Total Pageviews

Sunday, 25 January 2015

chinadns-用来修复中国境内的怪异DNS问题的工具

Fix weird things with DNS in China.
If you want to fix other weird things as well, you might also want to use ShadowVPN.

Install

  • Linux / Unix
    Download a release.
    ./configure && make
    src/chinadns -m -c chnroute.txt
    
  • OpenWRT
    • Download precompiled for OpenWRT trunk and CPU: ar71xx, brcm63xx, brcm47xx, ramips_24kec. Open an issue if you think your CPU is a popular one but not listed here.
    • If you use other CPU or other OpenWRT versions, build yourself: cd into SDK root, then
        pushd package
        git clone https://github.com/clowwindy/ChinaDNS.git
        popd
        make menuconfig # select Network/ChinaDNS
        make -j
        make V=99 package/ChinaDNS/openwrt/compile
      
  • Tomoto
    • Download Tomato toolchain, build by yourself.
    • Uncompress the downloaded file to ~/.
    • Copy the brcm directory under ~/WRT54GL-US_v4.30.11_11/tools/ to /opt, then
        export PATH=/opt/brcm/hndtools-mipsel-uclibc/bin/:/opt/brcm/hndtools-mipsel-linux/bin/:$PATH
        git clone https://github.com/clowwindy/ChinaDNS.git
        cd ChinaDNS
        ./autogen.sh && ./configure --host=mipsel-linux --enable-static && make
      
  • Windows
    Download Python exe version.

Usage

  • Linux / Unix Recommand using with option "-m" (DNS pointer mutation method) Run sudo chinadns -m -c chnroute.txt on your local machine. ChinaDNS creates a UDP DNS Server at 0.0.0.0:53.
  • OpenWRT
    opkg install ChinaDNS_1.x.x_ar71xx.ipk
    /etc/init.d/chinadns start
    
    (Optional) We strongly recommend you to set ChinaDNS as a upstream DNS server for dnsmasq instead of using ChinaDNS directly:
    1. Run /etc/init.d/chinadns stop
    2. Remove the 2 lines containing iptables in /etc/init.d/chinadns.
    3. Update /etc/dnsmasq.conf to use only 127.0.0.1#5353:
      no-resolv
      server=127.0.0.1#5353
      
    4. Restart chinadns and dnsmasq
Test if it works correctly:
$ dig @192.168.1.1 www.youtube.com -p5353
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 www.google.com -p5353
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16179
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN  A

;; ANSWER SECTION:
www.google.com.     215 IN  A   173.194.127.50
www.google.com.     215 IN  A   173.194.127.49
www.google.com.     215 IN  A   173.194.127.48
www.google.com.     215 IN  A   173.194.127.52
www.google.com.     215 IN  A   173.194.127.51

;; Query time: 197 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Thu Jan  1 02:37:16 2015
;; MSG SIZE  rcvd: 112
Currently ChinaDNS only supports UDP. Builtin OpenWRT init script works with dnsmasq, which handles TCP. If you use it directly without dnsmasq, you need to add a redirect rule for TCP:
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8:53

Advanced

usage: chinadns [-h] [-l IPLIST_FILE] [-b BIND_ADDR] [-p BIND_PORT]
       [-c CHNROUTE_FILE] [-s DNS] [-v]
Forward DNS requests.

-h, --help            show this help message and exit
-l IPLIST_FILE        path to ip blacklist file
-c CHNROUTE_FILE      path to china route file
                      if not specified, CHNRoute will be turned off
-d                    enable bi-directional CHNRoute filter
-y                    delay time for suspects, default: 0.3
-b BIND_ADDR          address that listens, default: 127.0.0.1
-p BIND_PORT          port that listens, default: 53
-s DNS                DNS servers to use, default:
                      114.114.114.114,208.67.222.222:443,8.8.8.8
-m                    Using DNS compression pointer mutation
                      (backlist and delaying would be disabled)
-v                    verbose logging

About chnroute

You can generate latest chnroute.txt using this command:
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > chnroute.txt 
 
from https://github.com/clowwindy/ChinaDNS
下载地址:http://sourceforge.net/projects/chinadns/ 
------------------------

我的补充说明:

在mac机器上.
git clone https://github.com/shadowsocks/ChinaDNS
cd ChinaDNS
./autogen.sh
./configure
make
(make后,会在~/ChinaDNS/src/里面生成可执行文件chinadns)
cd src
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.222.222:443
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.222.222:5353 
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.220.220:443  
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.220.220:5353 
sudo ./chinadns -b 0.0.0.0 -p 53 -s my-vps-ip:53538
(本条命令可改为sudo ALL_PROXY=socks5://localhost:1080 ./chinadns -b 0.0.0.0 -p 53 -s 8.8.8.8:53 )  
 
实际使用例子:
sudo wg-quick up wg0 

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

cd ~/ChinaDNS/src
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.222.222:443
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.222.222:5353 
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.220.220:443  
sudo ./chinadns -b 0.0.0.0 -p 53 -s 208.67.220.220:5353 
sudo ./chinadns -b 0.0.0.0 -p 53 -s my-vps-ip:53538
 
 
突破口就在于:服务器上的DNS的端口不一定只能用53.
幸运的是,GFW 确实只会检测53端口的 DNS 数据包,而且 OpenDNS server 除了53,还提供了4435353端口的 DNS 服务.

(为什么使用 ChinaDNS 而不是直接使用 OpenDNS

  1. 我们必须使用非53端口去查询国外 DNS 才能得到没有被 GFW 篡改的正确解析结果,ChinaDNS 可以自定义使用的DNS 的端口,而 Windows 系统的 DNS 设置定死了使用53端口
  2. 如果通过 OpenDNS 去解析国内网站,那么很可能会得到一个海外 IP(很多大公司都会配备有海外服务器供海外华人使用,例如京东啦淘宝啦B站啦),这样会导致访问国内网站访问速度很慢 而 ChinaDNS 可以根据 chnrouter 来判断,如果从国内 DNS 里解析到国内 IP 的话就使用,对于国外网站会过滤掉从国内 DNS 解析得到的被污染的结果,十分完美的解决了这个问题.)
  3. 建议使用chrome翻墙。我设置chinadns后,居然用ff翻墙失败,用chrome就没有问题。
--------------------------------------------------------------------
 
go re-implementation of ChinaDNS.
 
cd $GOPATH
go get -u -v github.com/YueHonghui/chinadns  
可执行文件chinadns就会出现在$GOBIN/里面。
 
chinadns -h
会显示:
Usage of chinadns:
  -V print version and exit
  -b string
     address that listens (default "0.0.0.0")
  -c string
     path to china route file (default "./chinaroute.txt")
  -d off enable bi-directional CHNRoute filter
  -l string
     path to ip blacklist file
  -logpath string
     logpath (default "/var/log/chaindns")
  -m use DNS compression pointer mutation
  -p int
     port that listens (default 53)
  -s string
     DNS servers to use (default "223.6.6.6,8.8.4.4")
  -v verbose logging
  -y float
     delay time for suspects (default 0.3) 
 
项目地址:https://github.com/YueHonghui/chinadns 
--------

一个专注于高性能的DNS分流器。开箱即用。支持按IP与域名分流,按CNAME分流,ECS扩展,分流更准。
支持IPv6,DoH。支持Openwrt等平台。

mos-chinadns

功能、教程以及手册,详见:wiki
部分设计参考:
依赖
资源


https://github.com/freeasbird/mos-chinadns