海运的博客

安装dnsstamps：

apt-get install python3-pip
python3 -m pip install --user dnsstamps
export PATH=$PATH:~/.local/bin/ 

查看使用方法：

dnsstamp.py -h
dnsstamp.py dot -h

cloudflare-dns.com dns over tls构建sdns示例：

dnsstamp.py dot -a 1.1.1.1 -n cloudflare-dns.com -l -f
DoT DNS stamp
=============

DNSSEC: no
No logs: yes
No filter: yes
IP Address: 1.1.1.1
Hostname: cloudflare-dns.com
Hashes: []
Bootstrap IPs: []

sdns://AwYAAAAAAAAABzEuMS4xLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQ

解析sdns：

dnsstamp.py parse sdns://AwYAAAAAAAAABzEuMS4xLjEAEmNsb3VkZmxhcmUtZG5zLmNvbQ

https://github.com/chrisss404/python-dnsstamps

N1盒子可用：

wget https://downloads.openwrt.org/releases/18.06.5/targets/armvirt/64/openwrt-18.06.5-armvirt-64-default-rootfs.tar.gz
docker import openwrt-18.06.5-armvirt-64-default-rootfs.tar.gz openwrt:18.06.5

dnsmasq最新版本2.80增加了指定域名返回空的选项，通过此可以过滤ipv6查询：

#所有com域名禁止ipv6查询
server=/com/8.8.8.8
address=/com/::
#所有域名过滤ipv6查询
server=/#/8.8.8.8
address=/#/::

dnsmasq 2.78版本可使用此patch过滤ipv6 aaaa查询。
https://github.com/flyinprogrammer/dnsmasq-alpine-docker
unbound过滤ipv6见：
https://www.haiyun.me/archives/1303.html

https://discourse.pi-hole.net/t/solved-disable-aaaa-response-for-a-given-domain/13143
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

交叉编译环境配置，使用PandoraBox提供的SDK：

apt install build-essential -y
wget https://downloads.pangubox.com/pandorabox/18.10/targets/ralink/mt7621/PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz
tar xf PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz 
mv PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64 PandoraBox
export STAGING_DIR=/root/PandoraBox/staging_dir/
export PKG_CONFIG_PATH=/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/pkgconfig/
export PATH=$PATH:/root/PandoraBox/staging_dir/toolchain-mipsel_1004kc+dsp_gcc-5.5.0_uClibc-1.0.x/bin/
export CC=mipsel-openwrt-linux-gcc
export RANLIB=mipsel-openwrt-linux-ranlib
export AR=mipsel-openwrt-linux-ar
export LD=mipsel-openwrt-linux-ld

潘多拉SDK自带openssl版本为1.1.0，为使用tls1.3编译安装最新版openssl1.1.1：

wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar zxvf openssl-1.1.1d.tar.gz
 ./config no-asm shared --prefix=/usr/local/openssl-mipsel
sed -i 's/-m64//g' Makefile
make && make install

编译smartdns：

git clone https://github.com/pymumu/smartdns.git
cd smartdns/src/
CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make
#不额外安装openssl，使用sdk自带的openssl
#CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

静态编译包含openssl，修改Makefile：

ifeq ($(STATIC), yes)
LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy -lpthread -ldl -lc -lgcc_eh
#LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy,--whole-archive -lpthread -Wl,--no-whole-archive -ldl -lc -lgcc_eh

静态编译：

STATIC=yes CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make 

如果以非root运行smartdns且使用ping测速，需设置cap_net_raw，不然不能发送icmp ping：

#setcap cap_net_raw+eip /usr/local/bin/smartdns 
#cap_net_bind_service允许非root监听53端口，ipset需要cap_net_admin权限
setcap cap_net_bind_service,cap_net_raw,cap_net_admin=+eip /usr/local/bin/smartdns

或直接使用systemd:

AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW

由于使用静态编译openssl1.1文件较大，不使用tls1.3可使用自带的openssl1.0动态编译：

CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

参考：
https://www.boris1993.com/linux/allow-non-root-process-to-bind-low-numbered-ports.html