<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 13/1/21 2:11 pm, Hongyi Zhao wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGP6POJ9We0K-+w2zh6+Y2vgYP9FUWUt5gaFA4qNcpRCx9NUCA@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">I'm very confused on the above problem. Any hints/comments/suggestions
will be highly appreciated.
</pre>
</blockquote>
<p>I think that something is intercepting your UDP DNS requests and
replying with the 192.168.1.1 result, probably to block you from
<a class="moz-txt-link-abbreviated" href="http://www.baidu.com">www.baidu.com</a>. But they forgot to intercept TCP.<br>
</p>
<p>It would have to be your own router or your ISP that is doing
this. The ISP's bridge modem can't do this as it is bridging - you
run PPPoE on your own router. (I don't know why it would also run
dnsmasq.)<br>
</p>
<p><br>
</p>
<p>You would probably find that DNSSEC also fails. This should work:</p>
<p>$ dig <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a> @1.1.1.1 +dnssec<br>
<br>
; &lt;&lt;&gt;&gt; DiG 9.11.5-P4-5.1+deb10u2-Debian &lt;&lt;&gt;&gt; <a class="moz-txt-link-abbreviated" href="http://www.cloudflare.com">www.cloudflare.com</a> @1.1.1.1 +dnssec<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 11118<br>
;; flags: qr rd ra <b>ad</b>; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
</p>
<p><br>
</p>
<p>It doesn't seem to work with any of the upstream servers in your
list, but I can access both 1.1.1.1 and 8.8.8.8 from my test
machine in China.<br>
</p>
<p><br>
</p>
<p>I think the appropriate solution is to use DoH or DoT, which is
DNS over HTTPS or DNS over TLS, i.e. signed and encrypted DNS that
can't be intercepted by your ISP.<br>
</p>
<p><br>
</p>
<p>Hamish<br>
</p>
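<p>A check for the two symptoms described above (a UDP answer that differs from the TCP answer, and a reply without the <b>ad</b> flag), added here as an example and not code from the original thread. It builds a raw A query with the DO bit set, parses the reply's AD flag and A records, and reports the exchange as suspicious when UDP and TCP disagree or only TCP carries AD. The two sample replies are constructed, not captured; 203.0.113.10 is a placeholder address, and the resolver passed to query() is the caller's choice.</p>

```python
import socket, struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits used below

def build_query(name, txid=0x1234, dnssec_ok=True):
    """Wire-format A/IN query; with dnssec_ok an OPT RR carrying the DO bit is appended."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, int(dnssec_ok)) + qname + struct.pack(">HH", 1, 1)
    if dnssec_ok:  # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0, DO flag, rdlen 0
        msg += b"\x00" + struct.pack(">HHIH", 41, 4096, 0x8000, 0)
    return msg
def _skip_name(data, off):
    while data[off] and data[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)  # compression pointer is 2 bytes, root label 1
def parse_response(data):
    """Return the AD flag and the sorted A-record addresses from the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"ad": bool(flags & AD), "a": sorted(addrs)}
def assess(udp_resp, tcp_resp):
    """Suspicious when UDP and TCP answers to the same query disagree, or only the TCP one carries AD."""
    udp, tcp = parse_response(udp_resp), parse_response(tcp_resp)
    return {"udp": udp, "tcp": tcp, "suspicious": udp["a"] != tcp["a"] or (tcp["ad"] and not udp["ad"])}
def query(server, msg, tcp):
    """Raw reply from server:53 over TCP (2-byte length prefix) or UDP; needs network access."""
    if tcp:
        with socket.create_connection((server, 53), timeout=3) as s:
            s.sendall(struct.pack(">H", len(msg)) + msg)
            return s.recv(struct.unpack(">H", s.recv(2))[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(msg, (server, 53))
        return s.recv(4096)
def sample_reply(flags, ip, txid=0x1234):
    """Constructed reply to the www.baidu.com query (not captured traffic): one A record, compressed name."""
    question = build_query("www.baidu.com", txid, dnssec_ok=False)[12:]
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr

SPOOFED_UDP = sample_reply(QR | RD | RA, "192.168.1.1")        # the intercepted answer seen in the thread
GENUINE_TCP = sample_reply(QR | RD | RA | AD, "203.0.113.10")  # placeholder real address (TEST-NET-3)
```

<p>Against a live resolver, <code>assess(query(server, build_query("www.baidu.com"), tcp=False), query(server, build_query("www.baidu.com"), tcp=True))</code> performs the same UDP-versus-TCP comparison that dig showed by hand.</p>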
</body>
</html>