lennylxx / ipv6-hosts

Fork of https://code.google.com/archive/p/ipv6-hosts/, focusing on automation
MIT License

Sharing a more reliable approach, based on Unbound or DNSCrypt-proxy #67

Closed realconnor closed 8 years ago

realconnor commented 8 years ago

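A disclaimer first: the method below has only been tested in an education-network (dual-stack) environment. I don't have a blog, so I'm writing it here. Feel free to repost with attribution: 2016/08/05 by IMconnor.

A while ago, because HOSTS wasn't updated in time, YouTube's redirects to googlevideo.com failed and most videos couldn't be watched, so I gave up on editing HOSTS. I meant to share this method earlier for everyone's benefit :) but I'm lazy…

As we know, on the education network all you need is for DNS queries to return the correct AAAA records; once you have them, the effect is the same as editing HOSTS. The difference is that DNS lookups are less hassle: you don't have to keep coming here to check for updates (and updates here are… not timely either). However, DNS queries for sensitive domains inside China return strange addresses, the so-called DNS pollution. There are a few ways to deal with DNS pollution: one is to use software like DNSCrypt to encrypt your queries; another is to force queries over TCP (for now these don't get reset; no idea about the future, so encryption is relatively more "future-proof").

On my router running OpenWRT firmware I use the first approach, combined with the preinstalled DNSmasq (I originally wanted to use Unbound there too, but the flash is too small to fit it… dnscrypt-proxy is fairly compact). On the PC I use the second approach, with Unbound forcing TCP queries (note that Unbound on a PC can also forward DNS queries to dnscrypt). The following uses the PC as the example:

1. Install Unbound. Download link: https://www.unbound.net/index.html

2. Configure Unbound. You can refer to the official documentation; here is a sample. Taking the default install path C:\Program Files (x86)\Unbound as the example, copy example.conf and rename the copy to service.conf. My contents are below; the "# text" parts are comments and can be removed when you use it.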

#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.5.8.
#
# this is a comment.

#Use this to include other text into the file.
#include: "otherfile.conf"

# The server clause sets the main parameters.
server:
    # number of threads to create. 1 disables threading.
    num-threads: 4

    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
    #0 is system default.  Use 4m to catch query spikes for busy servers.
    so-rcvbuf: 4m

    # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
    #0 is system default.  Use 4m to handle spikes on very busy servers.
    so-sndbuf: 4m

    # use SO_REUSEPORT to distribute queries over threads.
    so-reuseport: yes

    # the amount of memory to use for the message cache.
    # plain value in bytes or you can append k, m or G. default is "4Mb".
    msg-cache-size: 16m

    # the amount of memory to use for the RRset cache.
    # plain value in bytes or you can append k, m or G. default is "4Mb".
    rrset-cache-size: 16m

    # number of outgoing simultaneous tcp buffers to hold per thread.
    outgoing-num-tcp: 64

    # number of incoming simultaneous tcp buffers to hold per thread.
    incoming-num-tcp: 64

    # specify the interfaces to answer queries from by ip-address.
    # The default is to listen to localhost (127.0.0.1 and ::1).
    # specify 0.0.0.0 and ::0 to bind to all available interfaces.
    # specify every interface[@port] on a new 'interface:' labelled line.
    # The listen interfaces are not changed on reload, only on restart.
    interface: 127.0.0.1
    interface: ::1

    # Enable IPv4, "yes" or "no".
    do-ip4: yes

    # Enable IPv6, "yes" or "no".
    do-ip6: yes

    # Enable UDP, "yes" or "no".
    do-udp: yes

    # Enable TCP, "yes" or "no".
    do-tcp: yes

    # upstream connections use TCP only (and no UDP), "yes" or "no"
    # useful for tunneling scenarios, default no.
    # This parameter must be "yes"; it forces upstream queries over TCP.
    tcp-upstream: yes

    # control which clients are allowed to make (recursive) queries
    # to this server. Specify classless netblocks with /size and action.
    # By default everything is refused, except for localhost.
    # Choose deny (drop message), refuse (polite error reply),
    # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
    # deny_non_local (drop queries unless can be answered from local-data)
    # refuse_non_local (like deny_non_local but polite error reply).
    # access-control: 0.0.0.0/0 refuse
    # access-control: 127.0.0.0/8 allow
    # access-control: ::0/0 refuse
    # access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow

    # file to read root hints from.
    # get one from https://www.internic.net/domain/named.cache
    # The "named.cache.txt" file can be downloaded from the link above; if you don't want it, comment out the line below.
    root-hints: "C:\Program Files (x86)\Unbound\named.cache.txt"

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # Harden against out of zone rrsets, to avoid spoofing attempts.
    harden-glue: yes

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This feature is an experimental implementation of draft dns-0x20.
    use-caps-for-id: yes

    # If nonzero, unwanted replies are not only reported in statistics,
    # but also a running total is kept per thread. If it reaches the
    # threshold, a warning is printed and a defensive action is taken,
    # the cache is cleared to flush potential poison out of it.
    # A suggested value is 10000000, the default is 0 (turned off).
    unwanted-reply-threshold: 10000000

    # Do not query the following addresses. No DNS queries are sent there.
    # List one address per entry. List classless netblocks with /size,
    # do-not-query-address: 127.0.0.1/8
    # do-not-query-address: ::1

    # if yes, the above default do-not-query-address entries are present.
    # if no, localhost can be queried (for testing and debugging).
    # do-not-query-localhost: yes

    # if yes, Unbound doesn't insert authority/additional sections
    # into response messages when those sections are not required.
    minimal-responses: yes

    # if yes, perform prefetching of almost expired message cache entries.
    prefetch: yes

    # module configuration of the server. A string with identifiers
    # separated by spaces. Syntax: "[dns64] [validator] iterator"
    # module-config: "validator iterator"

# Forward zones
# Create entries like below, to make all queries for 'example.com' and
# 'example.org' go to the given list of servers. These servers have to handle
# recursion to other nameservers. List zero or more nameservers by hostname
# or by ipaddress. Use an entry with name "." to forward all queries.
# If you enable forward-first, it attempts without the forward if it fails.
# forward-zone:
#   name: "example.com"
#   forward-addr: 192.0.2.68
#   forward-addr: 192.0.2.73@5355  # forward to port 5355.
#   forward-first: no

# The contents of this file are posted further down. Mind the order: this line has to appear before the forward-zone below.
include: "C:\Users\Connor\Desktop\miscellaneous\except_namespace"

# Fill in your own campus DNS addresses; ignore the commented-out lines.
forward-zone:
    name: "."
    forward-addr: <your primary DNS>
    forward-addr: <your secondary DNS>
#   forward-addr: 2620:0:ccc::2
#   forward-addr: 2001:470:20::2    
#   forward-addr: 2001:4860:4860::8844  
#   forward-addr: 2620:0:ccd::2 
#   forward-addr: 2001:470:0:9d::2
#   forward-addr: 2001:4860:4860::8888

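3. Configure the list of polluted domains, i.e. the file referenced by this line in the configuration above:

include: "C:\Users\Connor\Desktop\miscellaneous\except_namespace"

I don't have Unbound forward all queries to a resolver such as 2001:4860:4860::8844, mainly because that makes sites inside China too slow: CDN assignment is mostly based on DNS, and some video sites won't even load. So I lightly processed the hosts file from this repo and compiled a list of domains that need to be forwarded to overseas DNS resolvers (some people go the other way and compile a list of all domestic domains to exclude; personally I find that too much hassle, after all I only want to reach Google and YouTube…), as follows: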

forward-zone:
    name: "abc.xyz"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "com.google"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "registry.google"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "nic.google"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googletagmanager.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.hk"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlechinawebmaster.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "g.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleusercontent.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "265.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.tw"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.jp"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.ae"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.ar"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.at"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.au"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.be"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.br"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.ca"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.ch"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.fi"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.fr"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.de"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.gr"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.il"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.in"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.it"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.jp"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.kr"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.lt"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.lv"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.ly"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.my"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.nl"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.nz"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.pe"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.ph"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.pk"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.pl"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.pt"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.ro"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.ru"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.sg"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.sk"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.tr"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.ua"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.uk"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.ve"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.com.vn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.za"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlemashups.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "appspot.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "withgoogle.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "thinkwithgoogle.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.th"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "blogger.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "blogblog.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "textcube.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "blogspot.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "chrome.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "chromium.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlecode.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlesource.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googledrive.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "keyhole.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gmail.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlemail.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlegroups.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlelabs.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gstatic.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleusercontent.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "orkut.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gmodules.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlepages.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gvt0.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlewave.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gmodules.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "ggpht.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gstatic.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleapis.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlehosted.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "doubleclick.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "2mdn.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googletagservices.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleadsserving.cn"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google-analytics.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleartproject.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "feedburner.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "golang.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "goo.gl"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "g.co"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "html5rocks.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "panoramio.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "polymer-project.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "recaptcha.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "waveprotocol.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "webmproject.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "webm-ccl.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlezip.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "chromercise.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "chromeexperiments.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "20thingsilearned.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleechotest.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "creativelab5.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "data-vocabulary.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleinsidesearch.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "teachparentstech.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "agoogleaday.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gosetsuden.jp"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gwtproject.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "thegooglepuzzle.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "thegobridgeoglepuzzle.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "oneworldmanystories.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlezeitgeist.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "emailintervention.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "dartlang.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "certificate-transparency.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlesyndication.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googleadservices.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "android.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "youtube.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "youtube-nocookie.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "youtu.be"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "ytimg.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gvt0.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gvt1.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "googlevideo.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "facebook.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "fbsbx.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "messenger.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "fb.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "thefacebook.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "facebook.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "fbcdn.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "akamaihd.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "cdninstagram.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "instagram.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikipedia.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikimedia.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikimediafoundation.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "mediawiki.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikibooks.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikinews.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikiquote.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikisource.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wiktionary.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wikiversity.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "gravatar.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "plurk.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "yahoo.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "yimg.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "yieldmanager.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "uncyclopedia.hk"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "uncyclopedia.info"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "uncyclopedia.tw"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "uncyclomedia.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "uncyc.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "ansaikuropedia.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "vncdn.co"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "vine.co"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "tumblr.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "flickr.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "staticflickr.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "github.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "githubapp.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "githubusercontent.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "stackoverflow.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "stackexchange.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "sstatic.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "stackapps.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "superuser.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "askubuntu.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "serverfault.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "mathoverflow.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "mathjax.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "imgur.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "pastebin.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "edgecastcdn.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "tweetdeck.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "whicdn.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "viglink.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wordpress.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wp.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "wordpress.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "xda-developers.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "ptt.cc"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "getlantern.org"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "akamaiedge.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "akamai.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "cloudfront.net"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "cotcdn.net"
    forward-addr: 2001:4860:4860::8844

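The 2001:4860:4860::8844 in the file can be replaced with whatever resolver address you like, such as OpenDNS; if you mainly use Google services, its own resolver is a bit faster. If the file doesn't contain a forward-zone for a site you want to reach, add it yourself.

4. Restart the Unbound service.

5. Flush the DNS cache: ipconfig /flushdns

6. Set the DNS address.

7. Unfortunately, the following domains have no AAAA records: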

# Google
2404:6800:4005:80b::2003 scholar.google.com
2404:6800:4005:80b::2003 scholar.google.com.hk
2404:6800:4005:80b::2003 scholar.google.com.tw
2404:6800:4005:800::2003 scholar.google.cn #www.google.cn
2404:6800:4005:80b::2003 scholar.l.google.com

2404:6800:4008:c02::11    android.clients.google.com
2404:6800:4008:c02::11    android.l.google.com
2404:6800:4008:c02::11    wifi.google.com
2404:6800:4008:c02::11    wifi.l.google.com

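Fortunately these domains rarely change, so they can be put in HOSTS. That pretty much solves the problem of using Google services over IPv6.

Finally, if your router can't fit Unbound either and has dnscrypt installed instead, configuration is also simple: process the except_namespace file above slightly and include it in dnsmasq's configuration file, in this format: list server '/google.com.tw/127.0.0.1#5353'. It can also be changed in the web admin interface, probably under DHCP/DNS. If your router can't get IPv6, see an answer of mine: https://www.zhihu.com/question/29667477/answer/93634257 . Also, I don't know whether getting IPv6 by plugging into a LAN port and turning off DHCP lets you reach Google with this method; with that setup every client that connects has to go through campus-network authentication, which I personally dislike :( Enjoy :)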
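
The conversion mentioned at the end of the post above (turning the Unbound except_namespace file into dnsmasq `server` entries that point at a local dnscrypt-proxy), as an added example that is not part of the original post. The sample input is constructed; the listener address 127.0.0.1#5353 is the one in the post's example line, and the function names are hypothetical.

```python
import re

# Constructed sample in the same shape as the post's except_namespace file.
# It repeats one zone on purpose, as the posted list does.
SAMPLE = '''\
forward-zone:
    name: "google.com"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "google.co.jp"
    forward-addr: 2001:4860:4860::8844
# a comment line
forward-zone:
    name: "google.co.jp"
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "youtube.com."
    forward-addr: 2001:4860:4860::8844
forward-zone:
    name: "."
    forward-addr: 192.0.2.53   # constructed placeholder for the campus resolver
'''

CLAUSE_RE = re.compile(r'^\s*([a-z-]+):\s*$')            # e.g. "server:" or "forward-zone:"
NAME_RE = re.compile(r'^\s*name:\s*"?([^"\s]+)"?\s*$')   # name: "zone"
LABEL_RE = re.compile(r'^(?!-)[a-z0-9_-]{1,63}(?<!-)$')  # one DNS label


def parse_forward_zones(text):
    """Return (zones, duplicates) from the forward-zone clauses in text.

    Zones are lower-cased, stripped of a trailing dot and kept in file order.
    The catch-all zone "." is skipped: it is the default forwarder, not an exception.
    """
    zones, duplicates, seen = [], [], set()
    in_forward = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if not line.strip():
            continue
        clause = CLAUSE_RE.match(line)
        if clause:
            in_forward = clause.group(1) == "forward-zone"
            continue
        match = NAME_RE.match(line) if in_forward else None
        if not match:
            continue
        zone = match.group(1).lower().rstrip(".")
        if not zone:                          # name: "."
            continue
        # Refuse anything that is not a plain domain name, so a malformed
        # line cannot smuggle extra syntax into the generated dnsmasq config.
        if not all(LABEL_RE.match(label) for label in zone.split(".")):
            raise ValueError(f"not a valid domain name: {zone!r}")
        if zone in seen:
            duplicates.append(zone)
        else:
            seen.add(zone)
            zones.append(zone)
    return zones, duplicates


def to_dnsmasq(zones, upstream="127.0.0.1#5353", uci=True):
    """Render one line per zone.

    uci=True gives the OpenWrt /etc/config/dhcp form shown in the post;
    uci=False gives the plain dnsmasq.conf form.
    """
    fmt = "list server '/{z}/{u}'" if uci else "server=/{z}/{u}"
    return [fmt.format(z=z, u=upstream) for z in zones]


if __name__ == "__main__":
    zones, dups = parse_forward_zones(SAMPLE)
    print("\n".join(to_dnsmasq(zones)))
    if dups:
        print("duplicate zones dropped:", ", ".join(dups))
```
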

realconnor commented 8 years ago

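Somehow the URLs in the post above don't open when clicked; you can copy them and open them that way.

Also, if anyone has a more complete except_namespace file, please share it. For example, Twitter has been getting reset these past couple of days (the previous issue mentioned it too); because its IPv6 support is incomplete and the main site has no AAAA record, there's not much to be done, and the only option is to go over the wall.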

realconnor commented 8 years ago

Also, I hope lennylxx won't close this issue :+1:

phy25 commented 8 years ago

Closing this issue doesn't stop you from commenting 😮

On 5 Aug 2016 at 5:23 PM, "IMconnor" notifications@github.com wrote:

Also, I hope lennylxx won't close this issue 👍

realconnor commented 8 years ago

Once it's closed it's hard to find.

maxchendt commented 8 years ago

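According to my logs, before "2015-12-11 16:26" the OP's method worked on my end; after that it stopped working: TCP reset, or simply dropped. Since then I have been using ss-tunnel's UDP relay to relay DNS through an encrypted channel.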

realconnor commented 8 years ago

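Really? Then try nslookup -vc google.com 2001:4860:4860::8844 ; if the query works, it should be fine, because I haven't yet seen a TCP query get polluted. If that really doesn't work, you can combine it with dnscrypt: all other settings stay the same, you can turn off tcp-upstream and forward DNS to dnscrypt's local address.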

maxchendt commented 8 years ago

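Unreliable: sometimes it works, sometimes TCP reset, sometimes no response (dropped).

dig +tcp +short google.com @2001:4860:4860::8844
216.58.221.110
dig aaaa +tcp +short google.com @2001:4860:4860::8844
2404:6800:4005:80a::200e

Also, the 2404:6800:4005 range that it resolves to pings fast with ping6, but HTTPS can't connect (data is dropped). It has to be resolved to some other range by other means before we can connect quickly here.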

realconnor commented 8 years ago

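Oh, I see. Google's DNS servers return the nearest (Hong Kong) result; the Hong Kong one was giving certificate errors a while ago, which is probably also a form of attack, causing the browser to reset the connection itself. I have no problem with Chrome, though; other browsers behave this way. Switch to 2620:0:ccc::2 so it resolves to Los Angeles and it works.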

LGA1150 commented 8 years ago

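@IMconnor Actually it's that TCP ports 80/443 on the IP are blocked, nothing as sophisticated as you think. In fact I have already implemented https://github.com/bazingaterry/SYSUv6-DNS , based on dnsmasq and Pcap_DNSProxy.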

realconnor commented 8 years ago

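@LGA1150, Sun Yat-sen University's network environment may be different from other schools'... Also, may I ask: since HTTPS is blocked, why does Chrome work? Is it using its own QUIC protocol? I haven't dug into it with packet captures.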

LGA1150 commented 8 years ago

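But as far as I know, the IPv6 environment is the same nationwide; TCP ports 80/443 are blocked, ping is not, and when you send a SYN you get a pile of RST+ACK back.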

realconnor commented 8 years ago

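I mean your Pcap_DNSProxy is tailored to your school's "most network traffic exits via China Unicom and China Mobile"; that part is different, so your project isn't suitable for other schools. As for IPv6, it really works fine here; if every SYN came back as RST, could this hosts project still be used at all? What actually happens is that my PC works fine with Google DNS (TCP), and the resolution results are the same as the hosts file, because it uses the same resolver as this project's update script (2001:4860:4860::8844).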

PS C:\Users\Connor> nslookup.exe google.com
服务器:  localhost
Address:  127.0.0.1

非权威应答:
名称:    google.com
Addresses:  2404:6800:4005:802::200e
          216.58.221.238

And OpenWrt uses dnsmasq+dnscrypt; the resolver dnscrypt uses is Cisco's 2620:0:ccc::2, and the Google address it resolves is in Los Angeles, likewise no problem.

PS C:\Users\Connor> nslookup.exe google.com
服务器:  OpenWrt.lan
Address:  192.168.1.1

非权威应答:
名称:    google.com
Addresses:  2607:f8b0:4007:80b::200e
          216.58.193.206

I'll do a packet capture when I have time, sigh...

LGA1150 commented 8 years ago

1. "Most" actually refers to IPv4. 2. Only 2404:6800:4005:80x::200e is blocked; the others are not.

realconnor commented 8 years ago

200e is blocked where you are? OK, but mine resolves to 2404:6800:4005:802::200e and works just fine… looks like it still has to be analysed case by case.

LGA1150 commented 8 years ago

x = 0, 1, 8, 9, a, b