DNS Configuration
Currently, this tun2socks project is designed to perform a simple task:

```
TCP/UDP packets <---(L3)---> [TUN Device <-> User-space TCP/IP stack] <---(L4)---> [Proxy Server]
```

It accepts incoming TCP/UDP packets through a TUN interface and proxies them through a proxy server.

The point is that tun2socks is not designed to perform DNS resolution, so users are responsible for setting up or configuring their own DNS servers.
To set up DNS in Linux, see:
To set up DNS in macOS, see:
- https://support.apple.com/en-ca/guide/mac-help/mh14127/mac
- https://osxdaily.com/2015/06/02/change-dns-command-line-mac-os-x/
To set up DNS in Windows, see:
For example, to set the DNS server address on a specified network interface to `8.8.8.8`, do the following:

```
netsh interface ipv4 set dns name="<Network Adapter>" static 8.8.8.8
```
Some applications or programs may not follow the system's DNS settings; for example, they may hardcode their own DNS server address and bypass the system's name resolution flow. In this case, DNS hijacking can be used to solve this kind of problem.

Please note that this method only applies to UDP-based DNS resolution; some TCP-based or DNS-over-HTTPS (DoH) resolutions can never be hijacked this way due to their security protections.
Using iptables
To redirect all DNS queries to 8.8.8.8:

```
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 8.8.8.8:53;
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE;
```

Or, for example, to redirect only Cloudflare DNS queries to 8.8.8.8:

```
iptables -t nat -A PREROUTING -p udp -d 1.1.1.1,1.0.0.1 --dport 53 -j DNAT --to 8.8.8.8:53;
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE;
```
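The two rule sets above, combined into one POSIX sh script as an added example (not from the tun2socks wiki): it previews the rules with `DRY_RUN=1`, installs them idempotently (`-C` before `-A`, so re-running does not duplicate rules) and removes them again, expanding a comma-separated resolver list into one PREROUTING rule per address. `DNS_TARGET`, `OUT_IF` and the resolver list are placeholders for your own gateway, defaulting to the page's `8.8.8.8` and `eth3`.

```sh
#!/bin/sh
# Added example (not part of the tun2socks wiki). DNS_TARGET, OUT_IF and the
# resolver list are placeholders; set them for your own gateway.
DNS_TARGET="${DNS_TARGET:-8.8.8.8}"   # resolver every hijacked query is sent to
OUT_IF="${OUT_IF:-eth3}"              # interface the rewritten packets leave on

# Emit the rule set as "CHAIN rule-spec" lines.  $1 is an optional comma-separated
# list of resolver addresses to hijack (one PREROUTING rule each); empty hijacks
# every UDP/53 packet, as in the first rule set on the page.
dns_rules() {
    if [ -n "$1" ]; then
        for addr in $(printf '%s' "$1" | tr ',' ' '); do
            printf 'PREROUTING -p udp -d %s --dport 53 -j DNAT --to %s:53\n' "$addr" "$DNS_TARGET"
        done
    else
        printf 'PREROUTING -p udp --dport 53 -j DNAT --to %s:53\n' "$DNS_TARGET"
    fi
    printf 'POSTROUTING -p udp -d %s --dport 53 -o %s -j MASQUERADE\n' "$DNS_TARGET" "$OUT_IF"
}

# Every iptables call goes through here so DRY_RUN=1 prints instead of executing.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        [ "$1" = "-C" ] && return 1   # pretend the rule is absent so -A/-D are shown
        echo "iptables -t nat $*"
        return 0
    fi
    iptables -t nat "$@"
}

# $1: add | del   $2: optional resolver list (see dns_rules)
# "add" checks with -C first, so running it twice does not duplicate rules.
dns_hijack() {
    case "$1" in
        add|del) ;;
        *) echo "usage: dns_hijack add|del [resolver,list]" >&2; return 2 ;;
    esac
    action="$1"
    dns_rules "$2" | while read -r chain spec; do
        # $spec is deliberately unquoted: it must split into separate arguments
        if [ "$action" = add ]; then
            ipt -C "$chain" $spec 2>/dev/null || ipt -A "$chain" $spec
        else
            ipt -D "$chain" $spec
        fi
    done
}

# Stand-alone use: DRY_RUN=1 ./dns-hijack.sh add 1.1.1.1,1.0.0.1
[ $# -eq 0 ] || dns_hijack "$@"
```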
Since neither macOS nor Windows has iproute2 support, DNS hijacking is relatively complicated on those systems. In macOS, Packet Filter (pf) could be used as an alternative, but I have not tested it yet.

Therefore, it is recommended to use MITM-based or customized proxy servers to implement DNS hijacking on the proxy server side.

The V2Ray project can easily be adapted for this purpose; see this discussion: v2fly/v2ray-core#2441