shadowsocks / ChinaDNS

Protect yourself against DNS poisoning in China.
GNU General Public License v3.0

ChinaDNS worked with DNSCrypt? #122

Closed zw963 closed 8 years ago

zw963 commented 8 years ago

Hi, thanks a lot for this project.

Currently, I have installed ss-redir with chinadns on my ASUS RT-AC66U.

I don't set anything special: just chinadns listening on port 5356, ss-redir listening on port 1081, iptables redirecting foreign IPs to port 1081, and chinadns set as the dnsmasq upstream.

It seems like everything works well for me; I haven't found any DNS problem in two days of use.

Following are the versions and arguments:

ss-redir 2.4.5: -c /opt/etc/shadowsocks.json -l 1081
chinadns 1.3.2: -l /opt/etc/chinadns_iplist.txt -c /opt/etc/chinadns_chnroute.txt -p 5356
dnsmasq 2.7.6

I don't start ss-redir with -u enabled, and I don't start ss-tunnel either. What I wonder is: is dnscrypt still needed in this case?

Thanks.


s7lx commented 8 years ago

@zw963 you need to set the upstream server for chinadns to dnscrypt.

chinadns needs more than one DNS server as upstream.

So you can run chinadns like this:

chinadns -l chinadns_iplist.txt -c chnroute.txt -s 114.114.114.114,<dnscrypt server ip> -p 5356

Then dnscrypt will be the upstream server for chinadns.

zw963 commented 8 years ago

@s7lx , Thanks.

I understand how to do it now, but I don't know why to do it.

Currently, for chinadns, I don't specify any -s argument, so chinadns just uses the default value. In this case, the value is 114.114.114.114,208.67.222.222:443,8.8.8.8

I can access twitter, youtube, facebook now, so I think the DNS UDP query works with encryption enabled (aes-256-cfb?? redir uses this protocol).

In this case, why do I still need to use dnscrypt?

thanks.

zw963 commented 8 years ago

Previously, without chinadns, I could not access facebook, twitter etc., but I could access google with ss-redir.

Currently, with chinadns, my router works well as a transparent proxy.

The problem is: why do I need dnscrypt? Is there some case where I must use it?

tony1016 commented 8 years ago

You don't need to unless you can't get the real IP from chinadns.

zw963 commented 8 years ago

@tony1016

"you can't get the real IP from chinadns"

Is this caused by the ISP? Or the VPS? Or something else?

thanks

tony1016 commented 8 years ago

e.g. sometimes I can't connect to 8.8.8.8 temporarily, so it returns a polluted IP from 114.

s7lx commented 8 years ago

@zw963 look at this article http://gfwrev.blogspot.com/2009/11/gfwdns.html

zw963 commented 8 years ago

@tony1016 , @s7lx , thanks a lot.

I read through that article and basically understood its key idea.

Though, I still have some doubts about it.

"e.g. sometimes I can't connect to 8.8.8.8 temporarily, so it returns a polluted IP from 114."

My problem is: if I meet this case, could dnscrypt help at all?

Another problem is the current working process: where do the DNS UDP packets go? Are they kept secret from the G----F----W? Why, without chinaDNS, could I not access facebook?

ss-redir -c /opt/etc/shadowsocks.json -l 1081 + iptables REDIRECT
chinadns -l /opt/etc/chinadns_iplist.txt -c /opt/etc/chinadns_chnroute.txt -p 5356
dnsmasq with config: server=/#/127.0.0.1#5356

ss-redir encrypted with aes-256-cfb.

zw963 commented 8 years ago

Hi, I found that if I change chinadns to the following arguments, it doesn't work.

-l /opt/etc/chinadns_iplist.txt -c /opt/etc/chinadns_chnroute.txt -p 5356 -s 114.114.114.114,8.8.8.8

In fact, -s 114.114.114.114,208.67.222.222:443 doesn't work well for me either.

But the default value 114.114.114.114,208.67.222.222:443,8.8.8.8 works as expected.

I think maybe I need to start a dnscrypt server on my VPS, to remove the use of 208.67.222.222 (it seems this is an OpenDNS IP address).

zw963 commented 8 years ago

Could anyone explain what 208.67.222.222:443 is? Thanks.

Is this a public dnscrypt DNS server? I didn't install the dnscrypt package on my router...

zw963 commented 8 years ago

"@zw963 you need to set the upstream server for chinadns to dnscrypt.

chinadns needs more than one DNS server as upstream.

So you can run chinadns like this:

chinadns -l chinadns_iplist.txt -c chnroute.txt -s 114.114.114.114,<dnscrypt server ip> -p 5356

Then dnscrypt will be the upstream server for chinadns."

Thanks. Following @s7lx's reply, I set dnscrypt as the chinadns upstream, and it works well for me.

Though, performance is not significantly improved compared with OpenDNS 208.67.222.222:443... Even worse... I don't know why...

Anyway, Thanks all.