Using dnsmasq to defeat DNS pollution

DNS pollution is currently severe. It makes no difference whether you ask a domestic resolver (e.g. AliDNS, 223.5.5.5 and 223.6.6.6) or a foreign one (e.g. OpenDNS, 208.67.220.220 and 208.67.222.222): for a blocked name such as www.google.com, every one of them hands back a forged address.

~ ᐅ dig  @223.5.5.5 www.google.com 
;; ANSWER SECTION:
www.google.com.        3171    IN  A   93.46.8.89

;; Query time: 10 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: Fri Jan 06 16:02:14 CST 2017
;; MSG SIZE  rcvd: 48

~ ᐅ dig  @208.67.220.220 www.google.com
;; ANSWER SECTION:
www.google.com.        3174    IN  A   93.46.8.89

;; Query time: 66 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Fri Jan 06 16:04:25 CST 2017
;; MSG SIZE  rcvd: 62

Both queries return 93.46.8.89, but that is not an address Google serves from; in other words, the answer for www.google.com has been polluted. Note that switching resolvers did not help: the forged record is identical from both, which is what you see when the reply is injected on the path rather than by the resolver itself.

# ip.cn lookup result
Queried IP: 93.46.8.89
Location: Italy
GeoIP: Catania, Sicilia, Italy
Fastweb

Solution

At the time of writing the pollution only targets port 53. Querying OpenDNS on port 443 or 5353 instead sidesteps it. Be clear about what this does and does not buy you: it is still plain, unauthenticated DNS over UDP, merely on a port the injector ignores, so it works only until the injector is taught those ports, and the answer is only as trustworthy as OpenDNS itself.

~ ᐅ dig  @208.67.220.220 -p 443 www.google.com
;; ANSWER SECTION:
www.google.com.        300 IN  A   216.58.200.228

;; Query time: 356 msec
;; SERVER: 208.67.220.220#443(208.67.220.220)
;; WHEN: Fri Jan 06 16:16:26 CST 2017
;; MSG SIZE  rcvd: 59

# ip.cn lookup result
Queried IP: 216.58.200.228
Location: United States, Google
GeoIP: Mountain View, California, United States
Google

The system stub resolver configured through /etc/resolv.conf can only talk to port 53 (it has no port option), whereas dnsmasq accepts a port for each upstream server and can also route individual domains to different upstreams.

Installation

# install for Debian, Ubuntu
sudo apt install dnsmasq

# install for mac
brew install dnsmasq  

Configuration

Keep comments on their own lines. dnsmasq only treats a '#' at the start of a line as a comment (elsewhere '#' is the ip#port separator), so a comment trailing an option makes the daemon refuse to start with a "bad option" error.

# /etc/dnsmasq.conf

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
# Disable resolv.conf so only the server= lines configured below are used.
no-resolv

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
# Do not read /etc/hosts. dnsmasq only re-reads it on SIGHUP or restart;
# the libc resolver on this host still consults /etc/hosts itself before
# asking DNS, so nothing is lost for the local machine.
no-hosts

# /etc/dnsmasq.d/server.conf
# (the Debian/Ubuntu package starts the daemon with --conf-dir=/etc/dnsmasq.d;
# with Homebrew, put these lines into the dnsmasq.conf it installs, or add a
# conf-dir= line there)

# Send the known-polluted domains, and their subdomains, to OpenDNS on 5353
server=/google.com/208.67.222.222#5353
server=/twitter.com/208.67.222.222#5353
server=/facebook.com/208.67.222.222#5353

# Default pool for every other name: OpenDNS on 443, plus AliDNS so that
# domestic names stay fast. dnsmasq chooses among this pool on its own
# (it favours whichever server is currently responding best, unless
# strict-order is set), so the split between the two providers is not
# controlled by this file, and a polluted domain that is missing from the
# list above can still be answered, and cached, with a forged record.
server=208.67.220.220#443
server=208.67.222.222#443
server=223.5.5.5
server=223.6.6.6

# restart dnsmasq for Debian, Ubuntu
sudo systemctl restart dnsmasq.service

Finally, point the system resolver at dnsmasq (nameserver 127.0.0.1 in /etc/resolv.conf, or the DNS server entry in the macOS network settings) and confirm with dig against 127.0.0.1 that www.google.com now resolves to the address the port 443 query returned, not 93.46.8.89.
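The two fragments above, run through an added lint-and-route script that is not part of the original post and is not dnsmasq code: it embeds the page's configuration as constructed input, reports the trailing-comment lines as bad options (the way dnsmasq rejects them), and for a given name returns which upstreams the server=/domain/ rules would send it to. The subset of syntax it understands, the error wording, and the probe names www.google.com, google.com.hk and notgoogle.com are this script's own assumptions.

```python
"""Lint the dnsmasq fragments above and show which upstream a name would reach.

Added example, not from the original post or from dnsmasq. It models only what
the post relies on: a '#' is a comment only at the start of a line (elsewhere it
is the ip#port separator), and server=/domain/ip#port sends the domain and its
subdomains to that server, most specific domain winning, with everything else
going to the pool of servers given without a domain. The accepted server=
forms and the error wording are this script's own.
"""
import re
from collections import namedtuple

Upstream = namedtuple("Upstream", "domain addr")   # domain None -> default pool
OPTION_NAME = re.compile(r"^[a-z0-9-]+$")           # shape of a dnsmasq option name

# The post's two fragments as constructed input, trailing comments included.
PAGE_CONFIG = """\
no-resolv  # disable resolv.conf
no-hosts # do not read /etc/hosts
server=/google.com/208.67.222.222#5353
server=/twitter.com/208.67.222.222#5353
server=/facebook.com/208.67.222.222#5353
server=208.67.220.220#443
server=208.67.222.222#443
server=223.5.5.5
server=223.6.6.6
"""
# Same content with every comment moved onto its own line.
FIXED_CONFIG = PAGE_CONFIG.replace(
    "no-resolv  # disable resolv.conf", "# disable resolv.conf\nno-resolv").replace(
    "no-hosts # do not read /etc/hosts", "# do not read /etc/hosts\nno-hosts")

def parse_server(value):
    """'/d1/d2/ip#port' -> one Upstream per domain; 'ip#port' -> default pool."""
    domains = []
    if value.startswith("/"):
        parts = value.split("/")              # "/a/b/ip" -> ["", "a", "b", "ip"]
        domains = [d.lower().strip(".") for d in parts[1:-1]]
        value = parts[-1]
    ip, _, port = value.partition("#")
    port = port or "53"                       # dnsmasq's default upstream port
    if not ip or not port.isdigit():
        raise ValueError("unsupported server= form %r" % value)
    addr = "%s#%s" % (ip, port)
    return [Upstream(d, addr) for d in domains] or [Upstream(None, addr)]

def parse_config(text):
    """Return (upstreams, other options, errors) for one config fragment."""
    upstreams, options, errors = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # only a leading '#' is a comment
            continue
        name, has_value, value = line.partition("=")
        name = name.strip()
        if not OPTION_NAME.match(name):       # "no-resolv  # ..." arrives whole
            errors.append("line %d: bad option %r" % (lineno, name))
            continue
        if name == "server":
            try:
                upstreams.extend(parse_server(value.strip()))
            except ValueError as exc:
                errors.append("line %d: %s" % (lineno, exc))
        else:
            options[name] = value.strip() if has_value else True
    return upstreams, options, errors

def route(upstreams, name):
    """Servers dnsmasq may use for name: the most specific server=/domain/
    matches, else the whole default pool (dnsmasq picks within the pool on
    its own, so the order of the returned list carries no meaning)."""
    name = name.lower().rstrip(".")
    best, best_len = [], -1
    for u in upstreams:
        if u.domain is None:
            continue
        if name == u.domain or name.endswith("." + u.domain):
            if len(u.domain) > best_len:
                best, best_len = [u.addr], len(u.domain)
            elif len(u.domain) == best_len:
                best.append(u.addr)
    return best or [u.addr for u in upstreams if u.domain is None]

if __name__ == "__main__":
    print("page config:", parse_config(PAGE_CONFIG)[2])
    ups, opts, errs = parse_config(FIXED_CONFIG)
    print("fixed config:", errs or "ok", opts)
    for n in ("www.google.com", "google.com.hk", "notgoogle.com"):
        print("%-16s -> %s" % (n, route(ups, n)))
```

google.com.hk lands in the default pool because server=/google.com/ matches only google.com and its subdomains, and notgoogle.com does too because the match is on label boundaries, not on the suffix string. Any name you expect to be polluted must therefore appear in the list explicitly, or it is resolved by whichever pool member dnsmasq happens to favour.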