==========================
== Gharib Personal Blog ==
==========================
A Techi Personal Blog

SmartDNS Proxy

smartdns, proxy, sniproxy

SmartDNS

This method is usefule when a service is prohibited in your region/area. Buy a vps a 4$ worth VPS is good enough and it is preferable to use Ubuntu/Debian Images.

  • Install nginx with apt install nginx.
  • Modify the Nginx Config at /etc/nginx/nginx.conf with the following config
worker_processes  auto;
worker_rlimit_nofile 35000;
events {
    worker_connections  15000;
    multi_accept off;
}

http {

     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
     server {
            listen 80 default_server;
            listen [::]:80 default_server;
            resolver 8.8.8.8 ipv6=off;
            location / {
                proxy_pass http://$host$request_uri;
            }
    }

}


stream {
   log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';

   access_log /var/log/nginx/access.log basic;
   error_log  /var/log/nginx/error.log error;

   server {
        resolver 1.1.1.1 ipv6=off;
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:443;
    }
}
  • Download src or prebuilt binaries or packages from smartdns
  • Install it with dpkg command or compile src to get the binary file
  • Use the following config. You can also modify anything you want except the ip addres of the server.
# dns server name, default is host name
# server-name, 
# example:
#   server-name smartdns
#

# whether resolv local hostname to ip address
# resolv-hostname yes

# dns server run user
# user [username]
# example: run as nobody
#   user nobody
#

# Include another configuration options, if -group is specified, only include the rules to specified group.
# conf-file [file] [-group group-name]
# conf-file blacklist-ip.conf
# conf-file whitelist-ip.conf -group office
# conf-file *.conf

# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
# bind udp server
#   bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tcp server
#   bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tls server
#   bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
#   bind-cert-key-file [path to file]
#      tls private key file
#   bind-cert-file [path to file]
#      tls cert file
#   bind-cert-key-pass [password]
#      tls private key password
# bind-https server
#   bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# option:
#   -group: set domain request to use the appropriate server group.
#   -no-rule-addr: skip address rule.
#   -no-rule-nameserver: skip nameserver rule.
#   -no-rule-ipset: skip ipset rule or nftset rule.
#   -no-speed-check: do not check speed.
#   -no-cache: skip cache.
#   -no-rule-soa: Skip address SOA(#) rules.
#   -no-dualstack-selection: Disable dualstack ip selection.
#   -no-ip-alias: ignore ip alias.
#   -force-aaaa-soa: force AAAA query return SOA.
#   -force-https-soa: force HTTPS query return SOA.
#   -no-serve-expired: no serve expired.
#   -no-rules: skip all rules.
#   -ipset ipsetname: use ipset rule.
#   -nftset nftsetname: use nftset rule.
# example: 
#  IPV4: 
#    bind :53
#    bind :53@eth0
#    bind :6053 -group office -no-speed-check
#  IPV6:
#    bind [::]:53
#    bind [::]:53@eth0
#    bind-tcp [::]:53
bind <VPS_IPADDRESS>:53

# tcp connection idle timeout
# tcp-idle-time [second]

# dns cache size
# cache-size [number]
#   0: for no cache
#   -1: auto set cache size
# cache-size 32768

# dns cache memory size
# cache-mem-size [size]

# enable persist cache when restart
# cache-persist no

# cache persist file
# cache-file /tmp/smartdns.cache

# cache persist time
# cache-checkpoint-time [second]
# cache-checkpoint-time 86400

# prefetch domain
# prefetch-domain [yes|no]
# prefetch-domain yes

# cache serve expired 
# serve-expired [yes|no]
# serve-expired yes

# cache serve expired TTL
# serve-expired-ttl [num]
# serve-expired-ttl 0

# reply TTL value to use when replying with expired data
# serve-expired-reply-ttl [num]
# serve-expired-reply-ttl 30

# List of hosts that supply bogus NX domain results 
# bogus-nxdomain [ip/subnet]

# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
# blacklist-ip [ip/subnet]

# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
# whitelist-ip [ip/subnet]

# List of IPs that will be ignored
# ignore-ip [ip/subnet]

# alias of IPs
# ip-alias [ip/subnet] [ip1[,ip2]...]
# ip-alias 192.168.0.1/24 10.9.0.1,10.9.0.2

# speed check mode
# speed-check-mode [ping|tcp:port|none|,]
# example:
#   speed-check-mode ping,tcp:80,tcp:443
#   speed-check-mode tcp:443,ping
#   speed-check-mode none

# force AAAA query return SOA
# force-AAAA-SOA [yes|no]

# force specific qtype return soa
# force-qtype-SOA [-,][qtypeid |...]
# force-qtype-SOA [qtypeid|start_id-end_id|,...]
# force-qtype-SOA 65 28 add type 65,28
# force-qtype-SOA 65,28 add type 65,28
# force-qtype-SOA 65-68 add type 65-68
# force-qtype-SOA -,65-68, clear type 65-68
# force-qtype-SOA - clear all type
force-qtype-SOA 65

# Enable IPV4, IPV6 dual stack IP optimization selection strategy
# dualstack-ip-selection-threshold [num] (0~1000)
# dualstack-ip-allow-force-AAAA [yes|no]
# dualstack-ip-selection [yes|no]
# dualstack-ip-selection no

# edns client subnet
# edns-client-subnet [ip/subnet]
# edns-client-subnet 192.168.1.1/24
# edns-client-subnet 8::8/56

# ttl for all resource record
# rr-ttl: ttl for all record
# rr-ttl-min: minimum ttl for resource record
# rr-ttl-max: maximum ttl for resource record
# rr-ttl-reply-max: maximum reply ttl for resource record
# example:
# rr-ttl 300
# rr-ttl-min 60
# rr-ttl-max 86400
# rr-ttl-reply-max 60

# Maximum number of IPs returned to the client|8|number of IPs, 1~16
# example:
# max-reply-ip-num 1

# Maximum number of queries per second|0|number of queries, 0 means no limit.
# example:
# max-query-limit 65535

# response mode
# response-mode [first-ping|fastest-ip|fastest-response]

# set log level
# log-level: [level], level=off, fatal, error, warn, notice, info, debug
# log-file: file path of log file.
# log-console [yes|no]: output log to console.
# log-syslog [yes|no]: output log to syslog.
# log-size: size of each log file, support k,m,g
# log-num: number of logs, 0 means disable log
log-level info

# log-file /var/log/smartdns/smartdns.log
# log-size 128k
# log-num 2
# log-file-mode [mode]: file mode of log file.

# dns audit
# audit-enable [yes|no]: enable or disable audit.
# audit-enable yes
# audit-SOA [yes|no]: enable or disable log soa result.
# audit-size size of each audit file, support k,m,g
# audit-file /var/log/smartdns-audit.log
# audit-console [yes|no]: output audit log to console.
# audit-syslog [yes|no]: output audit log to syslog.
# audit-file-mode [mode]: file mode of audit file.
# audit-size 128k
# audit-num 2

# Support reading dnsmasq dhcp file to resolve local hostname
# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases

# certificate file
# ca-file [file]
# ca-file /etc/ssl/certs/ca-certificates.crt

# certificate path
# ca-path [path]
# ca-path /etc/ssl/certs

# remote udp dns server list
# server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
# default port is 53
#   -blacklist-ip: filter result with blacklist ip
#   -whitelist-ip: filter result with whitelist ip,  result in whitelist-ip will be accepted.
#   -check-edns: result must exist edns RR, or discard result.
#   g|-group [group]: set server to group, use with nameserver /domain/group.
#   e|-exclude-default-group: exclude this server from default group.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   b|-bootstrap-dns: set as bootstrap dns server.
#   -set-mark: set mark on packets.
#   -subnet [ip/subnet]: set edns client subnet.
#   -host-ip [ip]: set dns server host ip.
#   -interface [interface]: set dns server interface.
server 8.8.8.8  -group g1
#server 8.8.8.8 -group g2
# server tls://dns.google:853 
# server https://dns.google/dns-query

# remote tcp dns server list
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
# default port is 53
server-tcp 8.8.8.8 -group g1
#server-tcp 8.8.8.8 -group g2
#server-tcp 18.130.3.145 -group g3
# remote tls dns server list
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   k|-no-check-certificate: no check certificate.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   -bootstrap-dns: set as bootstrap dns server.
# Get SPKI with this command:
#    echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# default port is 853
# server-tls 8.8.8.8
# server-tls 1.0.0.1

# remote https dns server list
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   -http-host: http host.
#   k|-no-check-certificate: no check certificate.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   -bootstrap-dns: set as bootstrap dns server.
# default port is 443
# server-https https://cloudflare-dns.com/dns-query

# socks5 and http proxy list
# proxy-server URL -name [proxy name]
#   URL: socks5://[username:password@]host:port
#        http://[username:password@]host:port
#   -name: proxy name, use with server -proxy [proxy-name]
# example:
#   proxy-server socks5://alireza:MainHelpAptel45610@127.0.0.1:2059 -name proxy
#proxy-server http://127.0.0.1:6660 -name proxy

# specific nameserver to domain
# nameserver [/domain/][group|-]
# nameserer group, set the domain name to use the appropriate server group.
#nameserver /chatgpt.com/g1, #Set the domain name to use the appropriate server group.
# nameserver /www.example.com/-, ignore this domain

# expand ptr record from address record
# expand-ptr-from-address yes

# specific address to domain
# address [/domain/][ip1,ip2|-|-4|-6|#|#4|#6]
# address #, block all A and AAAA request.
# address #6, block all AAAA request.
# address -6, allow all AAAA request.
#5.202.100.100,5.202.100.101,185.55.226.26,185.55.225.25,78.157.42.100,78.157.42.101,91.107.164.5
# address /www.example.com/1.2.3.4,5.6.7.8, return multiple ip addresses
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

# specific cname to domain
# cname /domain/target

# add srv record, support multiple srv record.
# srv-record /domain/[target][,port][,priority][,weight]
# srv-record /_ldap._tcp.example.com/ldapserver.example.com,389
# srv-record /_ldap._tcp.example.com/

# https-record /domain/[target=][,port=][,priority=][,alph=][,ech=][,ipv4hint=][,ipv6hint=]
# https-record noipv4hint,noipv6hint
# https-record /www.example.com/ipv4hint=192.168.1.2

# enable DNS64 feature
# dns64 [ip/subnet]
# dns64 64:ff9b::/96

# enable ipset timeout by ttl feature
# ipset-timeout [yes]

# specific ipset to domain
# ipset [/domain/][ipsetname|#4:v4setname|#6:v6setname|-|#4:-|#6:-]
# ipset [ipsetname|#4:v4setname|#6:v6setname], set global ipset.
# ipset /www.example.com/block, set ipset with ipset name of block. 
# ipset /www.example.com/-, ignore this domain.
# ipset ipsetname, set global ipset.

# add to ipset when ping is unreachable
# ipset-no-speed ipsetname
# ipset-no-speed pass

# enable nftset timeout by ttl feature
# nftset-timeout [yes|no]
# nftset-timeout yes

# add to nftset when ping is unreachable
# nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6]
# nftset-no-speed #4:ip#table#set

# enable nftset debug, check nftset setting result, output log when error.
# nftset-debug [yes|no]
# nftset-debug yes

# specific nftset to domain
# nftset [/domain/][#4:ip#table#set,#6:ipv6#table#setv6]
# nftset [#4:ip#table#set,#6:ipv6#table#setv6] set global nftset.
# nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }'
# nftset /www.example.com/-, ignore this domain
# nftset /www.example.com/#6:-, ignore ipv6
# nftset #6:ip#table#set, set global nftset.

# set ddns domain
# ddns-domain domain

# lookup local network hostname or ip address from mdns
# mdns-lookup [yes|no]
# mdns-lookup no

# set hosts file
# hosts-file [file]

# set domain rules
# domain-rules /domain/ [-speed-check-mode [...]]
# rules:
#   [-c] -speed-check-mode [mode]: speed check mode
#                             speed-check-mode [ping|tcp:port|none|,]
#   [-a] -address [address|-]: same as address option
#   [-n] -nameserver [group|-]: same as nameserver option
#   [-p] -ipset [ipset|-]: same as ipset option
#   [-t] -nftset [nftset|-]: same as nftset option
#   [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
#   [-g|-group group-name]: set domain-rules to group.
#   -no-serve-expired: ignore expired domain
#   -delete: delete domain rule
#   -no-ip-alias: ignore ip alias
#   -no-cache: ignore cache

# collection of domains 
# the domain-set can be used with /domain/ for address, nameserver, ipset, etc.
# domain-set -name [set-name] -type list -file [/path/to/file]
#   [-n] -name [set name]: domain set name
#   [-t] -type [list]: domain set type, list only now
#   [-f] -file [path/to/set]: file path of domain set
# 
# example:
domain-set -name sanction -type list -file /etc/smartdns/proxy.list
address /domain-set:sanction/<VPS_IP_ADDRESS>
nameserver /domain-set:sanction/g1
# ipset /domain-set:domain-list/ipset
# domain-rules /domain-set:domain-list/ -speed-check-mode ping

# set ip rules
# ip-rules ip-cidrs [-ip-alias [...]]
# rules:
#   [-c] -ip-alias [ip1,ip2]: same as ip-alias option
#   [-a] -whitelist-ip: same as whitelist-ip option
#   [-n] -blacklist-ip: same as blacklist-ip option
#   [-p] -bogus-nxdomain: same as bogus-nxdomain option
#   [-t] -ignore-ip: same as ignore-ip option

# collection of IPs 
# the ip-set can be used with /ip-cidr/ for ip-alias, ignore-ip, etc.
# ip-set -name [set-name] -type list -file [/path/to/file]
#   [-n] -name [set name]: ip set name
#   [-t] -type [list]: ip set type, list only now
#   [-f] -file [path/to/set]: file path of ip set
# 
# example:
# ip-set -name ip-list -file /etc/smartdns/ip-list.conf
# bogus-nxdomain ip-set:ip-list
# ip-alias ip-set:ip-list 1.2.3.4
# ip-alias ip-set:ip-list ip-set:ip-map-list

# set client rules
# client-rules [ip-cidr|mac|ip-set] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# client-rules option is same as bind option, please see bind option for detail.

# set group rules
# group-begin [group-name]
# group-match [-g|group group-name] [-domain domain] [-client-ip [ip-cidr|mac|ip-set]]
# group-end

# load plugin
# plugin [path/to/file] [args]
# plugin /usr/lib/smartdns/libsmartdns-ui.so --p 8080 -i 0.0.0.0 -r /usr/share/smartdns/wwwroot
  • Create a domain list at this location /etc/smartdns/proxy.list and put the actual domain name any slash or https things line by line, each line just one domain. For instance
asfadfad.com
asfdkanskf.net
.
.
.
.
.
  • Everything is ready just power the smartdns and nginx up ! ;)