
DNS Configuration

Jason Lyu edited this page Feb 20, 2024 · 5 revisions

Set Up DNS

Currently, this tun2socks project is designed to perform a simple task:

TCP/UDP packets  <---(L3)--->  [TUN Device <-> User-space TCP/IP stack]  <---(L4)--->  [Proxy Server]

It accepts incoming TCP/UDP packets through a TUN interface and proxies them through a proxy server.

The point is that tun2socks is not designed to do DNS resolution, so users are responsible for setting up or configuring their own DNS servers.

To set up DNS in Linux, see:

To set up DNS in macOS, see:

To set up DNS in Windows, see:

For example, on Windows, to set the DNS server address of a specified network interface to `8.8.8.8`, run:

netsh interface ipv4 set dns name="<Network Adapter>" static 8.8.8.8

Hijack DNS

Some applications or programs do not follow the system's DNS settings: for example, they may have hardcoded a specific DNS server address into the program and bypass the system's name resolution flow. In this case, DNS hijacking can be used to solve this kind of problem.

Please note that this method applies only to UDP-based DNS resolution; some TCP-based or DNS-over-HTTPS (DoH) resolution can never be hijacked this way due to its security protections.

Linux

Use iptables to redirect all DNS queries to 8.8.8.8:

# Rewrite the destination of every UDP/53 packet to 8.8.8.8, then masquerade it on its way out of eth3
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE

Or, to redirect only Cloudflare DNS queries (1.1.1.1 and 1.0.0.1) to 8.8.8.8:

# Only UDP/53 packets addressed to the Cloudflare resolvers are rewritten; everything else is untouched
iptables -t nat -A PREROUTING -p udp -d 1.1.1.1,1.0.0.1 --dport 53 -j DNAT --to 8.8.8.8:53
iptables -t nat -A POSTROUTING -p udp -d 8.8.8.8 --dport 53 -o eth3 -j MASQUERADE
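To check what a ruleset like the one above actually does before relying on it, here is an added example (not part of tun2socks or this page) that audits an `iptables-save -t nat` dump: it lists the port-53 DNAT rules, reports whether only UDP is covered, and flags DNAT targets that have no matching POSTROUTING MASQUERADE/SNAT rule. The sample dump is constructed to mirror the Cloudflare rules above; `audit_dns_redirects` and `SAMPLE_NAT_TABLE` are names chosen here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iptables-save -t nat` output (not captured from a real
# host); it mirrors the rules on this page that redirect Cloudflare DNS to 8.8.8.8.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8:53
-A PREROUTING -d 1.0.0.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8:53
-A POSTROUTING -d 8.8.8.8/32 -o eth3 -p udp -m udp --dport 53 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*)$")

def _opt(rest: str, flag: str) -> Optional[str]:
    """Return the value that follows `flag` in a rule body, or None if absent."""
    m = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", rest)
    return m.group(1) if m else None

def audit_dns_redirects(nat_table: str) -> Dict[str, object]:
    """Summarise port-53 redirection in an iptables-save nat dump.

    Reports each DNAT rule, whether only UDP is covered (TCP/53 passes
    through untouched) and which DNAT targets lack a POSTROUTING
    MASQUERADE/SNAT rule for the return path.
    """
    redirects: List[dict] = []
    masq_targets = set()
    for line in nat_table.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or _opt(m["rest"], "--dport") != "53":
            continue  # not a rule line, or not DNS traffic
        chain, rest = m["chain"], m["rest"]
        target = _opt(rest, "-j")
        if chain == "PREROUTING" and target == "DNAT":
            redirects.append({"proto": _opt(rest, "-p"),
                              "match": _opt(rest, "-d") or "any",
                              "to": _opt(rest, "--to-destination")})
        elif chain == "POSTROUTING" and target in ("MASQUERADE", "SNAT"):
            masq_targets.add((_opt(rest, "-d") or "any").split("/")[0])
    dnat_hosts = {(r["to"] or "").split(":")[0] for r in redirects}
    return {
        "redirects": redirects,
        "udp_only": {r["proto"] for r in redirects} == {"udp"},
        "missing_masquerade": sorted(dnat_hosts - masq_targets),
    }
```

Feed it the real output of `iptables-save -t nat` from the host running tun2socks to confirm the redirect and its reply-path rule are both in place.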

Windows and macOS

Since the above two systems do not have iproute2 support, DNS hijacking is relatively complicated on them. On macOS, Packet Filter (pf) could be used as an alternative, but I have not tested it yet.

Therefore, it is recommended to use MITM-based or customized proxy servers to implement DNS hijacking on the proxy server side.

The V2Ray project can easily be adapted for this purpose; see this discussion: v2fly/v2ray-core#2441
