SafeDNS

This page describes how to set up a safe DNS server which avoids DNS pollution and provides a simple CDN speed-up for users in mainland China. It helps only with websites that have merely been DNS-polluted by the GFW; it is useless for sites whose IPs have been blocked outright.

I use dnsmasq to apply the special resolving rules, and BIND (named) to accept requests from clients on several ports over both TCP and UDP.

This method is for VPSes (and of course dedicated servers) running Linux. Other Unix systems should also work, but I have not tested them; Windows is not covered.

The safe DNS server will most likely be set up outside the GFW, because servers there are much cheaper. If you are able to put one inside mainland China it will be far closer to perfect, since answers from a server outside still have to cross the GFW on their way back to the client.

Server Structure

I use dnsmasq at the back end of the server to handle the hosts file and the domain-specific upstreams; most of the work happens there. BIND sits in front of it to accept requests on different ports, over both TCP and UDP.

A query from a client first reaches BIND on port 53, 233 or 4321. The named process forwards it to localhost:4322, where dnsmasq is listening; dnsmasq resolves it according to my settings and rules and returns the proper answer to BIND, which returns it to the client.

I do not let dnsmasq handle client requests directly. This works around the fact that dnsmasq listens on only one port (its port option takes a single value); it does answer TCP queries, but putting BIND in front is the simplest way to serve several ports over both transports. So dnsmasq is the back end and BIND faces the clients.
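The front end described above, as an added example that is not the page's own config: a shell script that prints the named.conf options block for BIND (listeners on 53, 233 and 4321, forwarding everything to dnsmasq on 127.0.0.1:4322) and then checks that every port answers the same over UDP and TCP. The client ranges in CLIENT_ACL, the cache directory and the presence of dig and named-checkconf are assumptions, not something the page states. The ACL is the check a practitioner would want: without it this is an open recursive resolver. The UDP-versus-TCP comparison doubles as a pollution probe, because injected replies on the path have historically arrived over UDP only.

```shell
#!/bin/sh
# Added example, not the page's own config: BIND front end for the SafeDNS
# layout, plus a check that every listener answers alike.
# Assumptions (not from the page): the client ranges in CLIENT_ACL, the
# cache directory, and that dig and named-checkconf are installed.

SAFEDNS_PORTS="53 233 4321"   # ports BIND faces clients on (from the page)
DNSMASQ_PORT=4322             # where dnsmasq listens on loopback (from the page)
CLIENT_ACL="${CLIENT_ACL:-127.0.0.1; 203.0.113.0/24;}"   # assumed client range

# Print the named.conf options block for the front end.  The ACL matters:
# without it this is an open recursive resolver anyone can use for
# reflection/amplification, whatever the rest of the setup does.
named_options() {
  cat <<EOF
acl safedns-clients { ${CLIENT_ACL} };

options {
    directory "/var/cache/bind";   # assumed Debian-style path
EOF
  for p in $SAFEDNS_PORTS; do
    # one listen-on per port; BIND serves both UDP and TCP on each
    echo "    listen-on port $p { any; };"
    echo "    listen-on-v6 port $p { any; };"
  done
  cat <<EOF
    recursion yes;
    allow-query     { safedns-clients; };
    allow-recursion { safedns-clients; };
    # never resolve on its own: everything goes to dnsmasq on loopback
    forward only;
    forwarders { 127.0.0.1 port ${DNSMASQ_PORT}; };
    minimal-responses yes;
    version none;
};
EOF
}

# Write the options to a file and run BIND's own syntax checker on it.
install_options() {  # install_options <path>
  named_options > "$1" && named-checkconf "$1"
}

# Query one listener; print its A records sorted on one line, or nothing.
ask() {  # ask <server> <port> <udp|tcp> <name>
  _tcp=""
  [ "$3" = tcp ] && _tcp="+tcp"
  dig @"$1" -p "$2" $_tcp +short +time=2 +tries=1 "$4" A | sort | tr '\n' ' '
}

# Every port/transport pair must return the same answer.  A UDP answer that
# differs from the TCP answer of the same listener is the classic sign of an
# injected (polluted) reply on the path, since injection has historically
# targeted UDP only.
check_frontend() {  # check_frontend <server> <name>
  _ref=""
  for p in $SAFEDNS_PORTS; do
    for t in udp tcp; do
      _got=$(ask "$1" "$p" "$t" "$2")
      if [ -z "$_got" ]; then
        echo "no answer from $1:$p/$t"; return 1
      fi
      [ -n "$_ref" ] || _ref="$_got"
      if [ "$_got" != "$_ref" ]; then
        echo "mismatch on $p/$t: got '$_got', expected '$_ref'"; return 1
      fi
    done
  done
  echo "all listeners agree on $2: $_ref"
}

case "${1:-}" in
  conf)  named_options ;;                 # ./safedns-front.sh conf > /etc/bind/named.conf.options
  check) check_frontend "$2" "$3" ;;      # ./safedns-front.sh check 198.51.100.7 www.example.com
esac
```

Run `check` from a client inside China against the server's public address; a mismatch between the UDP and TCP answers on the same port points at the path, while a mismatch between ports points at the BIND configuration.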

Server Config

Here is a description of the configuration, mostly the how and why; the full config files are hosted on GitHub, with a link at the end of this page.


The dnsmasq main config file is usually /etc/dnsmasq.conf. Here is a trimmed version of it, which is just enough for what I want.

   # Configuration file for dnsmasq.
   #
   # Format is one option per line, legal options are the same
   # as the long options legal on the command line. See
   # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

   # The following two options make you a better netizen, since they
   # tell dnsmasq to filter out queries which the public DNS cannot
   # answer, and which load the servers (especially the root servers)
   # unnecessarily. If you have a dial-on-demand link they also stop
   # these requests from bringing up the link unnecessarily.

   # Never forward plain names (without a dot or domain part)
   domain-needed
   # Never forward addresses in the non-routed address spaces.
   bogus-priv

   # Change this line if you want dns to get its upstream servers from
   # somewhere other than /etc/resolv.conf
   resolv-file=/etc/dnsmasq.resolv.conf

   # Add other name servers here, with domain specs if they are for
   # non-public domains. server= needs an address (the original had it
   # blank); per-domain upstreams live in the conf-dir below.
   #server=/localnet/
   #server=your.own.host.ip#53
   #server=

   # Listen on a single non-standard port; BIND sits in front on 53, 233 and 4321.
   port=4322

   # If you don't want dnsmasq to read /etc/hosts, uncomment the
   # following line.
   #no-hosts
   # or if you want it to read another file, as well as /etc/hosts, use
   # this.
   #addn-hosts=/etc/banner_add_hosts
   addn-hosts=/etc/dnsmasq.hosts

   # Set the cachesize here.
   cache-size=8192

   # Normally responses which come from /etc/hosts and the DHCP lease
   # file have Time-To-Live set as zero, which conventionally means
   # do not cache further. If you are happy to trade lower load on the
   # server for potentially stale data, you can set a time-to-live (in
   # seconds) here.
   local-ttl=3600

   # Include another lot of configuration options.
   #conf-file=/etc/dnsmasq.more.conf
   conf-dir=/etc/dnsmasq.d
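The files that the main config above pulls in (resolv-file, conf-dir and addn-hosts), as an added example that is not the page's own content: a shell script that writes them, runs dnsmasq's syntax check, and queries dnsmasq directly on port 4322 so you can tell the back end's answer apart from BIND's. The upstream address in CLEAN_UPSTREAM, the edge address in CDN_EDGE, the example domains and the file name safedns.conf are assumptions. One caveat worth the extra two lines: `port=4322` alone makes dnsmasq listen on every interface, so clients could reach it directly and bypass BIND's ACL; the rules file pins it to loopback.

```shell
#!/bin/sh
# Added example, not the page's own files: the pieces that dnsmasq.conf pulls
# in, with a syntax check and a resolution test straight against dnsmasq.
# Assumptions (not from the page): the upstream in CLEAN_UPSTREAM, the edge
# address in CDN_EDGE, the example domains, and that dig is installed.

CLEAN_UPSTREAM="${CLEAN_UPSTREAM:-198.51.100.53}"   # assumed unpolluted resolver reachable from the VPS
CDN_EDGE="${CDN_EDGE:-203.0.113.10}"                # assumed edge IP that is fast from mainland China
ROOT="${ROOT:-}"                                    # prefix for writing into a staging directory

# /etc/dnsmasq.resolv.conf: default upstream for everything not matched below.
resolv_conf() {
  printf 'nameserver %s\n' "$CLEAN_UPSTREAM"
}

# /etc/dnsmasq.d/safedns.conf: lockdown plus per-domain upstreams.
rules_conf() {
  cat <<EOF
# dnsmasq must only be reachable through BIND on this host.  "port=4322"
# alone listens on every interface, which would let clients bypass BIND's
# ACL; bind it to loopback only.
listen-address=127.0.0.1
bind-interfaces

# Send these zones to a specific upstream instead of the resolv-file one.
server=/example.com/${CLEAN_UPSTREAM}#53
server=/example.net/${CLEAN_UPSTREAM}#53

# Answer a whole domain (all subdomains) locally with the edge address.
address=/cdn.example.org/${CDN_EDGE}
EOF
}

# /etc/dnsmasq.hosts: exact-name overrides, served with local-ttl from the main config.
hosts_file() {
  printf '%s %s\n' "$CDN_EDGE" "static.example.com" "$CDN_EDGE" "img.example.com"
}

# Write all three files (under $ROOT when staging) in the places the main config expects.
write_files() {
  mkdir -p "${ROOT}/etc/dnsmasq.d"
  resolv_conf > "${ROOT}/etc/dnsmasq.resolv.conf"
  rules_conf  > "${ROOT}/etc/dnsmasq.d/safedns.conf"
  hosts_file  > "${ROOT}/etc/dnsmasq.hosts"
}

# dnsmasq --test parses the config (conf-dir included) without starting a daemon.
syntax_check() {  # syntax_check <main conf>
  dnsmasq --test -C "$1"
}

# Ask dnsmasq on loopback, bypassing BIND, to see which layer produced a bad answer.
ask_dnsmasq() {  # ask_dnsmasq <name>
  dig @127.0.0.1 -p 4322 +short +time=2 +tries=1 "$1" A
}

# A pinned name must come back with the edge address straight from dnsmasq.
check_pin() {  # check_pin <name>  -> exit 0 only if the answer is CDN_EDGE
  [ "$(ask_dnsmasq "$1")" = "$CDN_EDGE" ]
}

case "${1:-}" in
  write) write_files ;;                                               # ./safedns-back.sh write
  test)  syntax_check /etc/dnsmasq.conf && check_pin static.example.com ;;   # after restarting dnsmasq
esac
```

Stage with `ROOT=/tmp/stage ./safedns-back.sh write` first and diff against the live files; once dnsmasq has been restarted, `test` confirms both that the config parses and that the hosts override is what the back end actually serves.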





SafeDNS (last edited 2012-11-02 03:21:56 by 183)

CopyRight © 2011-2021 Allen Zhong, under a CC BY-NC-ND 4.0 License.