Comments (33)
The make errors don't matter.
- The steps look right; try dig like this:
dig 2.dnscrypt-cert.ntr.cu.cc @192.168.30.128 -p 3762
dig baidu.com @192.168.30.128 -p 3762
- dnscrypt-proxy's "Suspicious certificate received" error means the certificate is wrong. Try regenerating it.
Also, with --provider-cert-file=dnscrypt.cert
you don't need to configure the 2.dnscrypt-cert TXT record at your DNS provider; most providers don't support binary TXT data anyway.
Here is another step-by-step writeup: #11 (comment)
from dnscrypt-wrapper.
[root@localhost ~]# dig 2.dnscrypt-cert.ntr.cu.cc @192.168.30.128 -p 3762
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> 2.dnscrypt-cert.ntr.cu.cc @192.168.30.128 -p 3762
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53818
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.dnscrypt-cert.ntr.cu.cc. IN A
;; AUTHORITY SECTION:
ntr.cu.cc. 60 IN SOA beth.ns.cloudflare.com. dns.cloudflare.com. 2016235213 10000 2400 604800 3600
;; Query time: 1200 msec
;; SERVER: 192.168.30.128#3762(192.168.30.128)
;; WHEN: 日 9月 14 19:08:23 CST 2014
;; MSG SIZE rcvd: 116
[root@localhost ~]# dig baidu.com @192.168.30.128 -p 3762
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> baidu.com @192.168.30.128 -p 3762
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38943
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN A
;; ANSWER SECTION:
baidu.com. 107 IN A 220.181.111.86
baidu.com. 107 IN A 123.125.114.144
baidu.com. 107 IN A 220.181.111.85
;; Query time: 83 msec
;; SERVER: 192.168.30.128#3762(192.168.30.128)
;; WHEN: 日 9月 14 19:09:07 CST 2014
;; MSG SIZE rcvd: 86
I have used it to dig other domain names before, and normal resolution works as well.
Is there something wrong with the TTL of my domain record? Does it have to be set to 1 day?
I have regenerated the certificate repeatedly; the result is the same every time.
"With --provider-cert-file=dnscrypt.cert you don't need to configure the 2.dnscrypt-cert TXT at the DNS provider": does that mean the 2.dnscrypt-cert TXT record can be nonexistent, as long as the server's run-time parameter and the client's parameter match? I noticed that some records in dnscrypt-resolvers.csv do indeed seem not to exist.
Right, you don't need to configure it at the DNS provider. With --provider-cert-file=dnscrypt.cert, dnscrypt-wrapper serves the record itself.
dig txt 2.dnscrypt-cert.ntr.cu.cc @192.168.30.128 -p 3762
That should return it.
Yes. I regenerated all the certificates and keys and switched to a different domain name (to avoid DNS caching), which I did not configure at the provider because it is a nonexistent domain. The test still yields a suspicious certificate, so it looks like a problem with the generated certificate itself.
[root@localhost bin]# ./dnscrypt-wrapper -r 8.8.8.8:53 -a 0.0.0.0:3762 --crypt-secretkey-file=crypt_secret.key --crypt-publickey-file=crypt_public.key --provider-cert-file=dnscrypt.cert --provider-name=2.dnscrypt-cert.garaki.daze -VV
[4683] 14 Sep 19:45:01.623 [info] Crypt public key fingerprint: C628:4FE4:756D:570F:A588:89CE:1854:E177:4CF0:E431:43A7:84C4:B68F:DBD0:4704:F042
[4683] 14 Sep 19:45:22.701 [debug] client to proxy cb
[4683] 14 Sep 19:45:51.535 [debug] client to proxy cb
[4683] 14 Sep 19:45:52.547 [debug] client to proxy cb
[4683] 14 Sep 19:45:55.553 [debug] client to proxy cb
...
[root@localhost ~]# dig txt 2.dnscrypt-cert.garaki.daze @192.168.30.128 -p 3762
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> txt 2.dnscrypt-cert.garaki.daze @192.168.30.128 -p 3762
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33999
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2.dnscrypt-cert.garaki.daze. IN TXT
;; ANSWER SECTION:
2.dnscrypt-cert.garaki.daze. 0 IN TXT "DNSC\000\001\000\000\131\168\150\018J\227\254]HhFe3\156\235\221\236AF\235^V\144E?\145\196\187XF\247\029\031-\246a\2246\014\182\163\001\2511\250Rd\144\161\2248c\241\204\012\030\153\215\139$\249\001\131\168\150\018J\227\254]HhFe3\156\235\221\236AF\235^V\144E?_\145\196\187XF\247\029\031-\246a\2246\014\182\163\001\2511\250Rd\144\161\2248"
;; Query time: 0 msec
;; SERVER: 192.168.30.128#3762(192.168.30.128)
;; WHEN: 日 9月 14 19:45:22 CST 2014
;; MSG SIZE rcvd: 182
[root@localhost ~]# dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.garaki.daze -r 192.168.30.128:3762 --provider-key=95E6:645B:9060:E468:5FDD:7383:D0E3:044F:CA52:7DFB:0D94:C909:F0AC:AE9A:831E:66B3
[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
^C
Can you try a third-party service? https://dnscrypt.eu/
[root@localhost ~]# dnscrypt-proxy -a 127.0.0.1:55 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu -r 176.56.237.171:443 --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2014-09-11] to [2015-09-11]
[INFO] Server key fingerprint is 6231:4AFE:4AA3:7E6F:9B8C:DAA6:6F6E:E8A5:F84B:10A8:6DB1:C5CB:D264:77CA:7F03:0D5C
[NOTICE] Proxying from 127.0.0.1:55 to 176.56.237.171:443
The third-party service works fine, except that it is often unstable here: after using it for a while there is a period when nothing resolves, an intermittent hiccup. I haven't looked into it deeply, but most likely it is because those public services are easy to discover and easy to interfere with. It happens on both the Windows client and OpenWRT, which is why I got the idea of deploying my own server.
https://dnscrypt.eu/ also uses dnscrypt-wrapper, so this looks like it could be a problem with dnscrypt-wrapper as compiled on CentOS.
I have only tested on ubuntu/gentoo/macosx/freebsd, not CentOS. I'll take a look when I have time.
Which CentOS version are you using?
CentOS release 6.5 (Final) and CentOS Linux release 7.0.1406 (Core). I'll try testing in an Ubuntu VM and see how it goes. At least I now know the steps are correct, and not having to set up the TXT record at the provider makes this much simpler. Thank you.
Very strange: testing on Ubuntu 14.04 today gives the same result, so it seems to be unrelated to the OS.
Update to the master HEAD of the repository and recompile. It definitely works on ubuntu; I retested yesterday.
On Mon, Sep 15, 2014 at 11:32 PM, gnwzkd [email protected] wrote:
Very strange: testing on Ubuntu 14.04 today gives the same result, so it seems to be unrelated to the OS.
Yecheng Fu (Cofyc)
http://yechengfu.com
Also, when regenerating the key/cert, make sure to delete the old certificate files first, so they are not left un-updated because the files already exist.
Secondly, every time you regenerate the provider keypair (--gen-provider-keypair), dnscrypt-proxy's --provider-key has to change as well.
[ERROR] Suspicious certificate received
This error means the certificate is invalid; it should just be some parameter that is wrong somewhere.
Send me a complete terminal screenshot or a copy of the output so I can take a look.
I recorded the whole process with screen, not sure if that works for you: http://r.loli.io/fIjEBr.0 . It was done in a freshly created VM.
I wonder whether the libevent and libsodium versions could be the cause of this.
Strange... I followed your steps exactly, and it works fine.
Try using the files I generated directly: http://pan.baidu.com/s/1ntwUOcD .
With the files you generated it runs normally, no further problems at all, and it also runs fine on that CentOS VPS.
But whatever I do, the ones I generate myself never pass.
I can only conclude that my bad luck is off the charts...
It seems it really was a libsodium 0.7 problem. Today, generating certificates with 1.0 in various environments worked without any issue. Thanks to the author for the effort.
good!
@cofyc Hi, I have run into this problem too... but my libsodium is 1.0...
The server is Gentoo, the computer is OS X, and even switching to the certificate files from the example folder doesn't seem to work...
The overlay was copied from yours and then modified by me: https://github.com/bolasblack/overlay/blob/master/net-misc/dnscrypt-wrapper/dnscrypt-wrapper-0.1.13.ebuild
dnscrypt-proxy on OSX was installed with HomeBrew...
Could you help me figure out where exactly it is going wrong...
What error does it report?
The same error as in this issue. The wrapper log shows:
[7910] 13 Nov 01:56:49.368 [info] Crypt public key fingerprint: 6B0D:B3DB:4D8A:9260:7E7C:F24F:A8B1:7425:6F3A:F0CE:2CBE:9895:6CB6:7454:CCA8:3D05
[7911] 13 Nov 01:56:50.519 [debug] client to proxy cb
[7911] 13 Nov 01:58:29.667 [debug] client to proxy cb
[7911] 13 Nov 01:58:56.942 [debug] client to proxy cb
[7911] 13 Nov 01:58:58.023 [debug] client to proxy cb
[7911] 13 Nov 01:59:01.102 [debug] client to proxy cb
The proxy log shows:
[NOTICE] Starting dnscrypt-proxy 1.4.1
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
[INFO] Refetching server certificates
[ERROR] Suspicious certificate received
[ERROR] No useable certificates found
Double-check that it was compiled against libsodium 1.0.
Check whether --provider-key is being passed correctly.
I use gentoo too; it won't be OS-related.
Try compiling manually instead of with the ebuild and test that first.
Yes, it probably has little to do with the OS.
I checked libsodium again:
> /etc/dnscrypt-wrapper $ sudo emerge -S libsodium
Password:
Searching...
[ Results for search key : libsodium ]
[ Applications found : 1 ]
* dev-libs/libsodium
Latest version available: 1.0.0
Latest version installed: 1.0.0
Size of files: 1,502 kB
Homepage: https://github.com/jedisct1/libsodium
Description: A portable fork of NaCl, a higher-level cryptographic library
License: ISC
That should be fine. My configuration on OSX:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnscrypt-proxy</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/sbin/dnscrypt-proxy</string>
<string>--user=nobody</string>
<!-- <string>\-\-resolver-name=opendns</string> -->
<string>--logfile=/var/log/dnscrypt-proxy.log</string>
<string>--resolver-address=106.187.51.216:5354</string>
<string>--provider-name=2.dnscrypt-cert.vox.com</string>
<string>--provider-key=6B0D:B3DB:4D8A:9260:7E7C:F24F:A8B1:7425:6F3A:F0CE:2CBE:9895:6CB6:7454:CCA8:3D05</string>
</array>
<key>UserName</key>
<string>root</string>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
My dnscrypt-wrapper configuration:
BINARY="/usr/bin/dnscrypt-wrapper"
PIDFILE="/var/run/dnscrypt-wrapper.pid"
LOGFILE="/var/log/dnscrypt-wrapper.log"
# Upstream dns resolver
# RESOLVER_ADDR="8.8.8.8:53"
RESOLVER_ADDR="127.0.0.1:53"
#CRYPT_SECRETKEY_FILE="/etc/dnscrypt-wrapper/crypt_secret.key"
CRYPT_SECRETKEY_FILE="/etc/dnscrypt-wrapper/example/crypt_secret.key"
#CRYPT_PUBLICKEY_FILE="/etc/dnscrypt-wrapper/crypt_public.key"
CRYPT_PUBLICKEY_FILE="/etc/dnscrypt-wrapper/example/crypt_public.key"
# Optional configurations
# Local address to listen on
LISTEN_ADDR="0.0.0.0:5354"
PROVIDER_NAME="2.dnscrypt-cert.vox.com"
#PROVIDER_CERT_FILE="/etc/dnscrypt-wrapper/dnscrypt.cert"
PROVIDER_CERT_FILE="/etc/dnscrypt-wrapper/example/dnscrypt.cert"
VERBOSE="VV"
I don't think any of this should be a problem...
Compiled it manually once more, still no difference...
Are you running it by hand? Take a look at the example/start_*.sh scripts.
Yes, by hand: /usr/local/bin/dnscrypt-wrapper -r 127.0.0.1:53 --crypt-secretkey-file="/etc/dnscrypt-wrapper/example/crypt_secret.key" --crypt-publickey-file="/etc/dnscrypt-wrapper/example/crypt_public.key" -a "0.0.0.0:5354" --provider-name="2.dnscrypt-cert.vox.com" --provider-cert-file="/etc/dnscrypt-wrapper/example/dnscrypt.cert" -VV
My dnscrypt-proxy is also built with homebrew.
git clone dnscrypt-wrapper, build it, then cd into example and run in turn:
./start_wrapper.sh
./start_proxy.sh
dig www.google.com @127.0.0.1 -p 8855
and see what happens.
My versions:
$ brew info libsodium dnscrypt-proxy | grep stable
libsodium: stable 1.0.0 (bottled), HEAD
dnscrypt-proxy: stable 1.4.1, HEAD
...... damn, it looks like the public key printed in the log is the wrong one.
After I ran start_wrapper.sh, the log printed was this:
> /etc/dnscrypt-wrapper/example $ sh start_wrapper.sh
[30064] 13 Nov 05:47:38.732 [info] Crypt public key fingerprint: 6B0D:B3DB:4D8A:9260:7E7C:F24F:A8B1:7425:6F3A:F0CE:2CBE:9895:6CB6:7454:CCA8:3D05
But the real key should actually be the one in start_proxy.sh: 3686:91DF:DC22:8DBB:67BF:9EF6:5471:C831:B468:E0F8:18D9:6CB1:254E:3BE7:7A88:AB24
If I use that key, the service no longer reports the error... but the libsodium on my Gentoo box really is 1.0.0...
The "Crypt public key fingerprint" is not the --provider-key.
There are two kinds of keys, the provider keypair and the crypt keypair, and they are quite easy to mix up. I'll look at how to print this more clearly later.
So that's how it is... my mistake... sorry...
Thank you for writing this project, and for replying so quickly...
No problem. I hope the project is useful to you.
One more question: is the provider key only printed when generating the provider keypair... if I forget it, is there any way to display it again?
xxd -u -c 2 -g 2 -ps public.key | tr -s '\n' ':' | sed 's/:$//'
It is contained in public.key.
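One way to script the recovery step above, and to catch the crypt-key/provider-key mix-up from earlier in the thread, as an added example that is not dnscrypt-wrapper's own code: it derives the colon-separated --provider-key fingerprint from a raw public key file with POSIX od/awk (equivalent to the xxd pipeline) and checks a pasted fingerprint against it. It assumes the key file is a raw 32-byte public key; the sample key bytes are constructed.

```shell
#!/bin/sh
# Added example (not dnscrypt-wrapper's own code): derive the --provider-key
# fingerprint from a raw public key file and check a pasted fingerprint
# against it. Uses POSIX od/awk/tr, equivalent to the xxd pipeline above.

# Print the fingerprint of the 32-byte public key file $1 as 16 groups of
# four uppercase hex digits joined by colons (the format dnscrypt-proxy expects).
fingerprint_of() {
    od -An -v -tx1 "$1" | tr -d ' \n' | tr 'a-f' 'A-F' |
        awk '{ out = ""
               for (i = 1; i <= length($0); i += 4) {
                   sep = (i > 1) ? ":" : ""
                   out = out sep substr($0, i, 4)
               }
               print out }'
}

# Succeed only if $1 is exactly 32 bytes (assumption: both the provider key and
# the crypt key are 32-byte public keys, so any other length is not a key file).
key_file_is_valid() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ]
}

# Succeed if fingerprint $2 matches the key in file $1. Passing the crypt key's
# fingerprint here instead of the provider key's is exactly the mismatch that
# makes dnscrypt-proxy report "Suspicious certificate received".
check_provider_key() {
    key_file_is_valid "$1" && [ "$(fingerprint_of "$1")" = "$2" ]
}

# Write a constructed sample key (bytes 0x00..0x1f) to $1. Real keys come from
# --gen-provider-keypair; this only exists so the example runs offline.
make_sample_key() {
    printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017' > "$1"
    printf '\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037' >> "$1"
}

# Stand-alone demonstration: prints
# 0001:0203:0405:0607:0809:0A0B:0C0D:0E0F:1011:1213:1415:1617:1819:1A1B:1C1D:1E1F
demo_key=$(mktemp)
make_sample_key "$demo_key"
fingerprint_of "$demo_key"
rm -f "$demo_key"
```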
Ah... I see... thank you...