DNAT Setup
DNAT mode enables DNS unblocking for multimedia players (or applications) that cannot handle SNI, while still using only a single public IP address, by means of DNAT trickery. See here for more information on this mode.
Non-exhaustive list of devices that don't understand SNI:
- Xbox 360
- PS3
- All Sony Bravia TVs and Blu-ray players
- Older Samsung TVs
As some devices do not support SNI, we instead use DNS to point each domain to its own IP address. All of these addresses are virtual interfaces on a router, and the router then redirects each IP to a specific port on our proxy server. This has a few caveats, most importantly:
- You will either need the money for an IPv4 block, which is quite expensive
- Or you will need DD-WRT or similar firmware on your router, which is somewhat advanced.
- Another option is using a Raspberry PI for the iptables routing, which is as advanced as DD-WRT.
In short, you should consider the SNI mode first.
In any case, for setting up multiple IP addresses on a single interface, refer to here.
Begin by cloning the repo: `git clone https://github.com/jamiees2/dnsproxy.git`.
## Setting up config.json
Make sure that you have created `config.json` and that it is correct. There is a sample, `config-sample.json`, which you can base your configuration on. Importantly, make sure `public_ip`, `base_ip`, and `base_port` are all correct. See here for information on those options: https://github.com/jamiees2/dnsproxy/wiki/Config.json
- `base_ip` is the first IP to use; the script then uses the following IP addresses incrementally. The script will print out all these IP addresses, which you must make sure are virtual interfaces on your iptables router.
- `base_port` is the first port to use; the script then uses the following ports incrementally. These ports must be open on your HAproxy server for incoming traffic, and open for outgoing traffic on your local network.
Make sure to sync `config.json` across all the servers/devices, as these commands are intended to be run on different servers/devices.
Note: Instead of running multiple `dnsproxy.py` commands on different servers, you can instead run `python dnsproxy.py -m dnat` anywhere and copy the configuration files between the servers/devices.
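To make the `base_ip`/`base_port` bookkeeping concrete, here is an added illustration (not the project's own generator) that derives, from constructed sample values, the per-domain virtual IP and HAproxy port, the matching dnsmasq `address=` lines, and the PREROUTING DNAT rules the router needs. It assumes one port per domain and HTTPS (443) only; the real generator may allocate differently.

```python
import ipaddress

# Constructed sample values standing in for the config.json keys the page names
# (public_ip, base_ip, base_port) and for the domain list. Not real hosts.
CONFIG = {
    "public_ip": "203.0.113.10",   # the HAproxy VPS (documentation range, constructed)
    "base_ip": "192.168.1.240",    # first virtual IP on the local router (constructed)
    "base_port": 10000,            # first port HAproxy listens on (constructed)
}
DOMAINS = ["example-video.test", "cdn.example-video.test", "api.example-video.test"]


def build_mapping(config, domains):
    """Assign each domain the next virtual IP and the next HAproxy port.

    Returns a list of (domain, virtual_ip, haproxy_port). The virtual IPs are
    the addresses the router must carry as virtual interfaces; the ports are
    the ones that must be reachable on the HAproxy server. Raises if the port
    range would run past 65535.
    """
    base_ip = ipaddress.ip_address(config["base_ip"])
    base_port = int(config["base_port"])
    mapping = []
    for i, domain in enumerate(domains):
        port = base_port + i
        if port > 65535:
            raise ValueError("base_port + %d exceeds 65535" % i)
        mapping.append((domain, str(base_ip + i), port))
    return mapping


def dnsmasq_lines(mapping):
    """dnsmasq entries: each domain resolves to its own virtual IP."""
    return ["address=/%s/%s" % (domain, ip) for domain, ip, _ in mapping]


def iptables_lines(mapping, public_ip):
    """nat PREROUTING rules: traffic to virtual_ip:443 is DNATed to public_ip:port.
    (Assumption: one port per domain, HTTPS only.)"""
    return [
        "iptables -t nat -A PREROUTING -d %s -p tcp --dport 443 "
        "-j DNAT --to-destination %s:%d" % (ip, public_ip, port)
        for _, ip, port in mapping
    ]


if __name__ == "__main__":
    m = build_mapping(CONFIG, DOMAINS)
    print("\n".join(dnsmasq_lines(m)))
    print("\n".join(iptables_lines(m, CONFIG["public_ip"])))
```

The printed IP list is the one to check against the router's virtual interfaces, and the port range is what has to be open on the HAproxy server and allowed outbound from the LAN.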
## Setting up HAproxy
First, provision a server from any VPS provider, but make sure it is located in the country you would like your location to be. A 128 MB VPS is enough. Run these commands on that server.
Run the generator:
```
python dnsproxy.py -o haproxy --dnat
```
The generator will create the file `output/haproxy.conf`.
Install HAproxy. On Ubuntu you can do the following (as root):
```
apt-get update -qq && apt-get install -y software-properties-common
add-apt-repository -y ppa:vbernat/haproxy-1.5
apt-get update -qq && apt-get install -y haproxy
```
Copy `output/haproxy.conf` to `/etc/haproxy.cfg`.
Restart HAproxy: `sudo service haproxy restart`.
## Setting up DNSMasq
You can set this up on the same server as HAproxy, but because of serious security and latency issues, I would much rather recommend setting it up locally instead.
First of all, generate the configuration by running `python dnsproxy.py -o dnsmasq --dnat`.
If you are running dnsmasq on a server, like a Raspberry PI, install dnsmasq with `sudo apt-get install dnsmasq`. Then set it up by copying `output/dnsmasq-haproxy.conf` to `/etc/dnsmasq.d/`. If `/etc/dnsmasq.d/` doesn't exist, you might want to copy it to `/etc/dnsmasq.conf` instead.
If you would like to set up dnsmasq on your router, assuming it is running DD-WRT, you can simply append the contents to the DNSMasq textbox under Services->DNSMasq.
## Setting up the hosts file (Optional, only necessary if you didn't bother setting up dnsmasq)
You can also use a hosts file, which will only work locally though.
Generate it with `python dnsproxy.py -o hosts --dnat`. Append the contents of `output/hosts-haproxy.txt` to `/etc/hosts` or to `%SystemRoot%\system32\drivers\etc\hosts`, depending on whether your local computer is Linux or Windows.
## Setting up iptables
This has to be on a local server, or on whatever server you happen to have allocated an IPv4 block for. If it is local, and you set up dnsmasq locally, you can use the same server.
Generate the iptables script with `python dnsproxy.py -o iptables --dnat`.
If you have an iptables server:
You can set up iptables by running `iptables-haproxy.sh` on your router, but keep in mind that those changes will not persist after restarting. Be sure to add it to the startup scripts so that it will persist.
You will need to enable IP forwarding. See here.
For DD-WRT, simply paste the contents of `iptables-haproxy.sh` into the textbox under Administration->Commands and click Save Firewall.
Test your new setup with http://trick77.com/dns-unblocking-setup-tester/