Modify BIND9 to implement TCP DNS

Source: Internet
Author: User

Recently, coinciding with a certain "square festival", Google's overseas sites have been in a walled (blocked) state, as presumably everyone knows.

In fact, I have been using an SSH SOCKS proxy to get over the wall, and it works well; on top of that, the university has native IPv6, so even without the proxy most major websites are reachable. There is just one catch: whether in the browser or in the operating system, DNS uses UDP, and UDP obviously cannot be routed through a SOCKS proxy, so sites such as YouTube and Facebook remain inaccessible because their domain names cannot be resolved.

However, there is always a solution to the problem.

Because UDP DNS is what everyone uses, many people do not realise that DNS also supports TCP. The GFW only hijacks and pollutes UDP DNS, so TCP DNS gets through unblocked.

The only problem is that browsers, operating systems and so on do not use TCP DNS directly. For some time I have been using tcp-dns-proxy to solve this. It is a small Python program that connects to the DNS server over TCP while listening on local UDP port 53, thereby relaying UDP queries as TCP DNS. The program is simple and convenient to run, and well worth recommending.

However, tcp-dns-proxy itself has some problems, such as the lack of a proper caching mechanism, which makes queries slower, and its stability and concurrency handling are mediocre. So I wondered whether there is a more stable solution.
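To make the relaying described above concrete, here is an added example (written for this page, not tcp-dns-proxy's own code and not BIND's) of the core of such a UDP-to-TCP DNS relay: building a query, wrapping it in the two-byte length prefix that DNS over TCP requires (RFC 1035 section 4.2.2), splitting a TCP byte stream back into whole messages, and checking that a reply actually belongs to the query before it is handed back to the UDP client. The local port 5353 and the upstream address 192.0.2.1 are placeholders chosen for this example.

```python
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035): 12-byte header with RD set,
    one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(buf: bytes):
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, remainder); the remainder is a trailing partial
    message that must wait for more bytes from the socket, since TCP
    gives no guarantee that one recv() returns exactly one message."""
    msgs = []
    pos = 0
    while len(buf) - pos >= 2:
        (length,) = struct.unpack_from("!H", buf, pos)
        if len(buf) - pos - 2 < length:
            break
        msgs.append(buf[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return msgs, buf[pos:]


def reply_matches(query: bytes, reply: bytes) -> bool:
    """Sanity check before relaying a reply to the UDP client: same
    transaction ID, QR bit set, and an identical question section."""
    if len(query) < 12 or len(reply) < 12:
        return False
    if reply[:2] != query[:2]:          # transaction ID
        return False
    if not reply[2] & 0x80:             # QR bit: must be a response
        return False
    # The question starts at offset 12; the root label (0x00) ends the
    # name, followed by 2 bytes QTYPE and 2 bytes QCLASS.
    qend = query.index(b"\x00", 12) + 5
    return reply[12:qend] == query[12:qend]


def relay_once(udp_sock: socket.socket, upstream: tuple, timeout: float = 5.0) -> None:
    """Serve one UDP request: forward it over TCP to `upstream` and send the
    reply back. A real daemon would loop, cache, and serve clients concurrently."""
    data, client = udp_sock.recvfrom(4096)
    with socket.create_connection(upstream, timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(data))
        buf = b""
        msgs = []
        while not msgs:
            chunk = tcp.recv(4096)
            if not chunk:
                return                  # upstream closed without answering
            buf += chunk
            msgs, buf = unframe_from_tcp(buf)
    reply = msgs[0]
    if reply_matches(data, reply):
        udp_sock.sendto(reply, client)


if __name__ == "__main__":
    # Port 53 needs root; this example listens on a high port instead.
    # The upstream below is a placeholder (TEST-NET-1), not a real resolver.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 5353))
    while True:
        relay_once(srv, ("192.0.2.1", 53))
```

The `reply_matches` check is what distinguishes a careful relay from a blind one: a forged UDP reply is easy to inject because anyone can send a datagram, whereas over TCP the answer arrives on the connection the relay itself opened, and checking the transaction ID and question section on top of that means a mismatched or stray message is dropped rather than delivered to the client.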

In the end I chose BIND, the veteran DNS server, whose forwarding feature makes DNS forwarding relatively easy to implement. The following configuration changes were made on Ubuntu 14.04:

/etc/bind/named.conf.options

    ...
    options {
            directory "/var/cache/bind";

            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.

            forward only;
            forwarders {
                    // upstream resolver addresses (not shown on the page)
            };
            allow-query { any; };

            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://
            //========================================================================
            dnssec-validation auto;

            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
    ...

This alone is not enough: what we need is TCP DNS forwarding (a proxy), but testing showed that BIND prefers UDP for its recursive queries. After searching Google, reading the official documentation and reading the source code, I found that changing this through configuration is not feasible.

So there was no other way than to change the source code. Fortunately, for a recent embedded-systems course experiment I had tried porting Nginx to the ARM platform, so I was mentally prepared for hacking on code.

After several hours of hard work going through several of the important .c files, I finally identified the function BIND9 (BIND-9.10.0-P1 was chosen) uses to issue queries: fctx_query, at line 1403 of lib/dns/resolver.c. Lines 1446 to 1451 of that file are excerpted below:

    query->mctx = fctx->mctx;
    query->options = options;
    query->attributes = 0;
    query->sends = 0;
    query->connects = 0;
    query->dscp = addrinfo->dscp;

In the line query->options = options;, the options bitmask is where the flag DNS_FETCHOPT_TCP, which requests a TCP connection, is stored by bitwise operations. What we need to do is change that line to:

    query->options = options | DNS_FETCHOPT_TCP;

This forces BIND to use TCP for recursive queries. After compiling, overwrite the binary files and you are done; I will not repeat the details here. The effect is as follows:

As can be seen, packets 1 and 36 are the client's queries to the BIND server over UDP; all the other packets are BIND's own queries, and they are TCP (shown in a different colour).
