Since MIUI 11, the China (国行) builds of Xiaomi phones ship with a built-in DNS: even when you configure your own DNS servers, the system still silently adds 114.114.114.114 and an IPv6 address, 240c::6666, to your default DNS list. The result is a DNS leak, and you know what that implies. See the related discussion on v2ex for details. Below, using RouterOS as the example, is how to block it:
- In the RouterOS firewall command line, enter the following. 192.168.1.6 and fe80::2450:78ff:fe60:45da are the addresses of the DNS resolver inside the LAN (log-prefix only takes effect together with log=yes, so the rules are labelled with comment= instead):
/ip firewall filter add action=drop chain=forward protocol=udp dst-address=!192.168.1.6 dst-port=53 comment="Ban all access to DNS other than 192.168.1.6"
/ipv6 firewall filter add action=drop chain=forward protocol=udp dst-address=!fe80::2450:78ff:fe60:45da/128 dst-port=53 comment="Ban all access to DNS other than fe80::2450:78ff:fe60:45da"
These two rules match UDP only. Resolvers fall back to TCP for large answers, so add the same rules with protocol=tcp as well; DNS over TLS (tcp/853) and DNS over HTTPS (tcp/443) are not covered by port-53 rules at all.
- Actually, the better approach is not to drop the DNS requests at all but to redirect them to the local DNS server:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.6 to-ports=53 protocol=udp dst-address=!192.168.1.6 in-interface=all-ethernet dst-port=53 comment="Redirect all DNS requests to 192.168.1.6"
/ipv6 firewall nat add chain=dstnat action=dst-nat to-addresses=fe80::2450:78ff:fe60:45da to-ports=53 protocol=udp dst-address=!fe80::2450:78ff:fe60:45da/128 in-interface=all-ethernet dst-port=53 comment="Redirect all DNS requests to fe80::2450:78ff:fe60:45da"
Two things to watch here. First, /ipv6 firewall nat only exists from RouterOS 7 onwards. Second, the resolver sits on the same LAN as the clients: the redirected query does reach 192.168.1.6, but its reply goes straight back to the client with 192.168.1.6 as the source, an address the client never queried, so the client normally discards it. A srcnat masquerade rule for port-53 traffic leaving the LAN interface towards 192.168.1.6 is needed so that the reply passes back through the router and gets un-NATed. For IPv6, NATing to a link-local address only works when the resolver is on the same link as the router's LAN port; a ULA or global address is the safer target.
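A fuller rule set, added here as an example and not part of the original post: it applies the redirect idea above to both UDP and TCP, adds the srcnat hairpin rules that make the resolver's replies acceptable to the clients, and keeps the drop rules as a backstop. It assumes the resolver addresses from the post and a LAN bridge interface named bridge-lan (a hypothetical name; substitute yours); the IPv6 part needs RouterOS 7.

```routeros
# Added example, not from the original post.
# Assumptions: LAN resolver is 192.168.1.6 / fe80::2450:78ff:fe60:45da (as in
# the post); the LAN-side interface is a bridge named bridge-lan (hypothetical).
# The /ipv6 firewall nat section requires RouterOS 7.

/ip firewall nat
# Redirect every port-53 query from the LAN that is not already aimed at the
# local resolver (UDP and TCP, since resolvers retry large answers over TCP).
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 dst-address=!192.168.1.6 action=dst-nat to-addresses=192.168.1.6 to-ports=53 comment="DNS redirect (udp)"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 dst-address=!192.168.1.6 action=dst-nat to-addresses=192.168.1.6 to-ports=53 comment="DNS redirect (tcp)"
# Hairpin: clients and resolver share the LAN, so without this the resolver
# would answer the client directly from 192.168.1.6, an address the client
# never queried, and the client would discard the reply. Masquerading makes
# the resolver answer the router, which then un-NATs the reply.
add chain=srcnat out-interface=bridge-lan dst-address=192.168.1.6 protocol=udp dst-port=53 action=masquerade comment="DNS hairpin (udp)"
add chain=srcnat out-interface=bridge-lan dst-address=192.168.1.6 protocol=tcp dst-port=53 action=masquerade comment="DNS hairpin (tcp)"

/ip firewall filter
# Backstop: dstnat runs before the forward chain, so redirected packets already
# carry dst 192.168.1.6 and pass; anything else bound for a foreign port 53 is
# dropped. DNS over TLS (tcp/853) is dropped so the phone cannot fall back to it.
add chain=forward protocol=udp dst-port=53 dst-address=!192.168.1.6 action=drop comment="drop foreign DNS (udp)"
add chain=forward protocol=tcp dst-port=53 dst-address=!192.168.1.6 action=drop comment="drop foreign DNS (tcp)"
add chain=forward protocol=tcp dst-port=853 action=drop comment="drop DNS over TLS"

/ipv6 firewall nat
# Same idea for IPv6 (catches the 240c::6666 entry). A ULA or global address
# is a safer NAT target than a link-local one; the post's address is kept here.
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 dst-address=!fe80::2450:78ff:fe60:45da/128 action=dst-nat to-addresses=fe80::2450:78ff:fe60:45da to-ports=53 comment="DNS redirect (udp)"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 dst-address=!fe80::2450:78ff:fe60:45da/128 action=dst-nat to-addresses=fe80::2450:78ff:fe60:45da to-ports=53 comment="DNS redirect (tcp)"
add chain=srcnat out-interface=bridge-lan dst-address=fe80::2450:78ff:fe60:45da/128 protocol=udp dst-port=53 action=masquerade comment="DNS hairpin (udp)"
add chain=srcnat out-interface=bridge-lan dst-address=fe80::2450:78ff:fe60:45da/128 protocol=tcp dst-port=53 action=masquerade comment="DNS hairpin (tcp)"

/ipv6 firewall filter
add chain=forward protocol=udp dst-port=53 dst-address=!fe80::2450:78ff:fe60:45da/128 action=drop comment="drop foreign DNS (udp)"
add chain=forward protocol=tcp dst-port=53 dst-address=!fe80::2450:78ff:fe60:45da/128 action=drop comment="drop foreign DNS (tcp)"
add chain=forward protocol=tcp dst-port=853 action=drop comment="drop DNS over TLS"
```

Filter rules are evaluated in order, so the drop rules must sit above any existing "accept established/related" or general forward-accept rule (use place-before= when adding them to a populated chain). To confirm the redirect is actually taking the traffic, have the phone resolve a few names and watch the byte counters of the dstnat rules with /ip firewall nat print stats; if the counters climb but the phone gets no answers, the hairpin srcnat rule is the first thing to check.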
Open browserleaks.com again and the DNS leak seen earlier is gone. Run this check from the phone over Wi-Fi with mobile data switched off: the rules only apply to traffic that passes through the router, so a query sent over mobile data never touches them.