Comments (26)
+1 on this.
from dnsmasq-china-list.
That's why I thought 114DNS didn't support eDNS. It turns out that it's done a worse job than merely not supporting it.
But what can I take as a proof that a DNS server supports this correctly?
@lilydjwg I can conclude it supports eDNS in a wrong way because it gives me two answers when I dig and specify the same client-subnet IP locally and remotely.
Somehow it's a bit more difficult to prove one's correctness. I've also done more testing by controlling variables to give a more convincing proof together with @phoenixlzx :).
We use different ISPs' IPs, e.g. China Telecom, China Unicom and BGP, as the specified +client= (use +subnet= if you are using dig >= 9.10) IP when testing with dig. @phoenixlzx provided a hostname that would resolve separately according to the request's ISP. Sometimes some DNS that supports eDNS gives inaccurate answers as a result of outdated IP databases, but it's okay.
@legendtang I see.
I tried some DNS servers with +subnet=. Some of them don't have ; CLIENT-SUBNET: before ;; QUESTION SECTION:, some of them even don't have the EDNS section. Does that mean that they don't support CLIENT-SUBNET or EDNS?
@lilydjwg Exactly.
@legendtang it's amazing that only Google supports it....
I don't have an ECS-enabled dig on hand, but AliDNS is still too slow as far as I have tested for the past few months. Are CNNIC, Baidu, or DNSPod capable of this?
@lilydjwg I think AliDNS sometimes supports this kind of technology. Sometimes it returns answers without an EDNS header, though the answer is right according to my test. You can do some testing later.
@felixonmars Unfortunately, CNNIC, Baidu, or DNSPod are not available for EDNS. Why do you think AliDNS is slow? Mine is fine.
$ time dig +tcp @223.5.5.5 www.baidu.com > /dev/null
real 0m4.954s
user 0m0.003s
sys 0m0.003s
$ time dig +tcp @223.5.5.5 www.qq.com > /dev/null
real 0m7.328s
user 0m0.007s
sys 0m0.003s
$ time dig +tcp @223.5.5.5 www.10010.com > /dev/null
real 0m7.105s
user 0m0.003s
sys 0m0.007s
compared with
$ time dig +tcp @114.114.114.114 www.baidu.com > /dev/null
real 0m0.082s
user 0m0.003s
sys 0m0.007s
$ time dig +tcp @114.114.114.114 www.qq.com > /dev/null
real 0m0.073s
user 0m0.007s
sys 0m0.003s
$ time dig +tcp @114.114.114.114 www.10010.com > /dev/null
real 0m0.073s
user 0m0.003s
sys 0m0.003s
My ISP pollutes all UDP DNS queries, so I have to use TCP. But even with UDP, two of my servers in Beijing have the same slow response problem with AliDNS. The response time varies from 0.1s to 30s, and introduces too much wait (Looking up...) for everyday use.
@felixonmars I've done those tests on my server (Canton) and locally (Wuhan). On the contrary, 114DNS responds 2 or 3 times more slowly than AliDNS, though if proceeding with TCP queries AliDNS seems to be a little slower.
More investigation needed.
:/ That's really unfortunate. 20ms or 120ms doesn't make too much difference to me, but 5s on average is too much...
UPDATED 16.04.30
Status of edns-client-subnet in China
Table: DNS providers that support edns headers in China

DNS Provider | 114DNS | DNSPod | AliDNS | Google Public DNS
---|---|---|---|---
IPv4-prefix support | /24 ~ /32 | /24 ~ /32 | /32 | /24 ~ /32
Whether to respond based on client subnet | No | Only for /32 and not accurate enough | Yes | Yes
Dilemma :/
You can still use the dnsmasq-update-china-list ali, or make SERVER=223.5.5.5 dnsmasq if you like :P
@legendtang @felixonmars It seems that DNSPod+ now supports edns-client-subnet (119.29.29.29, 182.254.116.116), but the judgement on an IP's location is less accurate than AliDNS.
@BROBIRD As is stated above, DNSPod+ does support the header and supports /32 only, but according to my research it even fails to judge China Telecom and China Unicom.
I haven't found a case that gives even one accurate result. You may post yours.
@lilydjwg because Google invented it and Google is the one who actively pushes this technique to the IETF to standardize it.
Google created the problem (public resolvers mess up DNS latency) and then created a solution for it (EDNS client subnet).
@legendtang "114DNS does support CLIENT-SUBNET header. However, it only returns with answers judged by requestor's IP rather than specified CLIENT-SUBNET IP. This would give bad routes from internal CDNs, "
I believe Google Public DNS does the same thing, at least 1.5 years ago. They have reasons not to forward ECS (EDNS Client Subnet) queries for clients (I noticed in your table you said they support it as of Apr 30th; I am actually surprised by that). I would expect they just put the requestor's IP (instead of the IP provided in the ECS field from that requestor) in the edns-client-subnet field and send that to the authoritative DNS servers of the requested domain.
Can you elaborate on "This would give bad routes from internal CDNs"? Or why do you want to ask public DNS resolvers to give you the answer that is not for your own (requestor) IP but a third IP?
In the standard case, public DNS resolvers will send the ECS query with the client IP to the authoritative name server of the requested domain, and it's up to that authoritative name server to provide the best IP for the client. So the logic is actually at the authoritative name server end, not the public resolver. An example would be the 115.com case: if 115.com's authoritative name server doesn't support ECS, then no matter whether the public resolvers support it or not, the answer won't be optimized. I believe at least for Google Public DNS, it needs the authoritative name server of each individual domain to also support ECS, otherwise it doesn't work. (Maybe things are different in China, correct me if I am wrong.)
So if you believe 115.com's authoritative name server supports ECS, then you can try sending your query directly to their authoritative name server instead of a public resolver like 114 or 8888.
However, there are cases where the authoritative name servers of CDNs only serve ECS from whitelisted IPs. For example, if you are 8.8.8.8 then Akamai will honor the client IP in the ECS query from you. But if you are somebody Akamai doesn't know, it will just ignore the ECS field of your query.
So back to the 115.com in your test. A few things to check:
- Do public resolvers forward your ECS query?
- Does 115.com authoritative name server support ECS?
- If 2 is true and 1 is false, you can directly send the ECS query to 115.com authoritative name servers to see if they honor it.
Can you elaborate on "This would give bad routes from internal CDNs"? Or why do you want to ask public DNS resolvers to give you the answer that is not for your own (requestor) IP but a third IP?
The project dnsmasq-china-list is not just for personal usage. It has enabled the ability to create an unpolluted public DNS server. However, here is the problem. The requestor's public IP varies between different ISPs and areas. By default, one's public DNS server would not forward and send an ECS query unless your DNS solution supports the technique. In that case, your public DNS server would not send an ECS query, but as we know most well-known public resolvers are anycast servers, so your upstream DNS would still give you the best result based on your server IP, probably not the best for the requestor's IP. But one's individual public server cannot be an anycast one, so we need to forward the client IP, which is a third-party IP indeed.
Fortunately, popular open source DNS solutions have implemented the EDNS standard, which lets us profit from ECS query forwarding. Even if the requestor is from anywhere worldwide, one can still get an accurate result from a DNS server that supports EDNS. That's why we need upstream resolvers to give correct ECS query results.
However, there are cases where the authoritative name servers of CDNs only serve ECS from whitelisted IPs. For example, if you are 8.8.8.8 then Akamai will honor the client IP in the ECS query from you. But if you are somebody Akamai doesn't know, it will just ignore the ECS field of your query.
You are right. But our own DNS server is not an authoritative name server. The only thing it has to do is to forward the ECS query and give back the EDNS result. And the whitelist doesn't exist anymore. Google would automatically detect it now.
Here is the answer to your checklist.
1. Do public resolvers forward your ECS query?
Yes, check this part.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 59.172.176.0/32/0
;; QUESTION SECTION:
2. Does 115.com authoritative name server support ECS?
115.com is not a very good example but makes sense. One of its authoritative name servers is ns1.dnsv5.com. Check the CLIENT-SUBNET section.
dig 115.com @ns1.dnsv5.com +subnet=59.172.176.0/32
; <<>> DiG 9.10.3-P4-Ubuntu <<>> 115.com @ns1.dnsv5.com +subnet=59.172.176.0/32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8263
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 59.172.176.0/32/14
;; QUESTION SECTION:
;115.com. IN A
;; ANSWER SECTION:
115.com. 600 IN A 119.147.156.111
115.com. 300 IN A 119.147.156.110
115.com. 300 IN A 119.147.156.109
;; AUTHORITY SECTION:
115.com. 86400 IN NS ns1.dnsv5.com.
115.com. 86400 IN NS ns2.dnsv5.com.
;; Query time: 7 msec
;; SERVER: 183.60.57.192#53(183.60.57.192)
;; WHEN: Sat May 07 14:53:55 CST 2016
;; MSG SIZE rcvd: 150
I think I've made it clear. 114DNS's response just ignores the ECS IP. Google and AliDNS do a good job.
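The check lilydjwg asks about earlier (is there a CLIENT-SUBNET line at all?) and the two echoed values in this reply (59.172.176.0/32/0 from the public resolver, 59.172.176.0/32/14 from ns1.dnsv5.com) differ in the third number, the SCOPE PREFIX-LENGTH, which is what tells you whether the answer was actually computed for the client subnet. The following is an added example, not code from dnsmasq-china-list or any commenter: it encodes and decodes the ECS option on the wire as RFC 7871 defines it and classifies an echoed option by its scope; the only values it assumes are the RFC's layout and the prefixes quoted above.

```python
"""EDNS Client Subnet (RFC 7871, option code 8): encode the option a client
sends, decode what a server echoes, and read SCOPE PREFIX-LENGTH.
Added example for this thread, not dnsmasq-china-list code; 59.172.176.0/32
is the prefix quoted in the dig outputs above."""
import ipaddress
import struct

ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2

def encode_ecs(address, source_prefix, scope_prefix=0):
    """Build one ECS option (code, length, payload) for an OPT RR's RDATA."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    # Address is truncated to the bytes covered by SOURCE PREFIX-LENGTH and
    # bits beyond the prefix are zeroed, as section 6 of the RFC requires.
    nbytes = (source_prefix + 7) // 8
    mask = ((1 << source_prefix) - 1) << (ip.max_prefixlen - source_prefix)
    addr = (int(ip) & mask).to_bytes(ip.max_prefixlen // 8, "big")[:nbytes]
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def decode_ecs(opt_rdata):
    """Walk OPT RDATA; return (address, source, scope) or None if no ECS."""
    i = 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[i:i + 4])
        body = opt_rdata[i + 4:i + 4 + length]
        i += 4 + length
        if code != ECS_OPTION_CODE:
            continue  # e.g. a cookie or padding option; skip it
        family, source, scope = struct.unpack("!HBB", body[:4])
        full = 4 if family == FAMILY_IPV4 else 16
        ip = ipaddress.ip_address(body[4:4 + full].ljust(full, b"\x00"))
        return str(ip), source, scope
    return None

def classify(opt_rdata):
    """Map an echoed option to what dig's 'addr/source/scope' line means."""
    ecs = decode_ecs(opt_rdata)
    if ecs is None:
        return "no-ecs"        # option dropped: no CLIENT-SUBNET line at all
    if ecs[2] == 0:
        return "not-tailored"  # e.g. 59.172.176.0/32/0: answer not subnet-based
    return "tailored"          # e.g. 59.172.176.0/32/14: answer used the subnet

if __name__ == "__main__":
    for rdata in (encode_ecs("59.172.176.0", 32, 0),
                  encode_ecs("59.172.176.0", 32, 14), b""):
        print(decode_ecs(rdata), classify(rdata))
```

A scope of 0 is the RFC's way of saying the answer does not depend on the client subnet, so "header present" alone is not proof that a resolver tailors its answers.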
Thanks for your reply!
So this dnsmasq-china-list will be used as a public resolver? Then the DNS lookup is actually going through two resolvers. Take 115.com and Google as an example, we have:
1. requestor
2. dnsmasq-china-list resolver
3. Google Public DNS
4. 115.com authoritative DNS
Then, the DNS lookup goes 1->2->3->4.
What I don't understand is why not just 1->2->4 or 1->3->4?
@xunfan
1->2->4 requires a large amount of extra effort to maintain the supported domain list and its authoritative DNS IPs. That would be extremely hard for an open source project.
As for 1->3->4, Google DNS's reachability is in bad shape in China, and polluted thus untrusted. Other DNS providers in China are also polluted. If a user uses dnsmasq locally in Linux / Unix, he / she can skip step 2.
@legendtang
oh, so even using Public resolver, the answer can be polluted?
How is it polluted? Is it just bogus NXDomain or other kinds of pollution?
And also who pollutes it? Public DNS servers themselves (they probably can give bogus NXDomain) or requestors' local ISP?
Back to 1->2->3->4, how does 2 help prevent pollution if it gets answer from 3 which can be polluted already?
Thanks!
How is it polluted? Is it just bogus NXDomain or other kinds of pollution?
Some are NXDomain and others are deliberate for some purpose.
And also who pollutes it? Public DNS servers themselves (they probably can give bogus NXDomain) or requestors' local ISP?
The majority mainly involves two kinds of entities: the ISP itself and the authority. The ISP only puts in some NXDomain. But the latter pollutes the domestic egress traffic so that any queries on selected domains will return a fake result.
Back to 1->2->3->4, how does 2 help prevent pollution if it gets answer from 3 which can be polluted already?
In step 2, only domains listed in this project are processed with internal DNS such as 114DNS, DNSPod+, etc. For other domains, we use unpolluted upstream resolvers or some other secured query method.
OK, so the best use case is when 2 is deployed outside of mainland China. Then, when 1 is inside mainland China, 1 can get unpolluted DNS records for foreign websites; and if 1 is outside of mainland China, 1 can get better DNS records for Chinese websites listed in this project.
If 2 is deployed in mainland China, then the benefit is just filtering out bogus NXDomain? Thanks!
@xunfan No, 2 forwards to two different kinds of resolvers, one for listed domains and the other for the rest. The benefits can be ensured. Deploying 2 abroad is not recommended since we need the DNS to maintain high availability. Any route to somewhere abroad could be interfered with.
OK, I am confused again... I kind of figured out that there is another resolver in addition to 1, 2, 3, 4, as you mentioned you only use 3 for listed domains. Let's say there is
5. unpolluted upstream resolver (or secured query method)
So what is this 5 when both 1 and 2 are domestic? I used to think it's just the local DNS resolver from the ISP of 2, but apparently not. Are there any domestic resolvers that are unpolluted?
Also what is the secured query method? DNSSEC, DNS over HTTPS or some other ones?
@xunfan Indeed, this is the complete structure:
1->2->3->4
->5-/
Apparently 5 is not domestic but through anycast so that we can tolerate the query speed. Using a non-standard port for DNS queries is fine; you can also try DNSCrypt, as most domestic public resolvers don't support DNSSEC for now, and won't support it I think.