A drop-in replacement for ChinaDNS, with some additional features. NOTICE: This project is not under active development: I believe Clash has provided a more elegant DNS & proxy solution. So there is no need to maintain this project. Have fun guys!
GoChinaDNS is a DNS proxy, which smartly dispatches DNS questions to get nearest answers. This can be a drop-in replacement for ChinaDNS, with a better code implementation and several bugfixes.


Binaries for linux, windows and darwin (macOS) are available under Releases.

You will also need a list of IP ranges in China, such as @pexcn/chnroute.txt.


This project is written in Go. If you want to build it yourself, you need to install Go first.

git clone
cd gochinadns
go get -u ./...
cd cmd/chinadns
go build



./chinadns -p 5553 -c ./chnroute.txt -v


dig @::1 -p5553

Advanced usage

Customize upstream servers

./chinadns -p 5553 -c ./chnroute.txt -s,

In this example, is the trusted resolver and can be a local dns forwarder (e.g. dnscrypt-proxy).

Note: you still need to make sure that your trusted upstream resolver is accessible through a secure channel otherwise your DNS will still get poisoned.

Specify resolver protocol

The default format for upstream resolvers is ip:port for backwards compatibility with ChinaDNS. Resolvers can also be passed as protocol[+protocol]@ip:port where protocol is udp or tcp. Protocols are dialed in the order they are written (left to right). The rightmost protocol acts as a fallback and will only be dialed if the leftmost fails.

For example, if the upstream resolver is a local dns forwarder on port 5353, it can be passed as udp@ because fallback to TCP is not necessary.

Similarly, if you run a transparent TCP proxy that proxies traffic to you could use tcp@

./chinadns -p 5553 -c ./china.list -s udp+tcp@,udp@,tcp@


$ ./chinadns -h

Usage of chinadns:
  -V    Print version and exit.
  -b string
        Bind address. (default "::")
  -c string
        Path to China route list. Both IPv4 and IPv6 are supported. See (default "./china.list")
  -d    Drop results of trusted servers which containing IPs in China. (Bidirectional mode.) (default true)
  -domain-blacklist string
        Path to domain blacklist file.
  -domain-polluted string
        Path to polluted domains list. Queries of these domains will not be sent to DNS in China.
        Force DNS queries use TCP only. Only applies to resolvers declared in ip:port format.
  -l string
        Path to IP blacklist file.
  -m    Enable compression pointer mutation in DNS queries.
  -p int
        Listening port. (default 53)
        Enable SO_REUSEPORT to gain some performance optimization. Need Linux>=3.9 (default true)
  -s value
        Comma separated list of upstream DNS servers. Need China route list to check whether it's a trusted server or not.
        Servers can be in format ip:port or protocol[+protocol]@ip:port where protocol is udp or tcp.
        Protocols are dialed in order left to right. Rightmost protocol will only be dialed if the leftmost fails.
        Protocols will override force-tcp flag. If empty, protocol defaults to udp+tcp (tcp if force-tcp is set) and port defaults to 53.
        Examples: udp@,udp+tcp@, (default udp+tcp@,udp+tcp@
  -test-domains string
        Domain names to test DNS connection health. (default ",")
  -timeout duration
        DNS request timeout (default 1s)
  -trusted-servers value
        Comma separated list of servers which (located in China but) can be trusted.
        Uses the same format as -s.
  -udp-max-bytes int
        Default DNS max message size on UDP. (default 4096)
  -v    Enable verbose logging.
  -y float
        Delay (in seconds) to query another DNS server when no reply received. (default 0.1)