shadowsocks / ChinaDNS

Protect yourself against DNS poisoning in China.
GNU General Public License v3.0

edns-client-subnet implementation #48

Open clowwindy opened 9 years ago

clowwindy commented 9 years ago
  1. Only query DNS over VPN
  2. Use edns-client-subnet to resolve domestic domains
  3. Query directly for foreign domains
jedisct1 commented 9 years ago

What? edns-client-subnet is terrible from a privacy standpoint.

clowwindy commented 9 years ago

The normal routing table configuration is like:

Home
  |---> direct <-----------> China IP range
  |---> VPN -> US server <-> Foreign IP range

If we rely only on DNS over VPN and try to query a domestic website like taobao.com over VPN, we'll probably get a CDN IP located in the US. That's slow. So here edns-client-subnet looks like our only option.

We don't really care much about privacy outside China. At least the NSA won't block Facebook or YouTube. I think our users are not very likely to download pirated movies or watch porn videos over VPN (which is what I believe most American people use VPN for).

And we don't have to use our real IP. It's OK to just use an IP within the same network.

hgl commented 9 years ago

Using edns-client-subnet can be optional if google DNS is queried directly. They already do that.

Are you planning to force users to use VPN with ChinaDNS? How does that work? Asking them to specify a VPN interface when starting ChinaDNS?

clowwindy commented 9 years ago

I believe Google DNS will be blocked completely in a few months. I'm just getting prepared for that.

hgl commented 9 years ago

Really? Where do you get that information? Can't wait for it to happen, making more people realize we have a system that dwarfs the NSA.

I personally think ChinaDNS shouldn't be dealing with VPN. All it should do is to provide an option to the user asking her if she wants to treat records returned from a foreign DNS as potentially being fake. She is expected to set up the VPN and the routing herself, and when she does that, the option should be turned off.

But that's just my 2 cents. Thank you for sharing this project and making our life easier. :)

BTW, I think simply disallowing discussion of ChinaDNS's mechanism won't help much. Your source code is right in the open. I highly doubt the people in charge of the system are unable to understand it. Discussion would encourage an unbreakable solution (or at least one very expensive for the system to counteract, like the scholarzhang project). Security through obscurity won't work well.

Hope I didn't offend you or anything. Just want to open the outside world to more people like you did. :)

shangjiyu commented 9 years ago

https://github.com/Pentiumluyu/ChinaDNS this fork version uses DNS compression pointer mutation instead of the delay option, which may accelerate DNS resolution in some special?

clowwindy commented 9 years ago

@shangjiyu I think he could make this feature optional and send a pull request.

wingerted commented 9 years ago

I'm working on this at https://github.com/wingerted/ChinaDNS-C and I think I have got the right results for some tests now...

clowwindy commented 9 years ago

@wingerted Great work! Do you have any problem when loading common China video sites (youku, tudou)?

wingerted commented 9 years ago

I haven't deployed it on my router yet, since there is something strange. First I used edns-client-subnet on my host computer and queried "www.taobao.com" via 8.8.8.8 with my VPS's (in America) IP. Well, that's good. It returned an IP from America. But when I used it on my VPS and queried "www.taobao.com" via 8.8.8.8 with my host computer's IP, it only returned an IP from America, not from China. I used the dig tool with the edns-client-subnet patch, and it returned the same result = =. And I can't get youku's China IP either.

clowwindy commented 9 years ago

@wingerted Seems that the NS servers of neither youku nor taobao support edns-client-subnet. We may have to wait.

wingerted commented 9 years ago

@clowwindy Maybe I could merge this feature into ChinaDNS first?

clowwindy commented 9 years ago

@wingerted We also need to do more than simply adding edns-client-subnet pseudo section. We may want to send two queries: one with +client=china_ip and another with +client=vps_ip (or without +client). Then we may want to add a strategy to pick one of the results.

Since we are not able to test the strategy at the moment, we'd better continue the work in the future.
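The two-query scheme clowwindy sketches above (one query carrying the China subnet, one carrying the VPS subnet or no subnet, then a strategy to pick one answer) as an added example. This is not ChinaDNS or ChinaDNS-C code: it builds the EDNS0 OPT pseudo-section with the Client Subnet option by hand (option code 8, the wire layout from RFC 7871), parses it back out of a packet, and applies an assumed pick strategy: use the China-subnet answer when it falls inside a China IP range, otherwise use the foreign answer. The subnets, the answer lists and the `CHINA_RANGES` list are constructed placeholders; a real deployment would load an actual China IP range list and send the two queries to a resolver.

```python
"""EDNS Client Subnet (ECS) query builder, parser and a two-answer pick
strategy. Constructed example, not ChinaDNS code. All addresses below are
documentation/placeholder ranges."""
import ipaddress
import struct

ECS_OPTION_CODE = 8       # EDNS option code for Client Subnet (RFC 7871)
OPT_RR_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
EDNS_UDP_SIZE = 4096

# Placeholder China ranges for the pick strategy (constructed; a real list
# would be loaded from a China IP range file).
CHINA_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ecs_option(subnet):
    """Return one EDNS option: CODE(2) LEN(2) FAMILY(2) SOURCE(1) SCOPE(1) ADDR.
    ADDR is truncated to the bytes covered by the source prefix, and bits
    beyond the prefix are zero because ip_network() masks the address."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname, subnet, txid=0x1234, qtype=1):
    """Build a recursive A query with an OPT RR; ECS is attached if subnet is set.
    Passing subnet=None gives the 'without +client' variant of the scheme."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = build_ecs_option(subnet) if subnet else b""
    # OPT RR: root name, type 41, UDP payload size in CLASS, ext-RCODE/version/flags in TTL
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, EDNS_UDP_SIZE, 0, len(rdata)) + rdata
    return header + question + opt_rr


def _skip_name(pkt, off):
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ecs(pkt):
    """Return ("network/prefix", scope_prefix) from the ECS option in a DNS
    message, or None when there is no OPT RR or no ECS option in it."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        o = 0
        while o + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            full = 4 if family == 1 else 16
            addr = body[4:] + b"\x00" * (full - len(body[4:]))   # re-pad truncated address
            net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{source}", strict=False)
            return str(net), scope
    return None


def pick_answer(china_answer, foreign_answer, china_ranges=CHINA_RANGES):
    """Assumed strategy: if the answer to the China-subnet query contains an
    address inside a China range the domain is domestic, so route it direct;
    otherwise keep the foreign answer and send it over the VPN."""
    def in_china(ip):
        a = ipaddress.ip_address(ip)
        return any(a in n for n in china_ranges)
    if any(in_china(ip) for ip in china_answer):
        return "direct", list(china_answer)
    return "vpn", list(foreign_answer)


if __name__ == "__main__":
    q = build_query("www.taobao.com", "203.0.113.0/24")   # constructed China subnet
    print(len(q), "bytes, ECS =", parse_ecs(q))
    print(pick_answer(["203.0.113.10"], ["198.51.100.5"]))
```

The builder deliberately sends only the prefix-length worth of address bytes, which is what clowwindy means by not needing the real IP: a /24 of the user's network leaks nothing beyond the subnet, and the resolver echoes back a SCOPE prefix telling how much of it the authoritative server actually used.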

wingerted commented 9 years ago

@clowwindy OK, I will keep on it~ By the way, it's the first step for me to join the open source community. It's a pleasure discussing with you, Thanks ~。~

clowwindy commented 9 years ago

@wingerted Nice. Hope you'll enjoy it :)