@winguse
Last active April 1, 2018 13:44
This is a script that helps you defeat DNS spoofing in China. Currently the GFW returns two forged DNS packets ahead of the correct one for a blocked domain, and they do not share the IP-header TTL of the genuine reply, so we can drop them based on that feature. This also addresses the problem when querying DNS via TCP (you will drop the RST from the GFW but it looks like the…
#!/bin/sh
# This is a script that helps you defeat DNS spoofing in China.
# Currently the GFW returns two forged DNS packets ahead of the correct one for a blocked domain.
# The forged packets do not share the IP-header TTL of the genuine reply, so we can drop them based on that.
# This also helps when querying DNS over TCP:
# you will drop the RST from the GFW, but the remote DNS server seems to receive the RST as well,
# so there is still a 50% chance of being blocked.
dns=$1
sleep_time=30   # seconds between TTL re-checks
ttl=0           # TTL currently enforced by the iptables rules (0 = nothing installed yet)
if [ "$dns" = "" ]; then
    echo "Usage: $0 DNS_SERVER"
    exit 1
fi
# ttl_action ACTION TTL: ACTION is I (insert rule) or D (delete rule).
# The rule drops every packet from the DNS server whose IP TTL differs from TTL.
ttl_action() {
    if [ "$1" = "D" ]; then
        if [ "$2" = "0" ]; then
            return 0   # no rule installed yet, nothing to delete
        fi
    fi
    echo "iptables action: $1, ttl: $2"
    iptables -"$1" INPUT -s "$dns" -m ttl ! --ttl-eq "$2" -j DROP
    iptables -t mangle -"$1" PREROUTING -s "$dns" -m ttl ! --ttl-eq "$2" -j DROP # this works for router
}
cleanup() {
    echo cleanup..
    ttl_action D "$ttl"
}
interrupt() {
    exit
}
trap interrupt INT
trap cleanup EXIT
while true; do
    # Measure the TTL of replies from the DNS server; empty when ping gets no reply.
    new_ttl=$(ping -c 1 "$dns" | sed -n -E 's/.*ttl=([0-9]+).*/\1/p')
    if [ "$new_ttl" = "" ]; then
        echo "no ping reply, keeping current rules"
    elif [ "$ttl" != "$new_ttl" ]; then
        echo update iptables
        ttl_action D "$ttl"
        ttl=$new_ttl
        ttl_action I "$ttl"
    else
        echo ttl has no update
    fi
    sleep "$sleep_time"
done
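The following is an added example, not part of the gist: it reproduces the filter decision the script delegates to iptables in plain shell, so the TTL-matching logic can be exercised offline against a constructed packet summary. The DNS server address, the TTL values and the one-line packet format are made up for the example (they are not tcpdump output), and `extract_ttl`, `filter_by_ttl` and `count_dropped` are names chosen here.

```shell
#!/bin/sh
# Added example: software model of the gist's TTL filter, for checking the logic
# without touching iptables. Addresses, TTLs and packet lines are constructed.

DNS_SERVER="203.0.113.53"   # constructed documentation address, not a real resolver

# Parse the TTL from a Linux ping reply line such as
#   "64 bytes from 203.0.113.53: icmp_seq=1 ttl=57 time=12.3 ms"
# Prints nothing when the line carries no ttl= field (e.g. a timeout line).
extract_ttl() {
    printf '%s\n' "$1" | sed -n -E 's/.*ttl=([0-9]+).*/\1/p'
}

# Constructed packet summary, one packet per line: "src ttl=N id=N record".
# Two forged replies (TTL 64) arrive ahead of the genuine one (TTL 57),
# and one unrelated packet from another host is included as a control.
SAMPLE_PACKETS='203.0.113.53 ttl=64 id=1 A example.invalid
203.0.113.53 ttl=64 id=1 A example.invalid
203.0.113.53 ttl=57 id=1 A example.invalid
198.51.100.7 ttl=64 id=2 A other.invalid'

# Apply the rule "-s DNS_SERVER -m ttl ! --ttl-eq EXPECTED -j DROP" in software:
# packets from the DNS server whose TTL differs from EXPECTED are marked DROP,
# everything else (including traffic from other hosts) is marked ACCEPT.
# Usage: filter_by_ttl EXPECTED_TTL   (reads packet summaries on stdin)
filter_by_ttl() {
    awk -v want="$1" -v src="$DNS_SERVER" '
        $1 == src {
            split($2, kv, "=")             # kv[2] is the TTL value
            if (kv[2] == want) { print "ACCEPT " $0 } else { print "DROP   " $0 }
            next
        }
        { print "ACCEPT " $0 }             # rule only matches the DNS server
    '
}

# Count how many packets of the constructed sample the rule would drop
# when the measured TTL of the server is the given value.
count_dropped() {
    printf '%s\n' "$SAMPLE_PACKETS" | filter_by_ttl "$1" | grep -c '^DROP'
}

# Walk-through: measure TTL from a ping line, then filter the sample with it.
measured=$(extract_ttl '64 bytes from 203.0.113.53: icmp_seq=1 ttl=57 time=12.3 ms')
printf '%s\n' "$SAMPLE_PACKETS" | filter_by_ttl "$measured"
```

With the measured TTL of 57, the two forged replies are marked DROP and the genuine reply and the unrelated packet pass, which is exactly the effect of the script's `! --ttl-eq` rule. The example also shows why the script needs a guard for an empty measurement: `extract_ttl` returns nothing for a timeout line, and installing a rule with an empty TTL would fail.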