I set up a DNS over HTTPS environment on Pi-hole.
Trying 1.1.1.1 with DNS over HTTPS
https://blog.nic.ad.jp/2018/1742/
It can be set up by following the steps on the site below.
Configuring DNS-Over-HTTPS on Pi-hole
https://docs.pi-hole.net/guides/dns-over-https/
Environment
・Raspberry Pi type B
・Raspbian GNU/Linux 10 (buster)
・pi-hole
Pi-hole version is v5.1.2 (Latest: v5.1.2)
AdminLTE version is v5.1.1 (Latest: v5.1.1)
FTL version is v5.2 (Latest: v5.2)
Cloudflared releases Archives
https://dl.equinox.io/cloudflare/cloudflared/stable/archive
- Binary download
- Copy the program
- Create the cloudflared user
- Create the cloudflared configuration file
- Change the owner to the cloudflared user
- Create the systemd script
- Configure auto-start and start the service
- Verify
- Pi-hole DNS settings
Download the binary for the armhf architecture.
armhf architecture (32-bit Raspberry Pi)
https://docs.pi-hole.net/guides/dns-over-https/#armhf-architecture-32-bit-raspberry-pi
pi@pi-hole:~ $ wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
--2020-11-20 19:09:00--  https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
Resolving bin.equinox.io (bin.equinox.io)... 54.164.152.149, 34.232.108.170, 34.198.20.103, ...
Connecting to bin.equinox.io (bin.equinox.io)|54.164.152.149|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16485266 (16M) [application/octet-stream]
Saving to: 'cloudflared-stable-linux-arm.tgz'

cloudflared-stable-l 100%[====================>]  15.72M   209KB/s    in 1m 54s

2020-11-20 19:10:55 (141 KB/s) - 'cloudflared-stable-linux-arm.tgz' saved [16485266/16485266]

pi@pi-hole:~ $ tar -xvzf cloudflared-stable-linux-arm.tgz
cloudflared
pi@pi-hole:~ $ ls -l cloudflared
-rwxr-xr-x 1 pi pi 31768360 Nov 20 01:43 cloudflared
I tried running it, but it fails with a Segmentation fault.
pi@pi-hole:~ $ ./cloudflared -v
Segmentation fault
Searching turned up the following site.
DNS over HTTPS – cloudflared has a segmentation fault
https://www.reddit.com/r/pihole/comments/94spyp/dns_over_https_cloudflared_has_a_segmentation/
Wow!
2018.7.2 is the last version that works for me:
https://bin.equinox.io/a/4SUTAEmvqzB/cloudflared-2018.7.2-linux-arm.tar.gz
Downloading cloudflared-2018.7.2-linux-arm.tar.gz and running it worked.
pi@pi-hole:~ $ wget https://bin.equinox.io/a/4SUTAEmvqzB/cloudflared-2018.7.2-linux-arm.tar.gz
pi@pi-hole:~ $ tar xvfz cloudflared-2018.7.2-linux-arm.tar.gz
cloudflared
pi@pi-hole:~ $ ls -l
-rwxr-xr-x 1 pi pi 22997640 Jul 14  2018 cloudflared
pi@pi-hole:~ $ ./cloudflared -v
cloudflared version 2018.7.2 (built 2018-07-13-1701 UTC)
Copy the program to /usr/local/bin.
pi@pi-hole:~ $ sudo cp ./cloudflared /usr/local/bin
Create the user cloudflared for running the daemon.
pi@pi-hole:~ $ sudo useradd -s /usr/sbin/nologin -r -M cloudflared
Run cloudflared on port 5053, with Cloudflare's DNS servers 1.1.1.1 and 1.0.0.1 specified as the upstreams.
pi@pi-hole:~ $ sudo vi /etc/default/cloudflared
pi@pi-hole:~ $ sudo cat /etc/default/cloudflared
# Commandline args for cloudflared, using Cloudflare DNS
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Change the owner of /etc/default/cloudflared and /usr/local/bin/cloudflared.
pi@pi-hole:~ $ sudo chown cloudflared:cloudflared /etc/default/cloudflared
pi@pi-hole:~ $ sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
pi@pi-hole:~ $ sudo vi /etc/systemd/system/cloudflared.service
pi@pi-hole:~ $ sudo cat /etc/systemd/system/cloudflared.service
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
pi@pi-hole:~ $ sudo systemctl enable cloudflared
Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service -> /etc/systemd/system/cloudflared.service.
pi@pi-hole:~ $ sudo systemctl start cloudflared
pi@pi-hole:~ $ sudo systemctl status cloudflared
* cloudflared.service - cloudflared DNS over HTTPS proxy
   Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset
   Active: active (running) since Fri 2020-11-20 20:50:19 JST; 7s ago
 Main PID: 1465 (cloudflared)
    Tasks: 6 (limit: 881)
   CGroup: /system.slice/cloudflared.service
           `-1465 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream http

Nov 20 20:50:19 pi-hole systemd[1]: Started cloudflared DNS over HTT
Nov 20 20:50:20 pi-hole cloudflared[1465]: time="2020-11-20T20:50:20
Nov 20 20:50:20 pi-hole cloudflared[1465]: time="2020-11-20T20:50:20
Nov 20 20:50:20 pi-hole cloudflared[1465]: time="2020-11-20T20:50:20
Nov 20 20:50:20 pi-hole cloudflared[1465]: time="2020-11-20T20:50:20
Nov 20 20:50:20 pi-hole cloudflared[1465]: time="2020-11-20T20:50:20
Name resolution appears to be working.
pi@pi-hole:~ $ dig @127.0.0.1 -p 5053 mail.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> @127.0.0.1 -p 5053 mail.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 69326a32dbb32d75 (echoed)
;; QUESTION SECTION:
;mail.google.com.		IN	A

;; ANSWER SECTION:
mail.google.com.	46	IN	CNAME	googlemail.l.google.com.
googlemail.l.google.com. 46	IN	A	216.58.197.133

;; Query time: 2 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Nov 20 20:34:51 JST 2020
;; MSG SIZE  rcvd: 147
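To show what cloudflared does behind that dig query, here is an added example (not code from the page, from Pi-hole or from cloudflared): it builds the RFC 8484 wire-format query, parses the reply, and `doh_query()` POSTs it to the same upstream as the config file above. `sample_response()` is a constructed reply that mirrors the answer section shown by dig, so the parser can be exercised without network access.

```python
import struct, urllib.request

def encode_name(name):  # dotted name -> DNS labels, e.g. b'\x04mail\x06google\x03com\x00'
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1):
    """Standard query with RD set; ID 0 as RFC 8484 suggests, so HTTP caches can match it."""
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a name that may use RFC 1035 compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # pointer: remember where this name ends, then follow it
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels), (end or off + 1)

def parse_answers(msg):
    """Return [(owner, type, ttl, rdata)] per answer; A (1) and CNAME (5) rdata are decoded."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("upstream answered RCODE %d" % (flags & 0xF))
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        raw = msg[off + 10:off + 10 + rdlen]
        rdata = ".".join(map(str, raw)) if rtype == 1 else read_name(msg, off + 10)[0] if rtype == 5 else raw
        out.append((owner, rtype, ttl, rdata))
        off += 10 + rdlen
    return out

def doh_query(name, upstream="https://1.1.1.1/dns-query"):  # same upstream as /etc/default/cloudflared
    """POST the query as application/dns-message, which is what cloudflared proxy-dns does (needs network)."""
    hdr = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    with urllib.request.urlopen(urllib.request.Request(upstream, build_query(name), hdr), timeout=5) as r:
        return parse_answers(r.read())

def sample_response():
    """Constructed reply mirroring the dig output above (CNAME then A, TTL 46); not captured from the wire."""
    q = encode_name("mail.google.com") + struct.pack("!HH", 1, 1)
    cname = struct.pack("!HHHIH", 0xC00C, 5, 1, 46, 15) + b"\x0agooglemail\x01l\xc0\x11"
    a = struct.pack("!HHHIH", 0xC02D, 1, 1, 46, 4) + bytes([216, 58, 197, 133])
    return struct.pack("!HHHHHH", 1713, 0x8180, 1, 2, 0, 0) + q + cname + a
```

Calling `doh_query("mail.google.com")` from the Pi returns the same CNAME and A records that dig showed, only fetched over HTTPS instead of via the local cloudflared listener.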
I used tcpdump to check whether DNS over HTTPS is really being used.
If tcpdump is not installed, install it first.
pi@pi-hole:~ $ sudo apt install tcpdump
HTTPS was being used between pi-hole and 1.1.1.1 (https://one.one.one.one/).
pi@pi-hole:~ $ sudo tcpdump -i eth0 port 53 or port 443
(snip)
21:19:52.118390 IP 192.168.1.1.58310 > one.one.one.one.https: Flags [P.], seq 37:104, ack 1, win 1002, length 67
21:19:52.118931 IP 192.168.1.1.58310 > one.one.one.one.https: Flags [P.], seq 104:134, ack 1, win 1002, length 30
21:19:52.144803 IP one.one.one.one.https > 192.168.1.1.58310: Flags [.], ack 134, win 67, length 0
21:19:52.145725 IP one.one.one.one.https > 192.168.1.1.58310: Flags [P.], seq 1:205, ack 134, win 67, length 204
21:19:52.145850 IP 192.168.1.1.58310 > one.one.one.one.https: Flags [.], ack 205, win 1001, length 0
(snip)
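Reading the capture by eye works for a few packets; as an added example (not from the page), here is the same check as a small triage script over tcpdump lines in the format above: once cloudflared is the only upstream, port 53 should appear only between LAN clients and Pi-hole, and any port 53 packet to or from an outside address means a query is still leaving in plaintext. The LAN prefixes and the sample lines are assumptions constructed for this example.

```python
import re

# Assumed for this example: tcpdump was run without -n, so well-known ports print as
# "domain"/"https" and addresses may print as hostnames, as in the capture above.
LINE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+):")
LAN_PREFIXES = ("192.168.", "10.", "127.")  # assumed local ranges for this setup
DNS_PORTS, DOH_PORTS = {"53", "domain"}, {"443", "https"}

def split_endpoint(endpoint):
    """'192.168.1.1.58310' -> ('192.168.1.1', '58310'); also works for hostnames and IPv6."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_local(host):
    return host.startswith(LAN_PREFIXES) or host == "localhost"

def classify(line):
    """Return 'lan-dns', 'plaintext-dns-leak', 'doh', 'other', or None for non-packet lines."""
    m = LINE.match(line)
    if not m:
        return None
    (src, sport), (dst, dport) = split_endpoint(m["src"]), split_endpoint(m["dst"])
    if sport in DNS_PORTS or dport in DNS_PORTS:
        # client -> Pi-hole on the LAN is expected; anything crossing the LAN boundary is not
        return "lan-dns" if is_local(src) and is_local(dst) else "plaintext-dns-leak"
    if sport in DOH_PORTS or dport in DOH_PORTS:
        return "doh"
    return "other"

def leaks(lines):
    """The lines worth acting on: plaintext DNS leaving or entering the LAN."""
    return [l for l in lines if classify(l) == "plaintext-dns-leak"]

# Constructed sample: two DoH packets like those on the page, one client query to
# Pi-hole, and one plaintext query to a public resolver, which is the case to catch.
SAMPLE = """\
21:19:52.118390 IP 192.168.1.1.58310 > one.one.one.one.https: Flags [P.], seq 37:104, ack 1, win 1002, length 67
21:19:52.144803 IP one.one.one.one.https > 192.168.1.1.58310: Flags [.], ack 134, win 67, length 0
21:19:53.001122 IP 192.168.1.20.51234 > 192.168.1.1.domain: 4321+ A? example.com. (29)
21:19:53.005566 IP 192.168.1.1.43210 > dns.google.domain: 9876+ A? example.com. (29)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line[:70])
```

On the Pi it can be fed a live capture with `sudo tcpdump -i eth0 -l port 53 or port 443 | python3 this_script.py` after swapping `SAMPLE` for `sys.stdin`.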
Incidentally, pressing [Save] in Pi-hole's DNS settings wiped the Conditional forwarding settings I had previously edited by hand, so I had to configure them again.
They could also be lost on a Pi-hole update or the like, so I need to keep an eye on that.
help
pi@pi-hole:~ $ cloudflared -h
NAME:
   cloudflared - Cloudflare reverse tunnelling proxy agent

USAGE:
   cloudflared [global options] command [command options] origin-url

VERSION:
   2018.7.2 (built 2018-07-13-1701 UTC)

DESCRIPTION:
   A reverse tunnel proxy agent that connects to Cloudflare's infrastructure.
   Upon connecting, you are assigned a unique subdomain on cftunnel.com.
   You need to specify a hostname on a zone you control.
   A DNS record will be created to CNAME your hostname to the unique subdomain on cftunnel.com.

   Requests made to Cloudflare's servers for your hostname will be proxied
   through the tunnel to your local webserver.

COMMANDS:
     update     Update the agent if a new version exists
     login      Generate a configuration file with your login details
     hello      Run a simple "Hello World" server for testing Argo Tunnel.
     proxy-dns  Run a DNS over HTTPS proxy server.
     service    Manages the Argo Tunnel system service
     help, h    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config value                       Specifies a config file in YAML format. (default: "/etc/cloudflared/config.yml")
   --autoupdate-freq value              Autoupdate frequency. Default is 24h. (default: 24h0m0s)
   --no-autoupdate                      Disable periodic check for updates, restarting the server with the new version. (default: false)
   --no-tls-verify                      Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. Note: The connection from your machine to Cloudflare's Edge is still encrypted. (default: false) [$NO_TLS_VERIFY]
   --origincert value                   Path to the certificate generated for your origin when you run cloudflared login. [$TUNNEL_ORIGIN_CERT]
   --origin-ca-pool value               Path to the CA for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. [$TUNNEL_ORIGIN_CA_POOL]
   --url URL                            Connect to the local webserver at URL. (default: "https://localhost:8080") [$TUNNEL_URL]
   --hostname value                     Set a hostname on a Cloudflare zone to route traffic through this tunnel. [$TUNNEL_HOSTNAME]
   --origin-server-name value           Hostname on the origin server certificate. [$TUNNEL_ORIGIN_SERVER_NAME]
   --lb-pool value                      The name of a (new/existing) load balancing pool to add this origin to. [$TUNNEL_LB_POOL]
   --metrics value                      Listen address for metrics reporting. (default: "localhost:") [$TUNNEL_METRICS]
   --metrics-update-freq value          Frequency to update tunnel metrics (default: 5s) [$TUNNEL_METRICS_UPDATE_FREQ]
   --tag KEY=VALUE                      Custom tags used to identify this tunnel, in format KEY=VALUE. Multiple tags may be specified [$TUNNEL_TAG]
   --loglevel value                     Application logging level {panic, fatal, error, warn, info, debug} (default: "info") [$TUNNEL_LOGLEVEL]
   --proto-loglevel value               Protocol logging level {panic, fatal, error, warn, info, debug} (default: "warn") [$TUNNEL_PROTO_LOGLEVEL]
   --retries value                      Maximum number of retries for connection/protocol errors. (default: 5) [$TUNNEL_RETRIES]
   --hello-world                        Run Hello World Server (default: false) [$TUNNEL_HELLO_WORLD]
   --pidfile value                      Write the application's PID to this file after first successful connection. [$TUNNEL_PIDFILE]
   --logfile value                      Save application log to this file for reporting issues. [$TUNNEL_LOGFILE]
   --proxy-connect-timeout value        HTTP proxy timeout for establishing a new connection (default: 30s)
   --proxy-tls-timeout value            HTTP proxy timeout for completing a TLS handshake (default: 10s)
   --proxy-tcp-keepalive value          HTTP proxy TCP keepalive duration (default: 30s)
   --proxy-no-happy-eyeballs            HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback (default: false)
   --proxy-keepalive-connections value  HTTP proxy maximum keepalive connection pool size (default: 100)
   --proxy-keepalive-timeout value      HTTP proxy timeout for closing an idle connection (default: 1m30s)
   --proxy-dns                          Run a DNS over HTTPS proxy server. (default: false) [$TUNNEL_DNS]
   --proxy-dns-port value               Listen on given port for the DNS over HTTPS proxy server. (default: 53) [$TUNNEL_DNS_PORT]
   --proxy-dns-address value            Listen address for the DNS over HTTPS proxy server. (default: "localhost") [$TUNNEL_DNS_ADDRESS]
   --proxy-dns-upstream value           Upstream endpoint URL, you can specify multiple endpoints for redundancy. (default: "https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query") [$TUNNEL_DNS_UPSTREAM]
   --no-chunked-encoding                Disables chunked transfer encoding; useful if you are running a WSGI server. (default: false) [$TUNNEL_NO_CHUNKED_ENCODING]
   --help, -h                           show help (default: false)
   --version, -v                        print the version (default: false)

COPYRIGHT:
   (c) 2020 Cloudflare Inc.
   Use is subject to the license agreement at https://developers.cloudflare.com/argo-tunnel/licence/