdns->>smartdns: Measuring the speed and caching the result
client->>smartdns: Query again after 3 seconds to get the best result.
```
Through the above sequence diagram, it can be seen that when the cache expires, SmartDNS still sends the expired IP address to the client so that the client can quickly connect to the server. The premise of this mechanism is that the server IP address has not changed.
In reality, in most cases, after modifying the domain name IP address, it will not take effect immediately for thousands of households, because the global domain name system may take up to 72 hours to complete the refresh after IP changes domain. Even if the IP address in the expired cache appears to be faulty, SmartDNS returns the TTL of the expired IP to the client only for 3 seconds. After 3 seconds, the client will use the new IP again, which may require refreshing the page and retrying once in the client application. In addition, SmartDNS can set prefetch to avoid this problem as much as possible according to the implementation scenario.
Therefore, it is a good practice to enable expired cache in the main scenario.
## Configuration steps
1. Enable expired cache
```shell
serve-expired yes
```
1. Configure the expired cache timeout
This time indicates how long the expired cache has not been accessed, and it is released from the cache.
```shell
serve-expired-ttl 259200
```
1. Configure the expired cache response TTL
This time indicates the TTL time returned to the client when the domain name TTL in the cache expires, allowing the client to query again after the following TTL time.
```shell
serve-expired-reply-ttl 3
```
1. Expired cache prefetch time
This time indicates how long the expired cache has not been accessed, and initiates prefetch proactively to avoid invalid IPs. After enabling expired cache, the prefetch function will be different from disabling it.
```shell
prefetch-domain yes
serve-expired-prefetch-time 21600
```
## Disable cache for specific domains
1. In some cases, it may be necessary to disable caching for specific domains, such as DDNS. The following configuration can be used to disable it.
```shell
domain-rules /example.com/ -no-cache
```

72
en/docs/config/check-speed-mode.md Normal file
View File

@@ -0,0 +1,72 @@
---
hide:
- toc
---
# Speed Test Mode
SmartDNS can modify the speed test mode and response mode. These two modes affect the performance and results of queries.
| Mode | Parameter | Explanation |
| --- | --- | ---
| Speed test mode | speed-check-mode | SmartDNS speed test mode
| Response mode | response-mode | Result response mode |
## Speed test mode configuration
SmartDNS provides two speed test modes, namely ping and tcp. Smartdns defaults to use three tests. The first one is ping, the second one is tcp on port 80, and the third one is tcp on port 443. The speed test mode can be modified through speed-check-mode.
1. Global speed test mode configuration
```shell
speed-check-mode ping,tcp:80,tcp:443
speed-check-mode tcp:443,ping
speed-check-mode none
```
Options:
* ping indicates using ping mode, tcp:port number indicates using tcp connection to the corresponding port
* none indicates not to perform speed test
* Trigger of speed test options: When three speed test modes are configured, SmartDNS first uses the first one, 200ms later, the second one is used, and 400ms later, the third one is used.
1. Single domain speed test mode configuration
```shell
domain-rule /example.com/ -speed-check-mode ping,tcp:80,tcp:443
```
1. Turn off speed test when querying corresponding ports
```shell
bind [::]:53 -no-speed-check
```
1. Extra
If the domain names that need to be routed are forwarded through forwarding programs, consider turning off the speed test function of the forwarding domain name to avoid the reverse effect caused by inconsistent speed tests and exports, and close the speed test of specific domain names as follows:
```shell
domain-rule /example.com/ -speed-check-mode none
```
## Response mode configuration
SmartDNS supports setting the first request response mode through `response-mode`. These three modes affect the query results and response time, and SmartDNS uses an optimized plan by default, but users can also make modifications as needed. The functions and performance of these three modes are as follows:
| Mode | Configuration | Delay | Result | Explanation |
| --- | --- | --- | --- | ---
| Fastest ping response address mode | first-ping | Moderate | Possibly second best | Fastest upstream DNS query delay + shortest ping delay, best query waiting and linking experience (currently the default)
| Fastest IP address mode | fastest-ip | Long | Best | The IP address with the shortest ping among all queried IP addresses. The longest DNS query time and the shortest IP link. (Previous mode)
| Fastest response DNS mode | fastest-response | Short | Possibly worst | Shortest DNS query waiting time.
For cached data after enabling cache function, the results are best regardless of which method is used, so it is not recommended to disable cache.
## Set return mode for specified domain name
1. In some cases, it may be necessary to set the response mode of a specific domain name to improve the Internet experience. You can configure the following parameters
```shell
domain-rules /example.com/ -r first-ping
domain-rules /example.com/ -response-mode fastest-response
```

18
en/docs/config/cname.md Normal file
View File

@@ -0,0 +1,18 @@
---
hide:
- toc
---
# CNAME Alias Query
In some cases, it is necessary to use the results of the query of domain B for the query of domain A, such as the optimization of the speed of some CDN. At this time, you can use the CNAME alias query function.
## Configuration Steps
1. Use `cname /a.com/b.com` to configure the proxy server
```shell
cname /a.com/b.com
```
In the above example, when querying a.com, the query result of b.com will be used.

22
en/docs/config/dns64.md Normal file
View File

@@ -0,0 +1,22 @@
---
hide:
- toc
---
# DNS64
DNS64 is used to support accessing IPV4 websites in a pure IPV6 network, smartdns also provides support for this, and can use the dns64 parameter to configure the DNS64 server.
## Configuration Steps
1. Use `dns64 ip/mask` to configure the proxy server
```shell
dns64 64:ff9b::/96
```
1. In a pure IPV6 environment, it is recommended to disable the dual stack optimization function.
```shell
dualstack-ip-selection no
```

48
en/docs/config/domain-forwarding.md Normal file
View File

@@ -0,0 +1,48 @@
---
hide:
- toc
---
# DNS Forwarding
SmartDNS can support DNS Forwarding by using specific DNS servers to query specific domain names, such as:
```shell
.home -> 192.168.1.1 # .home domain names are sent to 192.168.1.1 for resolution
.office -> 10.0.0.1 # .office domain names are sent to 10.0.0.1 for resolution
```
Other domain names are resolved using the default mode. The configuration of this forwarding is as follows:
## Configuration Steps
1. Configure the upstream server group and group the upstream server using `-group`
```shell
# Configure upstream server, specify group name with -group, and exclude the server from the default group with -exclude-default-group.
server 192.168.1.1 -group home -exclude-default-group
server 10.0.0.1 -group office -exclude-default-group
server 8.8.8.8
```
1. Configure the server group used for corresponding domain name resolution
```shell
# Upstream server rules, .home domain names use servers in the home group for all queries
nameserver /home/home
# Upstream server rules, .office domain names use servers in the office group for all queries
nameserver /office/office
```
Similarly, home can be replaced with domestic, and office can be replaced with overseas.
## More Abilities
By configuring the above, DNS resolution forward can be realized. If you need to forward according to the requesting port, you can configure the second DNS server, and add the `--group` parameter to the `bind` configuration to specify the forward name.
```shell
bind :7053 -group office
bind :8053 -group home
```
By configuring the above, requests to the 7053 port are all queried using the office group, and requests to the 8053 port are all queried using the home group.

29
en/docs/config/domain-set.md Normal file
View File

@@ -0,0 +1,29 @@
---
hide:
- toc
---
# Usage of Domain Set
To facilitate configuring domain names by collection, the domain set can be specified for configuration with `/domain/`. The specific method is:
1. Use `domain-set` to configure the collection file, such as:
```shell
domain-set -name ad -file /etc/smartdns/ad-list.conf
```
The format of `ad-list.conf` is one domain per line, such as:
```shell
ad.com
site.com
```
2. Use the domain set in the options with `/domain/` configuration. Just set `/domain/` to `/domain-set:[collection name]/`, such as:
```shell
address /domain-set:ad/#
domain-rules /domain-set:ad/ -a #
nameserver /domain-set:ad/server
```

52
en/docs/config/dualstack.md Normal file
View File

@@ -0,0 +1,52 @@
---
hide:
- toc
---
# Dual Stack Selection
Most home users have already had IPV6, IPV4 dual-stack network. Currently, most operating systems will use IPV6 network first. However, in some cases, IPV4 network may be better than IPV6, and in other cases, IPV6 network may be better than IPV4.
SmartDNS provides a dual-stack Selection function, which will automatically perform speed measurement and prioritize the IP address with faster speed for the client operating system to use.
## Configuration Steps
1. Use `dualstack-ip-selection` to enable dual-stack Selection.
```shell
dualstack-ip-selection yes
```
1. If IPV6 is preferred, you can adjust the threshold using `dualstack-ip-selection-threshold`.
```shell
dualstack-ip-selection-threshold 10
```
Note:
1. The unit is ms. The IP address with speed greater than the specified value will be preferred.
1. Allow pure IPV6 addresses.
By default, smartdns always returns IPV4 addresses, because some software does not have the ability to access IPV6. However, if you do need to use a pure IPV6 address, you can allow smartdns to prefer only IPV6.
```shell
dualstack-ip-allow-force-AAAA yes
```
## Special Applications
In some cases, it may be necessary to temporarily disable dual-stack Selection of certain domain names, which can be achieved in the following two ways:
1. Disable Selection of queried domain names on specified ports.
```shell
bind [::]:53 -no-dualstack-selection
```
1. Disable Selection of specific domain names.
```shell
domain-rules /example.com/ -dualstack-ip-selection no
```

296
en/docs/config/forwarding-with-ipset.md Normal file
View File

@@ -0,0 +1,296 @@
---
hide:
- toc
---
# Whitelist dns forwarding request
## Flow process
The functions that need to be implemented for dns forwarding are as follows:
* Internal domain obtains IP by querying internal DNS server, and measures the speed of IP to return the fastest IP address to the client.
* External domain queries from external server, external domain manages IP data through domain list, and the IP data is transparently forwarded through TPROXY.
The corresponding process diagram is as follows:
``` mermaid
%%{init: {'theme':'forest'}}%%
flowchart
style client color:white,fill:#dd5555,stroke:#ee00,stroke-width:2px
style ipset color:white,fill:green,stroke:#ee00,stroke-width:2px
style ipset1 color:white,fill:green,stroke:#ee00,stroke-width:2px
style speed-check color:white,fill:green,stroke:#ee00,stroke-width:2px
client(((Client)))-----> |1. Request|smartdns
smartdns---->|2. Obtain IP|client
client--->|3. Request data using IP|router
subgraph smartdns [SmartDNS&nbsp&nbsp]
server(DNS service)-->|a.Handling namserver rules|rule(domain name rules)
rule-->|b.External domains|public-group(external server group)
rule-->|b.Internal domains|private-group(internal server group)
public-group-->|d. Add IP to IPSet|ipset1(IPSet,NFTSet)
private-group-->|d. Measuring the speed and obtain the fastest IP address|speed-check(Measuring speed)
end
router-->ipset(IPSet,NFTSet)
subgraph router [Routing gateway]
NAT-->|a. Receive data packet|ipset-->|b. Data forwarding|tproxy(TPROXY forwarding service)
end
tproxy----->|VPN|ProxyServer
tproxy----->|SOCKS5|ProxyServer
tproxy----->|HTTP PROXY|ProxyServer
public-group--->|c.Query external domain|public-servers(external DNS server)
private-group--->|c.Query internal domain|private-servers(internal DNS server)
```
1. The client queries the domain name to the SmartDNS server.
1. SmartDNS processes requests.
1. Determine the domain name according to the rules given by namserver.
1. If the domain name is an internal domain name, use the internal domain name server for the query. If the domain name is an external domain name, use the external domain name server for the query.
1. For internal domain names, use the speed measurement function to obtain the fastest IP address.
1. For external domain names, after obtaining the fastest response DNS result, add the IP address to the IPSet/NFTSet.
1. SmartDNS returns the IP address.
1. The client obtains the IP address from SmartDNS.
1. The client requests data using the IP address through the gateway.
1. The gateway receives the data packet and judges the IP rule using IPSet/NFTSet.
1. If the IP is in the IPSet/NFTSet (external domain name), use TPROXY to send the data to the remote proxy server.
1. If IP does not exist in IPSet/NFTSet (internal domain name), it is directly forwarded by NAT.
## SmartDNS forward configuration
In the above process diagram, SmartDNS forward data needs to be set as follows
* The internal domain obtains IP by querying the internal DNS server, and measures the speed of IP to return the fastest IP address to the client.
* The external domain queries from the external server, does not measure the speed, and adds the IP address to the IPSet/NFTSet for data forwarding.
1. Basic configuration
Enable the SmartDNS service and set the relevant functions.
```shell
# Enable the server
bind [::]:53
# Enable speed measurement
speed-check-mode ping,tcp:80,tcp:443
# Enable dual stack optimization
dualstack-ip-selection yes
# Enable caching and persistence
cache-size 32768
cache-persist yes
prefetch-domain yes
serve-expired yes
```
1. Add DNS server
Add upstream server and specify internal and external server groups with `-group` parameter.
```shell
# External server group
server 1.2.3.4 -group public
# Internal server group
server 1.2.3.4 -group private
```
Note:
1. It is recommended to configure multiple external and internal servers.
2. The `public` external server group can choose to configure the `-exclude-default-group` parameter to avoid internal domain name queries through external servers.
3. The `public` external server group can use the `proxy-server` option to configure query through socks5, http proxy, so that the results will be better.
1. Configure domain name policy
Configure blacklist domain names, use the `public` server group for domain names in the list, turn off speed measurement, turn off IPV6, and join IPSET.
```shell
# Add domain name list, format one domain name per line
domain-set -name public-domain-list -file /path/to/public/domain/list
# Set the corresponding domain name list rules.
domain-rules /domain-set:public-domain-list/ -ipset public -nftset #4:ip#table#set -c none -address #6 -nameserver public
```
Note:
1. The domain name list can be configured to automatically update at fixed intervals using crontab, and the format is one domain name per line.
```shell
a.com
b.com
...
```
1. In domain name rules:
1. -ipset represents adding results to the corresponding ipset name, `public` is an example, and can be modified to the corresponding ipset name as needed.
2. -nftset represents adding the result to the corresponding nftset name, `#4:ip#table#set` is an example and needs to be modified to the corresponding ipset name.
3. -c none: Disables speed measurement, and specific parameters refer to speed-check-mode.
4. -address #6: Disables IPV6. If the forwarding program supports IPV6, this parameter can be omitted.
5. -nameserver public: Indicates using the DNS server of the public group to resolve the results.
## IPSET and transparent forwarding rule configuration
To cooperate with smartdns to complete the forwarding of external requests, it is necessary to configure related ipset and rules. The specific configuration steps are as follows:
1. Create IPSet
Execute a shell command to create IPSET.
```shell
# Create ipset collection
ipset create public hash:net
```
1. Configure rules in SmartDNS.
```shell
ipset /example.com/public
```
1. Set up transparent forwarding rules:
Transparent forwarding in Linux is divided into TPROXY and REDIRECT two modes. These two modes have the following differences in use and can be selected for configuration as needed.
Mode: TPROXY, REDIRECT
TPROXY: Supports UDP, TCP forwarding, slightly complicated configuration.
REDIRECT: Only supports TCP and configurations are simple.
1. Approach One: TCP forwarding only (easy)
* Set rules
```shell
# Set forwarding rules to redirect matching requests to port 1081 on the local machine
iptables -t nat -I PREROUTING -p tcp -m set --match-set public dst -j REDIRECT --to-ports 1081
```
* Enable forwarding program
The local 1081 port opens the forwarding program in REDIRECT mode.
* Delete rules
```shell
iptables -t nat -D PREROUTING -p tcp -m set --match-set public dst -j REDIRECT --to-ports 1081
```
1. Approach Two: TCP/UDP TPROXY forwarding
Execute a shell command to set the iptable rules to transparently forward TCP/UDP requests that match the domain name, according to the TPROXY method, to the local machine's port 1081, reference rules are as follows:
* Set rules
```shell
# Set routing rules
ip rule add fwmark 1104 lookup 1104
ip route add local 0.0.0.0/0 dev lo table 1104
# Set TPROXY forwarding rules for UDP and TCP modes, and forward the data to port 1081 on the local machine
iptables -t mangle -N SMARTDNS
iptables -t mangle -A SMARTDNS -p tcp -m set --match-set public dst -j TPROXY --on-ip 127.0.0.1 --on-port 1081 --tproxy-mark 1104
iptables -t mangle -A SMARTDNS -p udp -m set --match-set public dst -j TPROXY --on-ip 127.0.0.1 --on-port 1081 --tproxy-mark 1104
iptables -t mangle -A SMARTDNS -j ACCEPT
iptables -t mangle -A PREROUTING -j SMARTDNS
```
* Enable forwarding program
The local 1081 port opens the forwarding
* Deletion rules:
```shell
ip rule del fwmark 1104
iptables -t mangle -D PREROUTING -j SMARTDNS
iptables -t mangle -F SMARTDNS
iptables -t mangle -X SMARTDNS
```
## NFTSET and transparent forwarding rule configuration
1. Method 1: TCP forwarding only (easier)
1. Create nftable's nftset collection, collection name is `#4:ip#nat:public_set`
```shell
nft add set ip nat public_set { type ipv4_addr\; flags interval\; auto-merge\; }
```
1. Set REDIRECT forwarding rule
```shell
nft add rule ip nat PREROUTING meta l4proto tcp ip daddr @public_set redirect to :1081
```
1. Configure nftable rules in smartdns
```shell
nftset /example.com/#4:ip:nat:public_set
```
1. Enable forwarding program
Redirect mode forwarding program on local port 1081.
1. Note that you can create a separate forwarding table for easy management as follows. Create smartdns table, name the nftset `#4:ip#smartdns#public`
```shell
# Create smartdns table
nft add table ip smartdns
# Create NFTSET collection
nft add set ip smartdns public { type ipv4_addr\; flags interval\; auto-merge\; }
# Set forwarding rule
nft add chain ip smartdns prerouting { type nat hook prerouting priority dstnat + 1\; }
nft add rule ip smartdns prerouting meta l4proto tcp ip daddr @public redirect to :1081
```
```shell
# Delete table
nft delete table ip smartdns
```
1. Method 2: TPROXY mode forwarding TCP and UDP
1. Configure rules
```shell
# Set routing rules
ip rule add fwmark 1104 lookup 1104
ip route add local 0.0.0.0/0 dev lo table 1104
# Create smartdns table
nft add table ip smartdns
# Create NFTSET collection
nft add set ip smartdns public { type ipv4_addr\; flags interval\; auto-merge\; }
# Set forwarding rule
nft add chain ip smartdns prerouting { type filter hook prerouting priority 0\; }
nft add rule ip smartdns prerouting meta l4proto tcp ip daddr @public tproxy to :1081 mark set 1104
nft add rule ip smartdns prerouting meta l4proto udp ip daddr @public tproxy to :1081 mark set 1104
```
```shell
# View rules
nft list table ip smartdns
```
```shell
# Delete existing rules
nft delete table ip smartdns
```
1. Configure nftset in smartdns
```shell
nftset /example.com/#4:ip#smartdns:public
```
1. Enable forwarding program
TPROXY mode forwarding program on local port 1081.
## Additional instructions
If using the OpenWrt luci interface, domain routing rules can be configured directly in the interface.

73
en/docs/config/ipset-nftset.md Normal file
View File

@@ -0,0 +1,73 @@
---
hide:
- toc
---
# Use ipset and nftset
Like Dnsmasq, smartdns supports ipset and nftset, which can use TPROXY to transparently forward specific domain names. The comparison of transparent forwarding tools is as follows:
1. Tools: iptable, nftable
iptable: A mature routing rule configuration tool.
nftable: A more powerful rule configuration tool that is becoming mainstream.
## ipset configuration
1. Basic configuration
The following parameters can be used to configure IPSet rules for specified domain names.
```shell
nftset /domain/[#4:ip#table#set,#6:ipv6#table#setv6]
```
1. Timeout
SmartDNS sets IPSet to support enabling timeout function, which can avoid too many IP addresses in IPSet and reduce gateway performance.
```shell
nftset-timeout yes
```
1. Automatically add to IPSet after speed measurement fails
SmartDNS can add IP addresses that fail the speed measurement to IPSet, and then forward them through related IP rules.
```shell
nftset-no-speed ipsetname
```
1. Debugging
If debugging is needed, nftset's debugging function can be enabled.
```shell
nftset-debug yes
```
## nftset configuration
1. Basic configuration
The following parameters can be used to configure NFTSet rules for specified domain names.
```shell
ipset /domain/ipset
```
1. Timeout
SmartDNS sets IPSet to support enabling timeout function, which can avoid too many IP addresses in NFTSet and reduce gateway performance.
```shell
ipset-timeout yes
```
1. Automatically add to IPSet after speed measurement fails
SmartDNS can add IP addresses that fail the speed measurement to IPSet, and then forward them through related IP rules.
```shell
ipset-no-speed ipsetname
```

24
en/docs/config/proxy.md Normal file
View File

@@ -0,0 +1,24 @@
---
hide:
- toc
---
# Query through Proxy
Smartdns supports querying through proxy servers, including socks5 and http proxy servers. Socks5 supports both udp and tcp types of proxies, while http does not support udp proxies. Please note the difference.
## Configuration Steps
1. Use `proxy-server` to configure the proxy server.
```shell
proxy-server socks5://1.2.3.4 -name socks5
```
1. Use the `-proxy` parameter to configure the server to use the proxy server:
```shell
server 8.8.8.8 -proxy socks5
```
Note that the `-name` for `proxy-server` and the `-proxy` for server must have the same name.

19
en/docs/config/resolv-dnsmasq-lease.md Normal file
View File

@@ -0,0 +1,19 @@
---
hide:
- toc
---
# Parsing Local Hostnames
SmartDNS can support the resolution of local hostname->IP address by cooperating with DNSMASQ dhcp lease file. SmartDNS can be configured to read the lease file of dnsmasq and support resolution. The specific configuration parameters are as follows
(Note that DNSMASQ lease files may vary from system to system and need to be configured according to actual conditions)
```shell
dnsmasq-lease-file /var/lib/misc/dnsmasq.leases
```
After the configuration is completed, you can directly connect to the corresponding machine using the hostname. However, it should be noted that:
1. The Windows system defaults to using mDNS to resolve addresses. If you need to use smartdns for resolution under Windows, you need to add `.` after the hostname to indicate the use of DNS resolution, such as `ping smartdns.`
1. SmartDNS will monitor file changes periodically and automatically load mapping relationships that have changed.

40
en/docs/config/security.md Normal file
View File

@@ -0,0 +1,40 @@
---
hide:
- toc
---
# Security Related
smartdns is a DNS server that is bound to port 53 by default. Running smartdns in root permissions may lead to external data queries. Therefore, we can improve the security of smartdns as follows:
## Run as non-root user
Specify a non-root user to run, such as running as nobody
```shell
user nobody
```
## Bind to a specific IP or NIC
Specify the IP address or NIC to bind to via the `bind` parameter
1. Bind to a specific IP
```shell
bind 192.168.1.1:53
```
1. Bind to a specific NIC
```shell
bind [::]:53@eth0
```
## Use a TLS server to provide queries to the public network
Provide services to outside world through a TLS server
```shell
bind-tls [::]:853@eth0
```

74
en/docs/config/server-config.md Normal file
View File

@@ -0,0 +1,74 @@
---
hide:
- toc
---
# Server Configuration
Currently, smartdns provides three server modes: UDP, TCP, and DOT.
## UDP Server
1. Configure with the `bind` parameter. For example:
```shell
bind 0.0.0.0:53@eth0
bind [::]:53@eth0
bind :53@eth0
```
Options:
* @eth0 indicates that it only provides services on the corresponding NIC.
* [::]:53 indicates that it listens to both IPV6 and IPV4 addresses.
* :53 represents listening to IPV4 addresses.
## TCP Server
1. Configure with the `bind-tcp` parameter. For example:
```shell
bind-tcp 0.0.0.0:53@eth0
bind-tcp [::]:53@eth0
bind-tcp :53@eth0
```
1. Optional, the `tcp-idle-time` parameter controls the TCP idle disconnect time.
```shell
tcp-idle-time 120
```
## DOT Server
1. Configure with the `bind-tcp` parameter. For example:
```shell
bind-tcp 0.0.0.0:53@eth0
bind-tcp [::]:53@eth0
bind-tcp :53@eth0
```
1. Set certificate and key files
```shell
bind-cert-file smartdns-cert.pem
bind-cert-key-file smartdns-key.pem
bind-cert-key-pass pass
```
Options:
* `bind-cert-file`: Specifies the certificate file path.
* `bind-cert-key-file`: Specifies the certificate key file path.
* `bind-cert-key-pass`: Specifies the password for the certificate key file. (Optional)
Note:
If these three parameters are not specified, smartdns will automatically generate a self-signed cert `smartdns-cert.pem` and `smartdns-key.pem` key file in the `/etc/smartdns` directory, with CN as smartdns.
1. Optional, the `tcp-idle-time` parameter controls the TCP idle disconnect time.
```shell
tcp-idle-time 120
```

23
en/mkdocs.yml
View File

@@ -61,6 +61,11 @@ markdown_extensions:
- pymdownx.mark
- pymdownx.smartsymbols
- pymdownx.superfences
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
nav:
@@ -72,6 +77,24 @@ nav:
- ASUS firmware / Merlin firmware: 'install/asus.md'
- EntWare: 'install/entware.md'
- WSL: 'install/wsl.md'
- Configuration Guides:
- Basic Configuration: 'config/basic-config.md'
- Server Configuration: 'config/server-config.md'
- Cache Settings: 'config/cache.md'
- Ad Blocking: 'config/ad-block.md'
- Dual Stack Optimization: 'config/dualstack.md'
- Disable IPV6: 'config/block-ipv6.md'
- Domain Forwarding: 'config/domain-forwarding.md'
- Check Speed Mode: 'config/check-speed-mode.md'
- Security Related: 'config/security.md'
- Resolve Local Hostname: 'config/resolv-dnsmasq-lease.md'
- Bootstrap DNS: 'config/bootstrap-dns.md'
- CNAME Alias Query: 'config/cname.md'
- Domain Set: 'config/domain-set.md'
- IPSet and NFTSet: 'config/ipset-nftset.md'
- Query through Proxy: 'config/proxy.md'
- DNS64: 'config/dns64.md'
- Forwarding with IPSet: 'config/forwarding-with-ipset.md'
- Configurations: 'configuration.md'
- Compile: 'compile.md'
- FAQ: 'faq.md'