[Dnsmasq-discuss] The strange dns query error observed for fiber optic modem bridge mode.
Hamish Moffatt
hamish at moffatt.email
Wed Jan 13 04:03:44 UTC 2021
On 13/1/21 2:11 pm, Hongyi Zhao wrote:
> I'm very confused on the above problem. Any hints/comments/suggestions
> will be highly appreciated.
I think that something is intercepting your UDP DNS requests and
replying with the 192.168.1.1 result, probably to block you from
www.baidu.com. But they forgot to intercept TCP.
It would have to be your own router or your ISP that is doing this. The
ISP's bridge modem can't do this as it is bridging - you run PPPoE on
your own router. (I don't know why it would also run dnsmasq.)
You would probably find that DNSSEC also fails. This should work:
$ dig www.cloudflare.com @1.1.1.1 +dnssec
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.cloudflare.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11118
;; flags: qr rd ra *ad*; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
It doesn't seem to work with any of the upstream servers in your list,
but I can access both 1.1.1.1 and 8.8.8.8 from my test machine in China.
I think the appropriate solution is to use DoH or DoT, which is DNS over
HTTPS or DNS over TLS, i.e. signed and encrypted DNS that can't be
intercepted by your ISP.
Hamish
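The diagnosis above rests on two observations: the answer differs between UDP and TCP, and a DNSSEC-validated reply carries the AD flag. The following script, added here as an example and not code from the thread or from dnsmasq, turns those two checks into a repeatable test. It builds a raw DNS A query with an EDNS0 OPT record (DO bit set), can send it over UDP and TCP (`udp_query`, `tcp_query`), parses the replies, and classifies the pair. The name `www.example.com`, the fixture addresses 192.168.1.1 and 203.0.113.10, and the `build_response` fixture builder are constructed for the offline demo; the `demo()` function models the symptom described in the thread without touching the network.

```python
import socket
import struct

NAME = "www.example.com"  # constructed test name; substitute the one you are diagnosing


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, dnssec=True):
    """A query with RD set and (optionally) an EDNS0 OPT RR with the DO bit,
    so a validating resolver will set AD on a signed answer."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # TYPE A, CLASS IN
    opt = b""
    if dnssec:  # root name, TYPE 41, payload 4096, ext-rcode/version 0, DO=0x8000, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def _read_name(data, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Extract id, rcode, AD/TC flags and the A-record answers from a wire reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": sorted(answers)}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def udp_query(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def tcp_query(server, query, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
        return _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])


def classify(udp, tcp):
    """Same answers and same AD state on both transports is the healthy case;
    differing answers is the UDP-only interception the thread describes."""
    if udp["answers"] != tcp["answers"]:
        return "udp-intercepted"
    if udp["ad"] != tcp["ad"]:
        return "ad-mismatch"
    return "consistent"


def build_response(query, ips, ad):
    """Constructed fixture: a minimal reply to `query` (not captured traffic)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 5]  # name + TYPE + CLASS
    header = struct.pack("!HHHHHH", qid, 0x8180 | (0x0020 if ad else 0), 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + question + rrs


def demo():
    """Offline model of the symptom: UDP answered with a private address and no AD,
    TCP answered with the real record, AD set."""
    q = build_query(NAME)
    udp = parse_response(build_response(q, ["192.168.1.1"], ad=False))
    tcp = parse_response(build_response(q, ["203.0.113.10"], ad=True))
    return classify(udp, tcp)


def check_live(server, name=NAME):
    """Run the real comparison against a resolver, e.g. check_live('1.1.1.1')."""
    q = build_query(name)
    return classify(parse_response(udp_query(server, q)), parse_response(tcp_query(server, q)))


if __name__ == "__main__":
    print(demo())
```

`check_live` sends the same query over both transports and reports `udp-intercepted` when the answer sets differ, which is the signature of a middlebox that rewrites UDP but not TCP; `ad-mismatch` points at a resolver (or path) that validates on only one transport.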