
DNS Self Healing Setup Guide

With DNS self-healing, connect to the White Internet (اینترنت_سفید)!

The main pillar of filtering is DNS. By healing DNS you can connect directly to all IPs. Because of the tiered system, many IPs are not filtered.

Most sites opened with an Iranian IP!

https://x.com/SarinaNeverDies/status/2008955301006070004

https://x.com/SarinaNeverDies/status/2009149111338156244

All DNS server IPs have been poisoned.

All DoH servers have been filtered.

Disruption of the UDP protocol makes the DNS system fail or become extremely slow.

The IPs behind the DNS names are not filtered.

Build a DoH server on port 443,

or build an external-internal DoH chain.

Example of the problem

I want to explain this in simple terms.

This is the mahsanet domain:

ping mahsanet.com

PING mahsanet.com (10.10.34.35) 56(84) bytes of data.

When you ping it, it points somewhere else (a poisoned answer).

Now let's ask DoH instead: we send an encrypted HTTP request and ask what the IP of this domain is.

./find.sh mahsanet.com
Processing: mahsanet.com...
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0[proxychains] Strict chain  ...  127.0.0.1:2080  ...  cloudflare-dns.com:443  ...  OK
100   186  100   186    0     0    456      0 --:--:-- --:--:-- --:--:--   457
Success: mahsanet.com is now mapped to 76.76.21.21 in dnsmasq

ping mahsanet.com
PING mahsanet.com (76.76.21.21) 56(84) bytes of data.
64 bytes from 76.76.21.21 (76.76.21.21): icmp_seq=1 ttl=239 time=77.4 ms
64 bytes from 76.76.21.21 (76.76.21.21): icmp_seq=2 ttl=239 time=79.4 ms
64 bytes from 76.76.21.21 (76.76.21.21): icmp_seq=3 ttl=239 time=68.4 ms
64 bytes from 76.76.21.21 (76.76.21.21): icmp_seq=4 ttl=239 time=77.9 ms
64 bytes from 76.76.21.21 (76.76.21.21): icmp_seq=5 ttl=239 time=66.9 ms

Now the ping resolves to the right address.

How to install dnsmasq on Ubuntu

sudo apt update
sudo apt install dnsmasq
sudo apt-get install vim

SSH configuration

sudo vim /etc/ssh/sshd_config
# add or set this line: sshd then skips reverse lookups of connecting clients,
# which would otherwise hang logins while DNS is broken
UseDNS no
sudo systemctl restart ssh

resolv.conf configuration

sudo vim /etc/resolv.conf

nameserver 127.0.0.1
options edns0 trust-ad
search .

DNSmasq configuration

sudo vim /etc/dnsmasq.conf


# 1. Interfaces: listen on loopback and the physical interface
interface=lo
interface=eth0
# local-service only answers hosts on subnets directly attached to this machine.
# If remote clients query YOUR_SERVER_IP:53 over the internet (as the v2ray config
# below does), this line refuses them: remove it and restrict port 53 in the firewall instead.
local-service

# 2. Security & Leak Prevention
# Prevent ISP DNS from leaking in through /etc/resolv.conf
no-resolv
# Force dnsmasq to follow your rule order (vital for proxying)
strict-order

# 3. Performance
cache-size=5000
no-negcache
# Pass through the upstream's DNSSEC result (AD bit); with this option dnsmasq
# does not validate anything itself (that would need dnssec + trust-anchor)
proxy-dnssec

# 4. LAN & Domain logic
expand-hosts
domain=lan
no-hosts

# 5. Logging (the log-scanning repair script below reads this file, so keep it on)
log-queries
log-facility=/var/log/dnsmasq.log

# --- EXTERNAL CONFIGS ---
conf-dir=/etc/dnsmasq.d/,*.conf


## Restart dnsmasq and systemd-resolved

```bash
sudo systemctl restart systemd-resolved
sudo systemctl restart dnsmasq
```

Create the Split-DNS File

sudo vim /etc/dnsmasq.d/99-split-dns.conf


# --- STRATEGY A: High Security (Proxy via Cloudflared/Nekobox) ---
# Use this for blocked or restricted services
server=/youtube.com/127.0.0.1#5053
server=/googlevideo.com/127.0.0.1#5053
server=/ytimg.com/127.0.0.1#5053
server=/ggpht.com/127.0.0.1#5053
server=/gstatic.com/127.0.0.1#5053
server=/googleapis.com/127.0.0.1#5053
server=/instagram.com/1.0.0.1
server=/instagram.com/1.1.1.1
server=/static.cdninstagram.com/1.1.1.1
server=/scontent.cdninstagram.com/1.0.0.1

# --- STRATEGY B: Content Unblocking (Shecan/403.online) ---
# Use this for developer tools that block your IP (Docker/Copilot)
server=/shecan.ir/178.22.122.100
server=/docker.com/178.22.122.100
server=/githubcopilot.com/178.22.122.100
server=/notebooklm.google.com/178.22.122.100
server=/gemini.google.com/178.22.122.100

# --- STRATEGY C: Regional/Local (Direct) ---
# Use standard Google DNS for local .ir domains to ensure speed
server=/ir/8.8.8.8
server=/ir/8.8.4.4

# --- STRATEGY D: Global Fallback ---
# If no rule matches, try these in order
server=1.1.1.1
server=8.8.8.8

Disable systemd-resolved to avoid conflicts

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart dnsmasq

UFW Firewall configuration

# Allow SSH and DNS over TCP (clients use tcp://YOUR_SERVER_IP:53 because UDP is disrupted;
# add "sudo ufw allow 53/udp" only if you also want UDP queries).
# Port 53 is opened to Anywhere here; if the clients are known, prefer
# "sudo ufw allow from <client-ip> to any port 53 proto tcp" so the host is not an open resolver.
sudo ufw allow 22/tcp
sudo ufw allow 53/tcp
sudo ufw enable
sudo ufw reload
sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
53/tcp                     ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             

find.sh

#!/bin/bash
# find.sh: resolve one domain through DoH (via proxychains) and pin the answer in dnsmasq.
# Requires curl, jq and proxychains (cloudflare-dns.com is reached through the proxy).

# 1. Use the first argument as the domain
DOMAIN=$1
CONF_FILE="/etc/dnsmasq.d/dynamic_redirects.conf"

# Check if a domain was actually provided
if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 domain.com"
    exit 1
fi

echo "Processing: $DOMAIN..."

# 2. Fetch the real IP via DoH (using your proxychains setup)
RESPONSE=$(proxychains curl -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=$DOMAIN&type=A")

# 3. Extract the IP address (first A record, type 1; "[]?" keeps jq quiet when Answer is absent)
REAL_IP=$(echo "$RESPONSE" | jq -r '.Answer[]? | select(.type==1) | .data' | head -n 1)

if [ -z "$REAL_IP" ] || [ "$REAL_IP" == "null" ]; then
    echo "Error: Could not fetch IP for $DOMAIN"
    exit 1
fi

# 4. Update or Add the entry in dnsmasq config
# If domain exists, update it. If not, append it. (-s: no error if the file does not exist yet)
if grep -qs "address=/$DOMAIN/" "$CONF_FILE"; then
    sudo sed -i "s|address=/$DOMAIN/.*|address=/$DOMAIN/$REAL_IP|" "$CONF_FILE"
else
    echo "address=/$DOMAIN/$REAL_IP" | sudo tee -a "$CONF_FILE" > /dev/null
fi

# 5. Restart dnsmasq
# A full restart is required: a SIGHUP (systemctl reload) only re-reads hosts files,
# not address= lines in conf-dir files
sudo systemctl restart dnsmasq

echo "Success: $DOMAIN is now mapped to $REAL_IP in dnsmasq"

dynamic_redirects

To run DoH you need a VPN or proxy (for example proxychains) installed on your server, because cloudflare-dns.com is blocked in some countries.

sudo touch /etc/dnsmasq.d/dynamic_redirects.conf

The following script scans the dnsmasq query log for names that were answered with the poison IP and repairs each of them via DoH, the same way find.sh does for a single domain:

#!/bin/bash

# Configuration
LOG_FILE="/var/log/dnsmasq.log"
CONF_FILE="/etc/dnsmasq.d/dynamic_redirects.conf"
TARGET_IP="10.10.34.35" # the poisoned answer; alternative value seen: 10.10.34.36

# 1. Extract unique domains that resolved to the target IP from the log
# Lines look like "Jan 12 10:00:01 dnsmasq[812]: reply example.com is 10.10.34.35",
# so the name is field 6; the trailing $ anchors the match to the whole address
DOMAINS=$(sudo grep " is $TARGET_IP$" "$LOG_FILE" | awk '{print $6}' | sort -u)

if [ -z "$DOMAINS" ]; then
    echo "No domains found resolving to $TARGET_IP in logs."
    exit 0
fi

echo "Found domains to fix: "
echo "$DOMAINS"
echo "------------------------------"

# 2. Clear the dynamic config file or prepare it
# > "$CONF_FILE" # Uncomment if you want to wipe the file and start fresh each time

for DOMAIN in $DOMAINS; do
    echo -n "Fetching real IP for $DOMAIN... "

    # 3. Fetch real IP via DoH (using proxychains as per your setup)
    RESPONSE=$(proxychains curl -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=$DOMAIN&type=A")

    # 4. Extract IP (first A record; "[]?" keeps jq quiet when Answer is absent)
    REAL_IP=$(echo "$RESPONSE" | jq -r '.Answer[]? | select(.type==1) | .data' | head -n 1)

    if [ -n "$REAL_IP" ] && [ "$REAL_IP" != "null" ]; then
        # 5. Update the dnsmasq config
        # Remove old entry if it exists and append the new one
        sudo sed -i "/address=\/$DOMAIN\//d" "$CONF_FILE" 2>/dev/null
        echo "address=/$DOMAIN/$REAL_IP" | sudo tee -a "$CONF_FILE" > /dev/null
        echo "DONE ($REAL_IP)"
    else
        echo "FAILED (No record found)"
    fi
done

# 6. Restart dnsmasq (a SIGHUP reload would not pick up the new address= lines)
sudo systemctl restart dnsmasq
echo "------------------------------"
echo "Dnsmasq restarted with real IP addresses."
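As an added example (not the page's own code), the same repair logic as find.sh and the log-scanning script above, in Python and slightly generalized: it scans constructed dnsmasq log lines for answers pointing at the poison IPs, takes the first A record from a constructed Cloudflare DNS-JSON reply (refusing a reply that is itself a poison IP), and updates or appends the address=/domain/ip pin. The DoH fetch over proxychains is replaced by the canned reply so it runs offline.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Set
# Poison answers: the page's scripts use 10.10.34.35 and mention 10.10.34.36.
POISON_IPS: Set[str] = {"10.10.34.35", "10.10.34.36"}
# With log-queries, dnsmasq logs "... dnsmasq[pid]: reply NAME is IP" (or "cached NAME is IP").
LOG_RE = re.compile(r"dnsmasq\[\d+\]: (?:reply|cached) (\S+) is (\d{1,3}(?:\.\d{1,3}){3})$")

def poisoned_domains(log_lines: Iterable[str], poison_ips: Set[str] = POISON_IPS) -> List[str]:
    """Unique names whose logged answer is a poison IP, in first-seen order."""
    found: Dict[str, None] = {}
    for line in log_lines:
        m = LOG_RE.search(line.rstrip())
        if m and m.group(2) in poison_ips:
            found.setdefault(m.group(1), None)
    return list(found)

def real_ip_from_doh(doh_json: str, poison_ips: Set[str] = POISON_IPS) -> Optional[str]:
    """First A record (type 1) of a DNS-JSON reply; skips CNAMEs and refuses a poison IP."""
    for rr in json.loads(doh_json).get("Answer") or []:
        if rr.get("type") == 1 and rr.get("data") not in poison_ips:
            return rr["data"]
    return None

def upsert_address(conf_text: str, domain: str, ip: str) -> str:
    """Rewrite an existing address=/domain/ line or append one (dnsmasq conf-dir syntax)."""
    prefix, lines = f"address=/{domain}/", conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            lines[i] = prefix + ip
            break
    else:
        lines.append(prefix + ip)
    return "\n".join(lines) + "\n"

# Constructed sample log and DNS-JSON reply (the real IP is the one from the page's example).
SAMPLE_LOG = """Jan 12 10:00:01 dnsmasq[812]: query[A] mahsanet.com from 127.0.0.1
Jan 12 10:00:01 dnsmasq[812]: reply mahsanet.com is 10.10.34.35
Jan 12 10:00:02 dnsmasq[812]: reply example.org is 203.0.113.10
Jan 12 10:00:03 dnsmasq[812]: cached mahsanet.com is 10.10.34.35
Jan 12 10:00:04 dnsmasq[812]: reply blocked.example is 10.10.34.36"""
SAMPLE_DOH = ('{"Status":0,"Question":[{"name":"mahsanet.com","type":1}],"Answer":['
              '{"name":"mahsanet.com","type":5,"TTL":300,"data":"edge.example."},'
              '{"name":"edge.example","type":1,"TTL":300,"data":"76.76.21.21"}]}')

if __name__ == "__main__":  # demo: print an address= pin for every poisoned name in the sample
    ip = real_ip_from_doh(SAMPLE_DOH)  # one canned reply stands in for the curl call
    for name in poisoned_domains(SAMPLE_LOG.splitlines()):
        print(upsert_address("", name, ip or "0.0.0.0"), end="")
```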

DoH bridge (cloudflared)

1. Download and install:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

2. Create a manual systemd service: since we only need a DNS proxy (not a web tunnel), we create a custom service that listens on port 5053.

sudo vim /etc/systemd/system/cloudflared-doh.service

Paste the following:

[Unit]
Description=Cloudflare DNS over HTTPS Proxy (via Nekobox)
After=network.target

[Service]
# proxychains is not used here; the proxy is set through environment variables instead
# Nekobox is listening on 127.0.0.1:2080 as an HTTP/SOCKS proxy
Environment="HTTPS_PROXY=http://127.0.0.1:2080"
Environment="HTTP_PROXY=http://127.0.0.1:2080"

# Note: cloudflared is started directly, without the proxychains prefix.
# Check where the .deb installed it with "command -v cloudflared" (commonly /usr/bin/cloudflared) and adjust the path if needed
ExecStart=/usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://8.8.8.8/dns-query

Restart=always
User=root

[Install]
WantedBy=multi-user.target

3. Start the bridge:

sudo systemctl daemon-reload
sudo systemctl enable cloudflared-doh
sudo systemctl start cloudflared-doh

v2ray Config

Replace YOUR_SERVER_IP with the dnsmasq server's address. The socks inbound below listens on 0.0.0.0 without authentication, so bind it to 127.0.0.1 or firewall port 10808 when the host is reachable by others.

{
  "log": {
    "loglevel": "warning",
    "dnsLog": true
  },
  "dns": {
    "tag": "dns-internal",
    "servers": [
      "tcp://YOUR_SERVER_IP:53"
    ]
  },
  "inbounds": [
    {
      "protocol": "socks",
      "tag": "socks-in",
      "port": 10808,
      "listen": "0.0.0.0",
      "settings": { "udp": true },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct",
      "settings": { "domainStrategy": "UseIP" }
    },
    {
      "protocol": "dns",
      "tag": "dns-out"
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["dns-internal"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "port": 53,
        "outboundTag": "dns-out"
      }
    ]
  }
}

Tips

Enable DoH in Chrome's settings for better results.

Important paths

sudo vim /etc/dnsmasq.d/dynamic_redirects.conf
sudo tail -f /var/log/dnsmasq.log
dig googlevideo.com | grep "Query time"
sudo vim /etc/dnsmasq.d/99-split-dns.conf
sudo systemctl restart dnsmasq
sudo vim /etc/dnsmasq.conf