This page describes a way to set up a safe DNS server that can avoid DNS pollution and provide a simple CDN speed-up for users in mainland China. This is somewhat helpful for websites that have ONLY been DNS-polluted by the GFW, but useless for those whose IPs have been banned.
I use dnsmasq to apply special DNS resolving rules, and BIND to accept requests from clients, listening on several ports and on both TCP and UDP.
This method is for VPSes (and of course dedicated servers) running Linux. Unix should also work, but I haven't tested it; Windows is not supported.
The safe DNS servers are most likely to be set up outside the GFW, because servers there are much cheaper. But if you are able to put one inside mainland China, it will be far closer to perfect.
I use dnsmasq at the back end of the server to handle hosts entries and domain-specific upstreams; most of the server's functions are performed here. Then I put BIND in front to receive requests on different ports, over both TCP and UDP.
A DNS query from a client is first received by BIND on ports 53, 233 and 4321. The named process then forwards the query to localhost:4322, where dnsmasq is listening. dnsmasq processes the request according to my settings and rules and returns the proper result to BIND, which returns it to the client.
I don't let dnsmasq handle requests directly; this is a trick to deal with the fact that dnsmasq can only bind to a single port, and only on UDP. So I set it as the back end and use BIND to face the clients.
Here is a description of the configuration, mostly on how and why. The full content of the config files is hosted on GitHub; a link is available at the end of this page.
The dnsmasq main config file is /etc/dnsmasq.conf or something similar, and here is a simplified version of it. This is just enough for what I want.
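One way to verify the front end described above actually behaves as designed, as an added example that is not part of the original page: a small Python probe that builds a raw DNS A query, sends it to each advertised port over both UDP and TCP, and checks that every (port, transport) pair returns the same answer set. The server address, the port list (53, 233 and 4321 from the setup described) and the query name are assumptions to replace with your own deployment's values.

```python
"""Probe a DNS front-end on several ports over both UDP and TCP.

Added example, not code from the original page. Server address, ports
and query name in __main__ are assumptions for the deployment described.
"""
from __future__ import annotations

import random
import socket
import struct

A_RECORD = 1
CLASS_IN = 1


def build_query(name: str, txid: int | None = None) -> bytes:
    """Return a minimal RFC 1035 query for an A record with RD set."""
    if txid is None:
        txid = random.randrange(0x10000)
    # ID, flags (RD only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").lower().split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", A_RECORD, CLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> tuple[int, list[str]]:
    """Return (RCODE, sorted IPv4 answers) from a DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, sorted(addrs)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP stream early")
        buf += chunk
    return buf


def query(server: str, port: int, name: str, tcp: bool, timeout: float = 3.0) -> tuple[int, list[str]]:
    """Send one A query over UDP or TCP (2-byte length prefix) and parse the reply."""
    q = build_query(name)
    if tcp:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return parse_a_records(_recv_exact(s, length))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
        return parse_a_records(data)


def check_front_end(server: str, ports: list[int], name: str) -> dict[str, tuple[int, list[str]]]:
    """Query every port over both transports; raise if any answer disagrees."""
    results = {}
    for port in ports:
        for tcp in (False, True):
            results[f"{port}/{'tcp' if tcp else 'udp'}"] = query(server, port, name, tcp)
    if len({(rc, tuple(a)) for rc, a in results.values()}) != 1:
        raise RuntimeError(f"inconsistent answers across ports/transports: {results}")
    return results


if __name__ == "__main__":
    # Assumed values: your server's IP, the ports BIND binds, a name it should resolve.
    print(check_front_end("198.51.100.10", [53, 233, 4321], "example.com"))
```

Run it against the server from a client machine; a missing TCP listener shows up as a connection error on that port, and a port that reaches a different resolver than the others shows up as the inconsistency error.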
```
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# Change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
resolv-file=/etc/dnsmasq.resolv.conf

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
#server=your.own.host.ip#53
server=127.0.0.1
port=4322

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
addn-hosts=/etc/dnsmasq.hosts

# Set the cachesize here.
cache-size=8192

# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
local-ttl=3600

# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
conf-dir=/etc/dnsmasq.d
```
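The hosts overrides and domain-specific upstreams that the back end handles, and the `server=`, `addn-hosts=` and `conf-dir=` directives in the file above, are easiest to reason about by replaying dnsmasq's routing decision for a given name. The following is an added example, not code from the original page or from dnsmasq itself: it parses `server=`, `local=` and `address=` lines plus hosts entries, and reports whether a query would be answered from a hosts entry, synthesised from `address=`, kept local, or forwarded to a domain-specific or default upstream. All rule lines and hosts entries in it are constructed samples rather than the author's real files, and the precedence it models (hosts, then `address=`, then the longest matching `server=`/`local=` suffix, then default upstreams) is a simplification of dnsmasq's behaviour.

```python
"""Replay dnsmasq's name-routing decisions offline.

Added example, not code from the original page or from dnsmasq. The
precedence modelled (hosts, address=, longest server=/local= suffix,
default upstreams) is a simplification; sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rules:
    hosts: dict[str, str] = field(default_factory=dict)           # exact name -> IP
    address: dict[str, str] = field(default_factory=dict)         # suffix -> synthesised IP
    server: dict[str, str | None] = field(default_factory=dict)   # suffix -> "ip#port", None = local only
    default_upstreams: list[str] = field(default_factory=list)    # plain server= lines


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _with_port(target: str) -> str:
    """dnsmasq sends to port 53 unless the upstream is written as ip#port."""
    return target if "#" in target else f"{target}#53"


def parse_dnsmasq(conf_lines, hosts_lines=()) -> Rules:
    rules = Rules()
    for raw in conf_lines:
        line = raw.strip()
        # Only whole-line comments exist; a '#' elsewhere separates ip#port.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        if key in ("server", "local") and val.startswith("/"):
            # "/a.example/b.example/1.2.3.4#5353" -> domains [...], target "1.2.3.4#5353"
            parts = val.split("/")
            domains, target = parts[1:-1], parts[-1]
            for d in domains:
                rules.server[_norm(d)] = _with_port(target) if target else None
        elif key == "server":
            rules.default_upstreams.append(_with_port(val))
        elif key == "address":
            parts = val.split("/")
            for d in parts[1:-1]:
                rules.address[_norm(d)] = parts[-1]
    for raw in hosts_lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                rules.hosts[_norm(name)] = fields[0]
    return rules


def _longest_suffix(name: str, table: dict) -> str | None:
    """Most specific match wins: 'cdn.example.org' beats 'example.org'."""
    best = None
    for domain in table:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def route(name: str, rules: Rules) -> tuple[str, str | None]:
    n = _norm(name)
    if n in rules.hosts:
        return "hosts", rules.hosts[n]
    d = _longest_suffix(n, rules.address)
    if d is not None:
        return "address", rules.address[d]
    d = _longest_suffix(n, rules.server)
    if d is not None:
        target = rules.server[d]
        return ("local", None) if target is None else ("forward", target)
    if rules.default_upstreams:
        # dnsmasq picks among all default upstreams; report them all.
        return "forward", ",".join(rules.default_upstreams)
    return "local", None


# Constructed sample, standing in for /etc/dnsmasq.d/*.conf and /etc/dnsmasq.hosts.
SAMPLE_CONF = """
# a CDN zone via a nearby resolver, everything else via the default upstream
server=/example.org/192.0.2.53#5353
server=/cdn.example.org/198.51.100.7
local=/internal.example/
address=/ads.example.net/0.0.0.0
server=198.51.100.1
""".splitlines()

SAMPLE_HOSTS = ["192.0.2.10 www.example.org  # pinned, beats the example.org upstream"]

RULES = parse_dnsmasq(SAMPLE_CONF, SAMPLE_HOSTS)

if __name__ == "__main__":
    for q in ("www.example.org", "api.example.org", "img.cdn.example.org",
              "box.internal.example", "t.ads.example.net", "example.com"):
        print(q, "->", route(q, RULES))
```

Feeding your real `/etc/dnsmasq.d/*.conf` and hosts file lines into `parse_dnsmasq` lets you check, before restarting anything, which names will be pinned by a hosts entry and which upstream each CDN zone will actually reach.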