https://www.txthinking.com/talks/
Updated at: 2023-05-13
cloud@txthinking.com
Brook obtains the domain name through Fake DNS and then performs tasks based on that domain name, such as mapping it to an IP with hosts.
The TTL of a Fake DNS answer is 60 seconds, so there is no problem under normal circumstances, but some apps that do not comply with the standard may cache the answer for longer. Instagram should be criticized for this; a script can be used to keep a specified domain name from going through Fake DNS.
Note that throughout this process the local side never learns the real IP address that is being connected to.
The above is only the simplest flow, to show how Fake DNS works. The actual process also involves rule scripts and more.
We know from the above that Fake DNS works by intercepting UDP port 53, so we need to stop applications and the system from resolving domain names in any other way, for example by turning off encrypted DNS in the following settings:
Settings -> Network & internet -> Private DNS -> Off
Settings -> Network & Internet -> Your Network -> DNS settings -> Edit -> Preferred DNS -> Unencrypted only -> 8.8.8.8
Settings -> Privacy and security -> Use secure DNS -> Off
Settings -> Privacy and security -> Security -> Use secure DNS -> Off
That is to say, even though your system DNS is clearly configured with a normal (plaintext) DNS server, the final query may still go over secure DNS.
This is because the system or browser first sends a query to the system DNS asking whether DoH is supported, and if it is, upgrades to DoH for its queries. For example, with 8.8.8.8:
```
brook dnsclient --dns 8.8.8.8:53 -d _dns.resolver.arpa -t SVCB
```
```
;; opcode: QUERY, status: NOERROR, id: 52504
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
;; QUESTION SECTION:
;_dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn="dot"
_dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn="h2,h3" dohpath="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google. 86400 IN A 8.8.8.8
dns.google. 86400 IN A 8.8.4.4
dns.google. 86400 IN AAAA 2001:4860:4860::8888
dns.google. 86400 IN AAAA 2001:4860:4860::8844
```
As you can see, 8.8.8.8 supports DoT and DoH.
Don't worry: if Fake DNS is enabled, the Brook client blocks this SVCB query for you.
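As an added example (not part of the original talk or of Brook itself), here is a small Python parser for the kind of DDR answer shown above: it decodes the SVCB records for _dns.resolver.arpa and lists which encrypted transports the resolver advertises (alpn "dot" means DoT; "h2"/"h3" together with a dohpath mean DoH). The packet is constructed inline to mirror the dns.google answer; the parser assumes a response with a single question and handles RFC 1035 name compression.

```python
import struct

def encode_name(name):  # dotted name -> RFC 1035 labels, no compression
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def read_name(pkt, off):  # decode a name at pkt[off], following compression pointers
    ln = pkt[off]
    if ln & 0xC0 == 0xC0:  # pointer: the name continues at another offset, 2 bytes used here
        return read_name(pkt, struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF)[0], off + 2
    if ln == 0:
        return "", off + 1
    rest, end = read_name(pkt, off + 1 + ln)
    return pkt[off + 1:off + 1 + ln].decode() + "." + rest, end

def parse_svcb(pkt, off, rdlen):  # RFC 9460 RDATA: priority, target name, SvcParams
    end, params = off + rdlen, {}
    target, off = read_name(pkt, off + 2)  # skip the 2-byte priority
    while off < end:
        key, ln = struct.unpack("!HH", pkt[off:off + 4])
        val, off = pkt[off + 4:off + 4 + ln], off + 4 + ln
        if key == 1:  # alpn: sequence of length-prefixed protocol ids ("dot", "h2", "h3")
            ids, i = [], 0
            while i < len(val):
                ids.append(val[i + 1:i + 1 + val[i]].decode())
                i += 1 + val[i]
            params["alpn"] = ids
        elif key == 7:  # dohpath: URI template of the DoH endpoint
            params["dohpath"] = val.decode()
    return target, params

def ddr_transports(pkt):  # (target, alpn, dohpath) per SVCB answer; "dot" = DoT, h2/h3 = DoH
    an = struct.unpack("!H", pkt[6:8])[0]
    found, off = [], read_name(pkt, 12)[1] + 4  # past the single question (QNAME, QTYPE, QCLASS)
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 64:  # SVCB
            target, p = parse_svcb(pkt, off, rdlen)
            found += [(target, a, p.get("dohpath")) for a in p.get("alpn", [])]
        off += rdlen
    return found

# Constructed sample: the two SVCB records dns.google returns for _dns.resolver.arpa, as shown above.
_rr1 = struct.pack("!H", 1) + encode_name("dns.google") + struct.pack("!HH", 1, 4) + b"\x03dot"
_rr2 = (struct.pack("!H", 2) + encode_name("dns.google") + struct.pack("!HH", 1, 6) + b"\x02h2\x02h3"
        + struct.pack("!HH", 7, 16) + b"/dns-query{?dns}")
SAMPLE = struct.pack("!6H", 0xCD18, 0x8580, 1, 2, 0, 0) + encode_name("_dns.resolver.arpa") + struct.pack("!HH", 64, 1)
for _rr in (_rr1, _rr2):  # owner name is a pointer (0xC00C) back to the question name
    SAMPLE += b"\xC0\x0C" + struct.pack("!HHIH", 64, 1, 86400, len(_rr)) + _rr
```

Running ddr_transports(SAMPLE) yields one DoT entry and two DoH entries for dns.google., which is exactly the upgrade information a client acts on before Fake DNS ever sees a plaintext query.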
That is to say, even though your system DNS is clearly configured with ordinary DNS, and even when no upgrade query is made, the final query may still go over secure DNS.
This is because the system and browser have built-in information about some secure DNS providers. For example, if it finds that the DNS is 8.8.8.8 and knows that this resolver also supports DoH, it uses DoH directly. At this point we can block these connections with a script:
```tengo
text := import("text")

f := func() {
    // Block the DNS query that would resolve the DoH/DoT endpoint name.
    if in_dnsquery {
        if in_dnsquery.domain == "dns.google" {
            return { "block": true }
        }
        return
    }
    // Block direct connections to Google's DoT (853) and DoH (443) endpoints, by IP or by name.
    if in_address {
        m := in_address
        if m.ipaddress && (m.ipaddress == "8.8.8.8:853" || m.ipaddress == "8.8.8.8:443" || m.ipaddress == "8.8.4.4:853" || m.ipaddress == "8.8.4.4:443" || m.ipaddress == "[2001:4860:4860::8888]:853" || m.ipaddress == "[2001:4860:4860::8888]:443" || m.ipaddress == "[2001:4860:4860::8844]:853" || m.ipaddress == "[2001:4860:4860::8844]:443") {
            return { "block": true }
        }
        if m.domainaddress && text.has_prefix(m.domainaddress, "dns.google:") {
            return { "block": true }
        }
        return
    }
}
out := f()
```
Of course, you can also configure a system DNS that does not support DoH, for example by creating a DNS server with brook:
```
brook dnsserver --listen :53
```
You might say: there is no real network connection to the system DNS in the whole process, so just fill in a non-existent DNS server.
This is true for A/AAAA queries, but for MX or other record types a real network connection to the DNS server is made, so it is still necessary to fill in a real DNS.