01-11-2023 01:12 AM
Usually, when we visit Internet websites, we use domain names to access them. However, DNS is an unreliable, stateless protocol that is easily poisoned. To solve this problem, we propose the following ideas and attach a tutorial.
Things to prepare:
An IOS-XE based router as the user gateway
A domain name service provider (including a dynamic DNS registration service)
An external router in the cloud (I used VyOS on Oracle Cloud)
A digital signature certificate
Copy the files I uploaded to bootflash (unzip them; the *.txt files are created with the update-*.sh scripts)
------Basic configuration on the router: let local clients access the Internet-----
------basic configuration on router let local client access internet-----
!Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.7, RELEASE SOFTWARE (fc1)
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform shell
!
hostname gateway
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
clock timezone GMT 8 0
ip gratuitous-arps
!
ip domain name home.local
ip host esxi1.home.local 192.168.0.10
ip host esxi2.home.local 192.168.0.11
ip host gateway.home.local 192.168.0.254
ip host switch.home.local 192.168.0.2
ip host vcsa.home.local 192.168.0.45
!
ip dhcp excluded-address 192.168.0.1 192.168.0.50
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool pat
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.254
default-router 192.168.0.254
!
login on-success log
!
spanning-tree mode rapid-pvst
!
username cisco privilege 15 password 'your password'
!
lldp run
cdp run
!
bridge irb
!
interface GigabitEthernet1
description WAN
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet2
ip address 192.168.0.254 255.255.255.0
ip nat inside
cdp enable
!
interface Dialer1
description WAN
bandwidth 'isp commit upload bandwidth'
ip address negotiated
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp pap sent-username 'your account' password 'your password'
ppp ipcp dns request
ppp ipcp route default
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list pat interface Dialer1 overload
ip dns server
!
ip access-list standard pat
permit 192.168.0.0 0.0.255.255
!
kron occurrence backup at 23:59 recurring system-startup
policy-list backup
!
kron policy-list backup
cli sh run | redirect tftp://'tftp server address'/router.cfg
!
logging trap debugging
logging origin-id hostname
logging host 'logging server address'
!
snmp-server community 'your password' RO
snmp-server location 'your location'
snmp-server contact 'your contact'
snmp-server enable traps
!
line vty 0 4
access-class pat in
logging synchronous
transport input telnet
line vty 5 15
exec-timeout 30 0
logging synchronous
transport input ssh
!
ntp master 1
ntp server cn.pool.ntp.org
!
end
------SSL VPN configuration on the router: let remote clients access resources-----
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
ip ddns update method oray
HTTP
add http://'your account':'your password'@'DNS provider domain'/ph/update?hostname='your domain'&myip=
interval maximum 0 0 1 0
interval minimum 0 0 1 0
!
interface Dialer1
ip ddns update hostname 'your dns domain name'
ip ddns update oray host 'dns provider domain name'
!
crypto pki import VPN pkcs12 bootflash:'Digital Signature Certificate(.pfx)'.pfx password 'your password'
!
ip local pool sslvpn 192.168.0.200 192.168.0.253
!
crypto ssl proposal sslvpn-proposal
protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
pool sslvpn
banner 'your banner'
def-domain home.local
!
crypto ssl policy sslvpn-policy
ssl proposal sslvpn-proposal
pki trustpoint VPN sign
ip interface Dialer1 port 'custom port'
!
crypto ssl profile sslvpn-profile
match policy sslvpn-policy
aaa authentication user-pass list sslvpn
aaa authorization group user-pass list sslvpn sslvpn-auth-policy
aaa accounting user-pass list sslvpn
authentication remote user-pass
max-users 100
!
ip http secure-trustpoint VPN
------Overlay configuration on the router: establish a BGP peering with the external router-----
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 14
crypto isakmp key 'your password' address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PR
set transform-set TS
!
interface Tunnel0
description this is a hub
bandwidth 'isp commit upload bandwidth'
ip address 192.168.255.2 255.255.255.240
no ip redirects
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1300
cdp enable
tunnel source Dialer1
tunnel mode gre multipoint
tunnel protection ipsec profile PR
!
route-map vyos permit 10
set community no-advertise
!
router bgp 64512
template peer-policy VPN
route-reflector-client
soft-reconfiguration inbound
send-community both
exit-peer-policy
!
template peer-session VPN
remote-as 64512
update-source Tunnel0
exit-peer-session
!
bgp router-id 192.168.255.2
bgp cluster-id 192.168.255.2
bgp log-neighbor-changes
bgp graceful-restart
neighbor 192.168.255.5 inherit peer-session VPN
!
address-family ipv4
network 192.168.0.0
neighbor 192.168.255.5 activate
neighbor 192.168.255.5 inherit peer-policy VPN
neighbor 192.168.255.5 route-map vyos in
exit-address-family
!
------Check DMVPN and the BGP peer (receiving the non-national prefix updates)-----
gateway#show dmvpn
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 111.197.207.228 192.168.255.1 UP 1d17h D
1 129.159.34.241 192.168.255.5 UP 04:30:35 DN
==========================================================================
gateway#show bgp ipv4 unicast summary
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.255.1 4 64512 2773 2782 4813 0 0 1d17h 2
192.168.255.5 4 64512 274 304 4813 0 0 04:30:45 945
------Create a guestshell-----
interface VirtualPortGroup0
bandwidth 1000000
ip unnumbered GigabitEthernet2
ip nat inside
!
ip route 192.168.0.15 255.255.255.255 VirtualPortGroup0
!
app-hosting appid guestshell
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.0.15 netmask 255.255.255.0
app-default-gateway 192.168.0.254 guest-interface 0
name-server0 8.8.8.8
!
end
!
guestshell enable
!
------Run guestshell commands to create the DNS server-----
guestshell run sudo yum -y install bind-utils nano tree perl
guestshell run sudo mkdir -p /etc/chinadns
guestshell run sudo cp -rf /bootflash/chinadns /etc/chinadns/
guestshell run sudo cp -rf /bootflash/chinadns.json /etc/chinadns/
guestshell run sudo cp -rf /bootflash/update-gfwlist.sh /etc/chinadns/
guestshell run sudo cp -rf /bootflash/update-chnroute.sh /etc/chinadns/
guestshell run sudo cp -rf /bootflash/update-chnlist.sh /etc/chinadns/
guestshell run sudo cp -rf /bootflash/gfwuser.txt /etc/chinadns/
guestshell run sudo cp -rf /bootflash/gfwlist.txt /etc/chinadns/
guestshell run sudo cp -rf /bootflash/chnroute.txt /etc/chinadns/
guestshell run sudo cp -rf /bootflash/chnlist.txt /etc/chinadns/
guestshell run sudo cp -rf /bootflash/start.sh /etc/chinadns/
guestshell run sudo chmod -R 755 /etc/chinadns/
guestshell run sudo cp -rf /bootflash/dns.service /usr/lib/systemd/system/
guestshell run sudo chmod 754 /usr/lib/systemd/system/dns.service
guestshell run sudo systemctl daemon-reload
guestshell run sudo systemctl enable dns.service --now
guestshell run sudo systemctl status dns
------Point clients to the DNS server-------
ip dhcp pool macbook-m1
host 192.168.0.77 255.255.255.0
client-identifier 01c4.910c.aba6.4d
dns-server 192.168.0.15
default-router 192.168.0.254
!
crypto ssl authorization policy sslvpn-auth-policy
dns 192.168.0.15
!
----------External router configuration---------
interfaces {
ethernet eth0 {
address dhcp
}
loopback lo {
}
tunnel tun0 {
address 192.168.255.5/28
encapsulation gre
multicast enable
parameters {
ip {
}
}
source-interface eth0
}
}
nat {
source {
rule 10 {
outbound-interface eth0
source {
address 192.168.0.0/16
}
translation {
address masquerade
}
}
}
}
protocols {
bgp 64512 {
address-family {
ipv4-unicast {
network 2.0.0.0/8 {
}
.......non-national routes.......
}
}
neighbor 192.168.255.2 {
address-family {
ipv4-unicast {
soft-reconfiguration {
inbound
}
}
}
remote-as 64512
update-source tun0
}
parameters {
graceful-restart {
stalepath-time 360
}
log-neighbor-changes
router-id 192.168.255.5
}
}
nhrp {
tunnel tun0 {
cisco-authentication ""
holding-time 600
map 192.168.255.2/28 {
nbma-address 'your domain name'
register
}
multicast nhs
shortcut
}
}
}
service {
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name VPS-R
login {
user vyos {
authentication {
encrypted-password 'your password'
}
}
}
name-server 8.8.8.8
name-server eth0
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
}
vpn {
ipsec {
esp-group ESP-HUB {
compression disable
lifetime 3600
mode transport
pfs disable
proposal 1 {
encryption 3des
hash md5
}
}
ike-group IKE-HUB {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 86400
proposal 1 {
dh-group 14
encryption 3des
hash md5
}
}
ipsec-interfaces {
interface eth0
}
profile NHRPVPN {
authentication {
mode pre-shared-secret
pre-shared-secret 'your password'
}
bind {
tunnel tun0
}
esp-group ESP-HUB
ike-group IKE-HUB
}
}
}
Explanation:
Certain local clients and the remote clients send their DNS requests to the guestshell. The DNS service determines whether the domain name in the request belongs to the nation. If the domain name in the request is not in the nation, the request is sent to a secure DNS server through the encrypted tunnel, and the traffic is routed to the correct next hop.
{
"listen": "0.0.0.0:53",
"udp-max-bytes": 4096,
"timeout": 5,
"cache_expire_sec": 600,
"domain2ip":{},
"dns-china": [
"192.168.0.254"
],
"dns-abroad": [
"8.8.8.8"
],
"chn_ip": [
"chnroute.txt"
],
"chn_domain": ["chnlist.txt"],
"gfw_domain": ["gfwlist.txt"],
"log_level": "error"
}
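The decision logic the explanation and the chinadns.json above describe, written out as an added example (this is not the post's code and not the ChinaDNS project's code). The list contents, the `domain2ip` entry and the sample replies are constructed here so it runs offline; the real chnlist.txt, gfwlist.txt and chnroute.txt come from the update-*.sh scripts and are not on the page. The rule for names on neither list (ask both upstreams, trust the China-side answer only if it falls inside chn_ip, otherwise use the abroad answer) is the usual ChinaDNS behaviour and is an assumption about what the posted build does.

```python
"""Split-DNS upstream selection modelled on the chinadns.json shown in the post."""
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed stand-ins for the three list files named in chinadns.json.
# The CIDR ranges are illustrative, not an authoritative China route table.
CHNLIST = ["baidu.com", "qq.com", "taobao.com"]
GFWLIST = ["google.com", "youtube.com", "twitter.com"]
CHNROUTE = ["36.0.0.0/10", "110.0.0.0/7", "223.0.0.0/8"]

# Same structure as the posted chinadns.json, with a static override added
# (hypothetical entry) to show the domain2ip path as well.
CONFIG_JSON = """
{
  "listen": "0.0.0.0:53",
  "dns-china": ["192.168.0.254"],
  "dns-abroad": ["8.8.8.8"],
  "domain2ip": {"vcsa.home.local": "192.168.0.45"},
  "chn_ip": ["chnroute.txt"],
  "chn_domain": ["chnlist.txt"],
  "gfw_domain": ["gfwlist.txt"]
}
"""

def load_config(text: str) -> dict:
    """Parse the JSON and expand the list file names into in-memory lists."""
    cfg = json.loads(text)
    files = {"chnlist.txt": CHNLIST, "gfwlist.txt": GFWLIST, "chnroute.txt": CHNROUTE}
    cfg["chn_domain"] = [d for f in cfg["chn_domain"] for d in files[f]]
    cfg["gfw_domain"] = [d for f in cfg["gfw_domain"] for d in files[f]]
    cfg["chn_ip"] = [ipaddress.ip_network(n) for f in cfg["chn_ip"] for n in files[f]]
    return cfg

def _suffix_match(qname: str, suffixes: List[str]) -> bool:
    """True if qname equals, or is a subdomain of, any list entry."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s)
               for s in (x.rstrip(".").lower() for x in suffixes))

def classify(qname: str, cfg: dict) -> str:
    """Return 'static', 'abroad', 'china' or 'undecided' for a query name."""
    q = qname.rstrip(".").lower()
    if q in cfg.get("domain2ip", {}):
        return "static"
    if _suffix_match(q, cfg["gfw_domain"]):      # gfwlist wins over chnlist
        return "abroad"
    if _suffix_match(q, cfg["chn_domain"]):
        return "china"
    return "undecided"

def is_china_ip(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

def upstreams_for(qname: str, cfg: dict) -> List[str]:
    """Which upstream resolvers the query is forwarded to."""
    kind = classify(qname, cfg)
    if kind == "static":
        return []
    if kind == "abroad":
        return list(cfg["dns-abroad"])
    if kind == "china":
        return list(cfg["dns-china"])
    return list(cfg["dns-china"]) + list(cfg["dns-abroad"])

def choose_answer(qname: str, replies: Dict[str, str], cfg: dict) -> Optional[str]:
    """Pick the trusted A record from replies keyed by upstream address.

    For an undecided name the China-side answer is accepted only when the
    address lies inside chn_ip; a reply pointing at a foreign address is
    the signature of a poisoned response and is discarded in favour of the
    answer that came back through the tunnel.
    """
    kind = classify(qname, cfg)
    if kind == "static":
        return cfg["domain2ip"][qname.rstrip(".").lower()]
    if kind == "abroad":
        return next((replies[u] for u in cfg["dns-abroad"] if u in replies), None)
    if kind == "china":
        return next((replies[u] for u in cfg["dns-china"] if u in replies), None)
    for u in cfg["dns-china"]:
        if u in replies and is_china_ip(replies[u], cfg["chn_ip"]):
            return replies[u]
    return next((replies[u] for u in cfg["dns-abroad"] if u in replies), None)

if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    for name in ["www.baidu.com", "www.google.com", "example.org", "vcsa.home.local"]:
        print(f"{name:18} {classify(name, cfg):10} -> {upstreams_for(name, cfg)}")
```

The order of the checks matters: a name on both lists is treated as abroad, and only names on neither list are exposed to the China-side resolver and then filtered by address, which is where the chnroute.txt list earns its keep.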
01-11-2023 03:25 AM
thanks a lot for this work
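The IOS-XE configuration in the original post uses 3DES and MD5 for the IKEv1 policy and the IPsec transform set, a wildcard pre-shared key (`address 0.0.0.0`), an SSL VPN proposal that still offers RC4-MD5 and 3DES, plain `ip http server`, an SNMPv2c community and Telnet on `vty 0 4`. The following added example (not the post's own code) is a small audit that parses an IOS configuration, reports those settings and prints the corrected command beside each one. The sample configuration is assembled from fragments of the post with a made-up key and community string; the replacement commands are standard IOS-XE syntax, but confirm each one on the target release before pasting.

```python
"""Flag weak crypto and management settings in an IOS-XE configuration."""
import re
from typing import Dict, List

# Constructed from fragments of the posted configuration (secrets invented).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 14
crypto isakmp key s3cret address 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
crypto ssl proposal sslvpn-proposal
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

# (pattern, why it is flagged, corrected command). The fixes are the
# settings a current IOS-XE accepts; the SNMP fix needs a matching
# 'snmp-server user' with auth sha / priv aes as well.
RULES = [
    (re.compile(r"^encr(yption)?\s+(des|3des)\b"), "IKEv1 policy uses DES/3DES", "encr aes 256"),
    (re.compile(r"^hash\s+md5\b"), "IKEv1 policy uses MD5", "hash sha256"),
    (re.compile(r"^group\s+(1|2|5)\b"), "IKEv1 DH group below 2048-bit", "group 14"),
    (re.compile(r"^crypto isakmp key\s+\S+\s+address\s+0\.0\.0\.0\b"),
     "wildcard pre-shared key accepts any peer address", "crypto isakmp key <key> address <peer-ip>"),
    (re.compile(r"^crypto ipsec transform-set\s+\S+.*\b(esp-des|esp-3des|esp-md5-hmac)\b"),
     "IPsec transform uses DES/3DES or MD5", "crypto ipsec transform-set <name> esp-gcm 256"),
    (re.compile(r"^protection\b.*\b(rsa-rc4128-md5|rsa-3des-ede-sha1)\b"),
     "SSL VPN proposal offers RC4-MD5 or 3DES", "protection rsa-aes256-sha1 rsa-aes128-sha1"),
    (re.compile(r"^ip http server\b"), "plaintext HTTP management enabled", "no ip http server"),
    (re.compile(r"^snmp-server community\s+\S+\s+R[OW]\b"),
     "SNMPv1/v2c community string", "snmp-server group <grp> v3 priv"),
    (re.compile(r"^transport input\b.*\btelnet\b"), "Telnet accepted on vty", "transport input ssh"),
]

def parse_blocks(config: str) -> List[Dict]:
    """Group an IOS config into top-level commands plus their indented children."""
    blocks: List[Dict] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # IOS indents sub-mode commands by one space
            if blocks:
                blocks[-1]["children"].append(raw.strip())
            continue
        blocks.append({"header": raw.strip(), "children": []})
    return blocks

def audit(config: str) -> List[Dict]:
    """Return one finding per matching line, with the enclosing block for context."""
    findings = []
    for blk in parse_blocks(config):
        for line in [blk["header"]] + blk["children"]:
            for pattern, why, fix in RULES:
                if pattern.search(line):
                    findings.append({"context": blk["header"], "line": line, "why": why, "fix": fix})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['context']}] {f['line']}\n    {f['why']}\n    -> {f['fix']}")
```

Running it against the sample reports eight findings and leaves `group 14`, `ip http secure-server` and the SSH-only `vty 5 15` alone; the same function can be pointed at a `show running-config` capture saved from the gateway.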