Self-Healing DNS
Note
The self-healing DNS method does not hide your Iranian IP (the destination still sees it), and it is ineffective when the destination IP itself is blocked directly rather than poisoned at the DNS level.
Comprehensive guide to getting past DNS disruption and poisoning (the self-healing system)
If, when pinging Google or Telegram services, you see suspicious IPs such as 10.10.34.35 or 10.10.34.36, your system is facing DNS poisoning: the operator recognises your requests and sends a forged response. This page explains how to set up a Split-DNS system on top of DNS-over-HTTPS (DoH), so that the queries the operator tampers with are no longer sent in the clear.
How to install dnsmasq on Ubuntu
Configure systemd-resolved to use DNS over TLS
sudo gedit /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
FallbackDNS=8.8.8.8
# dnsmasq will bind 127.0.0.1:53; turn off resolved's own stub listener
DNSStubListener=no
Note that DNSOverTLS= protects only the queries systemd-resolved forwards itself. What dnsmasq sends to its own server= upstreams still leaves on plain port 53 and is exactly what the ISP rewrites, which is why the DoH bridge is added further down.
resolv.conf configuration
Point the system resolver at dnsmasq by setting nameserver 127.0.0.1 in /etc/resolv.conf:
sudo gedit /etc/resolv.conf
If resolvconf manages that file, put the same line in the head template so it survives regeneration:
sudo gedit /etc/resolvconf/resolv.conf.d/head
dnsmasq configuration
sudo gedit /etc/dnsmasq.conf
# 1. Network settings: answer only on loopback
listen-address=127.0.0.1
bind-interfaces
# 2. Performance
# Query all upstream servers simultaneously and use the fastest response.
# Caveat: the first reply wins, so for a name the ISP injects, the injected
# reply (which arrives first) is the one served. This is acceptable only
# because the affected domains get their own route in the split rules below.
all-servers
# Increase cache size (up to 10000 is fine for modern systems)
cache-size=2500
# Don't cache negative responses (failed lookups), so they are retried
no-negcache
# 3. Upstream servers (plain port 53: these are the queries the ISP can see)
server=1.1.1.1
server=9.9.9.9
# 4. LAN
# Expand local hostnames (reach devices by name)
expand-hosts
domain=lan
# Optional: ignore the local /etc/hosts file
no-hosts
# Logging: fix_redirects.sh below reads this file, so keep both lines
log-queries
log-facility=/var/log/dnsmasq.log
Restart dnsmasq and systemd-resolved so the new settings take effect.
Create the Split-DNS file (/etc/dnsmasq.d/99-split-dns.conf). A server=/domain/ rule covers the domain and all of its subdomains; an address=/domain/ rule answers locally without asking any upstream.
# Route shecan.ir to its own DNS servers
server=/shecan.ir/178.22.122.100
server=/shecan.ir/185.51.200.2
# Pin filtershekan.sbs to a fixed IP (answered locally, never forwarded)
address=/filtershekan.sbs/172.67.207.134
# Send gemini.google.com to a resolver on a private address (adjust to your own)
server=/gemini.google.com/10.139.177.21
# Forward Google static assets (JS/CSS)
server=/gstatic.com/1.0.0.1
server=/googleapis.com/1.0.0.1
# notebooklm through Shecan
server=/notebooklm.google.com/178.22.122.100
server=/notebooklm.google.com/185.51.200.2
# Route all .ir domains to Google
server=/ir/8.8.8.8
server=/ir/8.8.4.4
List of upstream DNS servers (Iranian sanction-bypass resolvers and public ones); add the ones you trust to dnsmasq.conf as server= lines. These are plain port-53 upstreams, so under all-servers an injected answer from any of them wins.
# Upstream servers
# Shecan
server=185.51.200.2
server=178.22.122.100
# Electro
server=78.157.42.100
server=78.157.42.101
# Pishgaman
server=5.202.100.100
server=5.202.100.101
# NextDNS
server=45.90.28.236
server=45.90.30.236
# Mullvad DNS
server=194.242.2.2
server=194.242.2.3
# begzar
server=185.55.226.26
server=185.55.225.25
Test it
sudo systemctl restart dnsmasq
Query YouTube and watch the log (sudo tail -f /var/log/dnsmasq.log):
dig +short youtube.com
10.10.34.35
Jan 1 18:10:40 dnsmasq[53278]: forwarded youtube.com to 1.1.1.1
Jan 1 18:10:40 dnsmasq[53278]: forwarded youtube.com to 8.8.8.8
Jan 1 18:10:40 dnsmasq[53278]: forwarded youtube.com to 127.0.2.1
Jan 1 18:10:40 dnsmasq[53278]: reply youtube.com is 10.10.34.35
The query was forwarded to several upstreams and the answer that came back is still the injected 10.10.34.35: the ISP rewrites the plaintext reply regardless of which resolver was asked.
Check caching (the second run of each should show a much lower Query time):
dig google.com | grep "Query time"
dig googlevideo.com | grep "Query time"
find.sh: look up one domain over DoH and pin the real IP
A trusted DoH resolver is needed to find the real IP. The script reaches cloudflare-dns.com through proxychains, so the proxy it uses must itself be trusted: whoever runs it sees the query and could answer it. jq parses the JSON reply.
sudo apt update
sudo apt install proxychains4 jq
sudo touch /etc/dnsmasq.d/dynamic_redirects.conf
sudo chmod +x find.sh
./find.sh youtube.com
Processing: youtube.com...
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Success: youtube.com is now mapped to 142.251.35.174 in dnsmasq
cat /etc/dnsmasq.d/dynamic_redirects.conf
find.sh:
#!/bin/bash
# find.sh: look up DOMAIN over DoH (through proxychains) and pin the answer
# in dnsmasq with an address= rule.
DOMAIN=$1
CONF_FILE="/etc/dnsmasq.d/dynamic_redirects.conf"
# 1. A domain must be given, and it must be a plain hostname: the name is
# interpolated into a sed pattern and into the dnsmasq config, so anything
# else (slashes, spaces, ';') is refused.
if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 domain.com"
    exit 1
fi
if ! [[ "$DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]]; then
    echo "Error: '$DOMAIN' is not a valid hostname"
    exit 1
fi
echo "Processing: $DOMAIN..."
# 2. Fetch the real A record via DoH (curl goes through proxychains so the
# query itself cannot be intercepted on the local network path)
RESPONSE=$(proxychains curl -s -H "accept: application/dns-json" \
    "https://cloudflare-dns.com/dns-query?name=$DOMAIN&type=A")
# 3. Extract the first A record (type 1); CNAME records (type 5) are skipped
REAL_IP=$(echo "$RESPONSE" | jq -r '.Answer[]? | select(.type==1) | .data' | head -n 1)
if [ -z "$REAL_IP" ] || [ "$REAL_IP" == "null" ]; then
    echo "Error: Could not fetch IP for $DOMAIN"
    exit 1
fi
# Never pin an ISP-injected address: if the DoH path is being tampered with,
# writing 10.10.34.x here would make the poisoning permanent.
case "$REAL_IP" in
    10.10.34.*) echo "Error: DoH answer for $DOMAIN is the injected IP $REAL_IP"; exit 1 ;;
esac
# 4. Update or add the entry. The same "address=/$DOMAIN/" form is used for the
# lookup and the write; with a leading dot in the written line the lookup never
# matched and a duplicate was appended on every run.
if grep -q "^address=/$DOMAIN/" "$CONF_FILE"; then
    sudo sed -i "s|^address=/$DOMAIN/.*|address=/$DOMAIN/$REAL_IP|" "$CONF_FILE"
else
    echo "address=/$DOMAIN/$REAL_IP" | sudo tee -a "$CONF_FILE" > /dev/null
fi
# 5. Restart dnsmasq: a SIGHUP re-reads /etc/hosts and resolv.conf but not the
# address= rules in the config files, so a restart is required.
sudo systemctl restart dnsmasq
echo "Success: $DOMAIN is now mapped to $REAL_IP in dnsmasq"
fix_redirects.sh: find every domain that resolved to 10.10.34.35 or 10.10.34.36 and pin its real IP
sudo touch /etc/dnsmasq.d/dynamic_redirects.conf
sudo chmod +x fix_redirects.sh
./fix_redirects.sh
cat /etc/dnsmasq.d/dynamic_redirects.conf
fix_redirects.sh:
#!/bin/bash
# fix_redirects.sh: find every domain that dnsmasq logged with an injected
# IP, look each one up over DoH, and pin the real answer in dnsmasq.
# Needs log-queries and log-facility=/var/log/dnsmasq.log in dnsmasq.conf.
LOG_FILE="/var/log/dnsmasq.log"
CONF_FILE="/etc/dnsmasq.d/dynamic_redirects.conf"
# The ISP has been seen injecting both 10.10.34.35 and 10.10.34.36; match
# both, anchored at end of line so that e.g. 110.10.34.35 is not caught.
TARGET_RE=' is 10\.10\.34\.3[56]$'
# 1. Unique domains that resolved to an injected IP. Log lines look like
#    "Jan  1 18:10:40 dnsmasq[53278]: reply youtube.com is 10.10.34.35",
#    so the domain is field 6. Only plain hostnames are accepted, since the
#    name is interpolated into a sed pattern below.
DOMAINS=$(sudo grep -E "$TARGET_RE" "$LOG_FILE" | awk '{print $6}' | grep -E '^[A-Za-z0-9.-]+$' | sort -u)
if [ -z "$DOMAINS" ]; then
    echo "No domains found resolving to an injected IP in logs."
    exit 0
fi
echo "Found domains to fix: "
echo "$DOMAINS"
echo "------------------------------"
# 2. Clear the dynamic config file or prepare it
# > "$CONF_FILE"   # Uncomment to wipe the file and start fresh each time
for DOMAIN in $DOMAINS; do
    echo -n "Fetching real IP for $DOMAIN... "
    # 3. Fetch the real IP via DoH (through proxychains, as in find.sh)
    RESPONSE=$(proxychains curl -s -H "accept: application/dns-json" \
        "https://cloudflare-dns.com/dns-query?name=$DOMAIN&type=A")
    # 4. First A record only; CNAMEs (type 5) are skipped
    REAL_IP=$(echo "$RESPONSE" | jq -r '.Answer[]? | select(.type==1) | .data' | head -n 1)
    if [ -z "$REAL_IP" ] || [ "$REAL_IP" == "null" ]; then
        echo "FAILED (No record found)"
        continue
    fi
    # Refuse to pin an injected address: that would make the poisoning permanent
    case "$REAL_IP" in
        10.10.34.*) echo "FAILED (DoH answer is the injected IP $REAL_IP)"; continue ;;
    esac
    # 5. Remove any old entry for this domain (dots escaped so they are not
    #    regex wildcards), then append the new one
    ESCAPED=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')
    sudo sed -i "/^address=\/$ESCAPED\//d" "$CONF_FILE" 2>/dev/null
    echo "address=/$DOMAIN/$REAL_IP" | sudo tee -a "$CONF_FILE" > /dev/null
    echo "DONE ($REAL_IP)"
done
# 6. Restart dnsmasq (a SIGHUP does not re-read address= rules)
sudo systemctl restart dnsmasq
echo "------------------------------"
echo "dnsmasq restarted with real IP addresses."
DoH without DNS (bootstrap lookup when the resolver itself is poisoned)
If cloudflare-dns.com cannot be resolved, query Cloudflare's DoH endpoint by IP. Use --resolve rather than --insecure with a forged Host header: --resolve keeps certificate verification for cloudflare-dns.com, whereas --insecure accepts any certificate and would let an interceptor forge the JSON answer. The TLS SNI still says cloudflare-dns.com, so DPI may block this path; that is why the scripts above go through proxychains.
curl -s --resolve cloudflare-dns.com:443:104.16.249.249 -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=youtube.com&type=A"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"youtube.com","type":1}],"Answer":[{"name":"youtube.com","type":1,"TTL":284,"data":"142.250.186.174"}]}
curl -s --resolve cloudflare-dns.com:443:104.16.249.249 -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=freedium.cfd&type=A"
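The following is an added example, not one of the page's scripts. It isolates the checks that find.sh, fix_redirects.sh and the DoH bootstrap above depend on (pulling the names answered with an injected IP out of the dnsmasq log, extracting the A record from a DoH JSON reply, and refusing to write a rule when the name is unsafe or the answer is itself poisoned) as POSIX shell functions that run offline. The log lines and JSON replies are constructed to match the formats shown on this page; the injected addresses 10.10.34.35 and 10.10.34.36 and the Cloudflare application/dns-json field order are taken from the page as assumptions.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: the checks that find.sh,
# fix_redirects.sh and the DoH bootstrap rely on, as shell functions that run
# offline on constructed input. Assumptions: the injected addresses are
# 10.10.34.35 and 10.10.34.36 (as the page states) and the DoH reply has the
# application/dns-json layout cloudflare-dns.com returns.

# Constructed dnsmasq log lines in the log-queries/log-facility format.
SAMPLE_LOG='Jan  1 18:10:40 dnsmasq[53278]: query[A] youtube.com from 127.0.0.1
Jan  1 18:10:40 dnsmasq[53278]: forwarded youtube.com to 1.1.1.1
Jan  1 18:10:40 dnsmasq[53278]: reply youtube.com is 10.10.34.35
Jan  1 18:10:41 dnsmasq[53278]: reply googlevideo.com is 10.10.34.36
Jan  1 18:10:41 dnsmasq[53278]: cached youtube.com is 10.10.34.35
Jan  1 18:10:42 dnsmasq[53278]: reply example.com is 93.184.216.34
Jan  1 18:10:43 dnsmasq[53278]: reply decoy.example is 110.10.34.35'

# Constructed DoH replies: a normal CNAME+A chain, an injected answer, NXDOMAIN.
SAMPLE_DOH_OK='{"Status":0,"Question":[{"name":"youtube.com","type":1}],"Answer":[{"name":"youtube.com","type":5,"TTL":300,"data":"youtube-ui.l.google.com."},{"name":"youtube-ui.l.google.com","type":1,"TTL":284,"data":"142.250.186.174"}]}'
SAMPLE_DOH_POISONED='{"Status":0,"Answer":[{"name":"youtube.com","type":1,"TTL":60,"data":"10.10.34.36"}]}'
SAMPLE_DOH_NX='{"Status":3,"Question":[{"name":"nope.invalid","type":1}]}'

# is_bogus_ip IP -> 0 when IP is one the ISP injects.
is_bogus_ip() {
  case "$1" in
    10.10.34.35|10.10.34.36) return 0 ;;
    *) return 1 ;;
  esac
}

# valid_domain NAME -> 0 for a plain hostname (labels of letters, digits, '-').
# Anything else ('/', ';', spaces, '..') is refused before it can reach a sed
# pattern or the dnsmasq config file.
valid_domain() {
  printf '%s\n' "$1" \
    | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# poisoned_domains_from_log LOG_TEXT -> unique names answered with an injected IP.
# Only "reply NAME is IP" and "cached NAME is IP" lines count, and the IP is
# anchored at end of line so 110.10.34.35 does not match 10.10.34.35.
poisoned_domains_from_log() {
  printf '%s\n' "$1" \
    | grep -E ' (reply|cached) [^ ]+ is 10\.10\.34\.3[56]$' \
    | awk '{print $6}' | sort -u
}

# doh_answer_ip JSON -> data of the first A record (type 1), or nothing.
# grep/sed instead of jq; relies on Cloudflare's "type":1,"TTL":n,"data":"ip"
# field order inside one Answer object, as in the replies shown on this page.
doh_answer_ip() {
  printf '%s' "$1" \
    | grep -oE '"type":1,"TTL":[0-9]+,"data":"[0-9.]+"' \
    | sed -E 's/.*"data":"([0-9.]+)".*/\1/' | head -n 1
}

# address_rule DOMAIN JSON -> prints the dnsmasq address= line for DOMAIN.
# Returns 2 for an unsafe name, 1 when there is no A record, 3 when the DoH
# answer is itself an injected IP (pinning it would make the poisoning permanent).
address_rule() {
  dom=$1
  ip=$(doh_answer_ip "$2")
  valid_domain "$dom" || { echo "refusing unsafe domain: $dom" >&2; return 2; }
  [ -n "$ip" ] || { echo "no A record for $dom" >&2; return 1; }
  if is_bogus_ip "$ip"; then
    echo "DoH answer for $dom is the injected IP $ip" >&2
    return 3
  fi
  printf 'address=/%s/%s\n' "$dom" "$ip"
}

# Stand-alone run: names to fix from the sample log, then the rules that
# would (and would not) be written.
poisoned_domains_from_log "$SAMPLE_LOG"
address_rule youtube.com "$SAMPLE_DOH_OK"
address_rule youtube.com "$SAMPLE_DOH_POISONED" || echo "refused (exit $?)"
```

To use this against a live system, feed `poisoned_domains_from_log` the contents of /var/log/dnsmasq.log and `address_rule` the body returned by the DoH curl call; the output lines are exactly what the scripts append to dynamic_redirects.conf, and the non-zero returns are the cases the scripts on this page silently wrote through.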
Important paths
sudo gedit /etc/dnsmasq.d/dynamic_redirects.conf   # pins written by find.sh / fix_redirects.sh
sudo tail -f /var/log/dnsmasq.log                   # live query log
dig googlevideo.com | grep "Query time"             # cache / latency check
sudo gedit /etc/dnsmasq.d/99-split-dns.conf         # hand-written split rules
sudo systemctl restart dnsmasq
Step 1: Install a DoH (DNS-over-HTTPS) Bridge
Download the .deb package (for 64-bit Intel/AMD)
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
Install it
sudo dpkg -i cloudflared-linux-amd64.deb
- Configure cloudflared as a DNS proxy. We want cloudflared to listen on localhost port 5053 and send queries to Google or Cloudflare over HTTPS.
Create the config directory:
sudo mkdir -p /etc/cloudflared
Create the config file:
sudo gedit /etc/cloudflared/config.yml
Paste this inside:
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://dns.google/dns-query
  - https://1.1.1.1/dns-query
The stock service installer registers a tunnel service and expects tunnel credentials (a Tunnel-UUID), which a plain DNS proxy does not have. Try it, and if the service does not come up, use the dedicated unit below instead:
sudo cloudflared service install
sudo systemctl start cloudflared
sudo systemctl status cloudflared
- Create a dedicated unit for the DNS proxy. It needs no Cloudflare login and none of the tunnel (Tunnel-UUID) requirements.
sudo gedit /etc/systemd/system/cloudflared-doh.service
[Unit]
Description=Cloudflare DoH Proxy
After=network.target
[Service]
# Listen locally on 5053 and forward to Cloudflare/Google over HTTPS.
# The .deb installs the binary at /usr/bin/cloudflared; confirm with: command -v cloudflared
ExecStart=/usr/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://8.8.8.8/dns-query
Restart=always
# Port 5053 is unprivileged, so root is not required: DynamicUser=yes in place
# of User=root runs the proxy as an ephemeral unprivileged user.
User=root
[Install]
WantedBy=multi-user.target
- Activate the proxy:
sudo systemctl daemon-reload
sudo systemctl enable cloudflared-doh
sudo systemctl start cloudflared-doh
Verify it is running:
sudo systemctl status cloudflared-doh
# It should show cloudflared listening on port 5053
sudo ss -lntp | grep 5053
sudo gedit /etc/dnsmasq.d/99-split-dns.conf
Replace your YouTube rules with these:
# 1. Turn the ISP's injected IPs into NXDOMAIN if they leak through. This only
#    keeps clients off the fake address; it does not recover the real record,
#    so the affected domains also need the DoH route below.
bogus-nxdomain=10.10.34.35
bogus-nxdomain=10.10.34.36
# 2. Route YouTube/Google through the encrypted bridge on port 5053
server=/googlevideo.com/127.0.0.1#5053
server=/youtube.com/127.0.0.1#5053
server=/ytimg.com/127.0.0.1#5053
server=/ggpht.com/127.0.0.1#5053
# 3. Everything else can use normal DNS (or also the bridge)
server=1.1.1.1
This guide covers the complete path from a hijacked resolver to a split DNS-over-HTTPS setup that restores YouTube in a restricted network. It addresses DNS hijacking only: if the ISP also filters on the TLS SNI, fixing DNS is not enough on its own (see the note at the top of the page).
Bypassing YouTube DNS Hijacking: A Complete Guide
If you see IP addresses like 10.10.34.35 when you query YouTube domains, or your videos sit on an infinite loading wheel, your ISP is likely performing DNS poisoning, and possibly deep packet inspection (DPI) as well.
This article explains how to move from a hijacked state to a DNS-over-HTTPS (DoH) architecture using dnsmasq and cloudflared.
Phase 1: Identifying the Problem
The first sign of trouble is usually a fake IP returned for Google/YouTube servers. ISPs intercept standard DNS queries (port 53) and inject their own responses.
The test: resolve a YouTube name through your normal resolver (dig +short youtube.com) and compare it with the answer from the DoH lookup shown earlier; 10.10.34.35 or 10.10.34.36 is the injected address.
Even if you change your DNS to 1.1.1.1 or 8.8.8.8, the ISP can still see the domain name in the plaintext packet and rewrite the answer.
Phase 2: Installing the Encrypted Bridge
To stop the ISP from reading your DNS queries, we must wrap them in an HTTPS tunnel. We use cloudflared as a local proxy.
1. Download and Install:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
2. Create a Manual Systemd Service:
Since we only need a DNS proxy (not a web tunnel), we create a custom unit, /etc/systemd/system/cloudflared-doh.service, that listens on port 5053.
Paste the following:
[Unit]
Description=Cloudflare DoH Proxy
After=network.target
[Service]
# The .deb installs the binary at /usr/bin/cloudflared (check with: command -v cloudflared)
ExecStart=/usr/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://8.8.8.8/dns-query
Restart=always
User=root
[Install]
WantedBy=multi-user.target
3. Start the Bridge:
sudo systemctl daemon-reload
sudo systemctl enable cloudflared-doh
sudo systemctl start cloudflared-doh
Phase 3: Configuring Dnsmasq for Split-Routing
Now that there is an encrypted resolver at 127.0.0.1:5053, tell dnsmasq to send only YouTube-related names through it while other names stay on standard DNS for speed. Queries to the bridge leave the machine as HTTPS, so the ISP sees neither the name nor the answer.
1. Create the Split-DNS config, /etc/dnsmasq.d/99-split-dns.conf:
2. Add the rules:
# 1. Turn the ISP's injected IPs into NXDOMAIN wherever they appear
bogus-nxdomain=10.10.34.35
bogus-nxdomain=10.10.34.36
# 2. Route YouTube domains through the DoH bridge
server=/googlevideo.com/127.0.0.1#5053
server=/youtube.com/127.0.0.1#5053
server=/ytimg.com/127.0.0.1#5053
server=/ggpht.com/127.0.0.1#5053
server=/gstatic.com/127.0.0.1#5053
# 3. Standard DNS for everything else
server=1.1.1.1
# 4. Don't cache negative results, so a failed lookup (including one turned
#    into NXDOMAIN above) is retried next time instead of served from cache
no-negcache
3. Restart dnsmasq so the rules take effect (sudo systemctl restart dnsmasq).
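An added example, not part of the page's own configuration: a small shell audit of the split rules from this phase (and the earlier 99-split-dns.conf section), run on a constructed fragment that mixes the page's rules with two mistakes this kind of setup accumulates over time, an address= pin that one of the scripts wrote with the injected IP, and a YouTube domain still forwarded to a plaintext port-53 upstream. The domain list, the injected IPs 10.10.34.35/.36 and the bridge at 127.0.0.1#5053 are taken from the page; the fragment itself is constructed.

```shell
#!/bin/sh
# Added example: audit a dnsmasq split configuration for the mistakes that
# silently defeat the setup described on this page. Not part of the page's
# own configuration. Assumptions: the ISP injects 10.10.34.35/.36, and the
# DoH bridge listens on 127.0.0.1#5053 (both as stated on the page).

# Constructed fragment: the page's rules plus two deliberate mistakes
# (a pin carrying an injected IP, and ytimg.com still on plaintext DNS).
SAMPLE_CONF='# split rules
bogus-nxdomain=10.10.34.35
server=/googlevideo.com/127.0.0.1#5053
server=/youtube.com/127.0.0.1#5053
server=/ytimg.com/1.1.1.1
address=/notebooklm.google.com/10.10.34.36
address=/freedium.cfd/172.67.207.134
server=1.1.1.1
no-negcache'

# Domains the page routes through the DoH bridge; any of these forwarded to
# a plaintext upstream is reported.
DOH_DOMAINS='youtube\.com|googlevideo\.com|ytimg\.com|ggpht\.com'

# route_table CONF -> one "domain<TAB>upstream" line per server=/d/u rule and
# "domain<TAB>pin:IP" per address=/d/IP rule, in file order.
route_table() {
  printf '%s\n' "$1" | awk -F/ '
    $0 ~ "^server=/[^/]+/[^/]+$"  { printf "%s\t%s\n", $2, $3 }
    $0 ~ "^address=/[^/]+/[^/]+$" { printf "%s\tpin:%s\n", $2, $3 }'
}

# lint_split_conf CONF -> prints each finding; the return value is the number
# of findings, so 0 means the fragment is clean.
lint_split_conf() {
  conf=$1
  n=0
  # 1. address= pins carrying an injected IP would make the poisoning permanent.
  for line in $(printf '%s\n' "$conf" | grep -E '^address=/[^/]+/10\.10\.34\.3[56]$'); do
    echo "poisoned pin: $line"
    n=$((n + 1))
  done
  # 2. DoH-routed domains must not fall back to a plaintext port-53 upstream.
  for line in $(printf '%s\n' "$conf" \
      | grep -E "^server=/([^/]*\.)?($DOH_DOMAINS)/" \
      | grep -v '/127\.0\.0\.1#5053$'); do
    echo "plaintext forward: $line"
    n=$((n + 1))
  done
  # 3. Every injected IP needs a bogus-nxdomain line, or a leaked answer is served.
  for ip in 10.10.34.35 10.10.34.36; do
    if ! printf '%s\n' "$conf" | grep -qx "bogus-nxdomain=$ip"; then
      echo "missing: bogus-nxdomain=$ip"
      n=$((n + 1))
    fi
  done
  return "$n"
}

# Stand-alone run: print the route table, then the findings.
route_table "$SAMPLE_CONF"
lint_split_conf "$SAMPLE_CONF" || echo "findings: $?"
```

On a real host, pass the concatenation of /etc/dnsmasq.d/99-split-dns.conf and /etc/dnsmasq.d/dynamic_redirects.conf (for example `"$(cat /etc/dnsmasq.d/*.conf)"`) to `lint_split_conf` after every script run; a non-zero return is the signal that a pin or a route needs attention before the next restart.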
Phase 4: Verification and Browser Cleanup
Once the configuration is live, verify that dnsmasq forwards the YouTube names to the DoH port.
Check the logs (sudo tail -f /var/log/dnsmasq.log): each YouTube query should show forwarded ... to 127.0.0.1#5053, not to 1.1.1.1 or another port-53 server.
Check the result:
dig @127.0.0.1 rr1---sn-qxau5-btqd.googlevideo.com
# You should now see a real Google IP (e.g., 142.250.x.x), not 10.10.34.x
Final Step: Flush Browser State
Browsers like Chrome maintain their own DNS cache and socket pools. If you don't flush these, the browser keeps reusing the old hijacked connections.
- Go to chrome://net-internals/#dns and click "Clear host cache".
- Go to chrome://net-internals/#sockets and click "Flush socket pools".
- Restart the browser.
Summary Table
| Component | Role | What it provides |
|---|---|---|
| dnsmasq | Decides which domains go where (split DNS) and applies address= pins. | Control over routing |
| cloudflared | Wraps DNS queries in HTTPS (DoH) so the ISP can neither read nor rewrite them on the way to the resolver. | Confidentiality and integrity of the lookup |
| bogus-nxdomain | Turns any answer carrying the ISP's injected IP into NXDOMAIN. | Damage limitation when an injected answer still gets through |
Comprehensive guide to getting past DNS disruption and poisoning (the self-healing system)
If, when pinging Google or Telegram services, you see suspicious IPs such as 10.10.34.35, your system is facing DNS poisoning: the operator recognises your requests and sends a forged response. This section explains how to set up a Split-DNS system on top of DNS-over-HTTPS (DoH).
Part one: installing and configuring the base tools
First install the dnsmasq package, which will manage the requests:
1. Point the system at the local DNS
Edit resolved.conf so that queries do not leak past the local resolver:
Apply the settings shown at the top of this page (DNS=, DNSOverTLS=yes, DNSStubListener=no).
Then restart the service (systemd-resolved).
Part two: building the secure bridge (DoH bridge)
So that the operator cannot read the content of our DNS requests, we wrap them in encrypted HTTPS packets.
1. Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
2. Create a dedicated service for the DNS proxy
Create the file /etc/systemd/system/cloudflared-doh.service:
Put the following content in it:
[Unit]
Description=Cloudflare DoH Proxy
After=network.target
[Service]
# The .deb installs the binary at /usr/bin/cloudflared (check with: command -v cloudflared)
ExecStart=/usr/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://8.8.8.8/dns-query
Restart=always
User=root
[Install]
WantedBy=multi-user.target
Enable the service (systemctl daemon-reload, then enable and start cloudflared-doh, as in Phase 2 above).
Part three: smart dnsmasq configuration
Now tell dnsmasq which sites go through the secure bridge and which are resolved directly.
1. Main settings
Configure /etc/dnsmasq.conf with the settings shown at the top of this page (such as cache-size=2500 and all-servers).
2. Split-DNS settings (very important)
Create the file /etc/dnsmasq.d/99-split-dns.conf:
Apply these rules to get past the poisoning:
# Turn the operator's forged answers into NXDOMAIN
bogus-nxdomain=10.10.34.35
# Send YouTube and Telegram domains to the secure DoH bridge
server=/googlevideo.com/127.0.0.1#5053
server=/youtube.com/127.0.0.1#5053
server=/telegram.org/127.0.0.1#5053
server=/t.me/127.0.0.1#5053
# Use sanction-bypass resolvers for specific sites
server=/shecan.ir/178.22.122.100
Part four: the self-healing system (the fix_redirects script)
From time to time the operator starts poisoning new domains. With this script, the system scans the dnsmasq log for names answered with the injected IP, fetches the real IP over DoH and stores it in the configuration.
Script to find the real IP:
Create a file named fix_redirects.sh and put the Bash code given in the earlier section into it. The script uses proxychains and curl to fetch the correct IP from Cloudflare's DoH server and appends an address= rule to dynamic_redirects.conf; it needs log-queries and log-facility=/var/log/dnsmasq.log in dnsmasq.conf to have anything to read.
Part five: testing and troubleshooting
After completing all the steps, your dig output should change:
- Check the logs: you should see forwarded ... to 127.0.0.1#5053.
- Test the real IP: if the answer starts with 142.x.x.x or 172.x.x.x (Google ranges) instead of 10.10.34.x, the setup works.
Final note for the browser:
If the browser still misbehaves, clear its DNS cache:
- In Chrome: chrome://net-internals/#dns and the "Clear host cache" button.
- Then: chrome://net-internals/#sockets and the "Flush socket pools" button.