This script helps you counter DNS spoofing in China. Currently the GFW returns two wrong DNS packets ahead of the correct one for a blocked domain, and they don't share the same TTL in the IP header as the genuine reply, which lets us drop them based on this feature. This can also solve the problem when querying DNS via TCP (you will drop the RST from the GFW, but it looks like the…
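#!/bin/sh
# Anti DNS spoofing helper for China (GFW). Written in POSIX sh so it also
# runs on routers whose /bin/sh is ash or dash.
#
# The GFW answers a query for a blocked domain with two forged DNS packets
# ahead of the genuine reply. The forged packets carry a different IP-header
# TTL than packets from the real server, so this script measures the real
# server's TTL with ping and installs iptables rules that DROP every packet
# from that server whose TTL differs from the measured value.
#
# This also helps when querying DNS over TCP: the forged RST from the GFW is
# dropped here, but the remote DNS server most likely receives its copy of
# the RST too, so roughly 50% of TCP queries may still be blocked.
#
# Usage: $0 DNS_SERVER
# Needs root (or the capability to run iptables). Rules are removed on exit.
dns=$1          # DNS server whose genuine TTL is tracked (IP address or hostname)
sleep_time=30   # seconds between TTL re-checks
ttl=0           # TTL currently enforced by the installed rules; 0 = no rule yet
if [ -z "$dns" ]; then
  # Usage errors go to stderr and exit non-zero (the original exited 0).
  printf 'Usage: %s DNS_SERVER\n' "$0" >&2
  exit 2
fi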
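#######################################
# Insert or delete the DROP rules for packets from $dns whose IP-header TTL
# is not the genuine one.
# Globals:   dns (read)
# Arguments: $1 - iptables action letter: I (insert) or D (delete)
#            $2 - TTL of genuine packets from $dns
# Outputs:   one progress line on stdout when iptables is invoked
# Returns:   0 when there is nothing to do, 1 when $2 is empty, otherwise the
#            status of the last iptables call
#######################################
ttl_action() {
  # ttl 0 (initial value) or an empty ttl means no rule was ever installed,
  # so a delete is a no-op.
  if [ "$1" = "D" ] && { [ -z "$2" ] || [ "$2" = "0" ]; }; then
    return 0
  fi
  # Never hand iptables an empty --ttl-eq value: the command line would be
  # malformed and the rule set left in an unknown state.
  if [ -z "$2" ]; then
    printf 'ttl_action: refusing to %s a rule with an empty ttl\n' "$1" >&2
    return 1
  fi
  printf 'iptable action: %s, ttl: %s\n' "$1" "$2"
  iptables "-$1" INPUT -s "$dns" -m ttl ! --ttl-eq "$2" -j DROP
  # The mangle/PREROUTING rule also covers forwarded traffic (router use).
  iptables -t mangle "-$1" PREROUTING -s "$dns" -m ttl ! --ttl-eq "$2" -j DROP
}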
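#######################################
# EXIT trap: remove the rules installed for the current $ttl. ttl_action
# treats ttl 0 as "nothing installed", so this is a no-op when no rule was
# ever inserted.
# Globals:   ttl (read), dns (read via ttl_action)
#######################################
cleanup() {
  echo cleanup..
  ttl_action D "$ttl"
}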
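#######################################
# INT trap (Ctrl-C): leave the main loop. Exiting fires the EXIT trap, which
# runs cleanup. Exit status 130 is the conventional status for SIGINT rather
# than whatever the interrupted command happened to return.
#######################################
interrupt() {
  exit 130
}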
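trap interrupt INT
trap cleanup EXIT
# Main loop: re-measure the TTL of genuine packets from $dns every
# $sleep_time seconds and re-install the DROP rules whenever it changes.
while true; do
  # A ping reply looks like "... ttl=57 time=..."; keep only the number.
  # \d is not a portable sed -E escape, so use an explicit digit class.
  new_ttl=$(ping -c 1 "$dns" | grep 'ttl=' | sed -E 's/.*ttl=([0-9]+).*/\1/')
  if [ -z "$new_ttl" ]; then
    # No reply (host down, ping failed): keep the current rules instead of
    # feeding iptables an empty TTL.
    printf 'no ping reply from %s, keeping ttl %s\n' "$dns" "$ttl" >&2
  elif [ "$ttl" != "$new_ttl" ]; then
    echo update iptables
    # Delete the old rules before inserting the new ones so that an exit in
    # between leaves nothing behind for cleanup to miss.
    ttl_action D "$ttl"
    ttl=$new_ttl
    ttl_action I "$ttl"
  else
    echo ttl has no update
  fi
  sleep "$sleep_time"
done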