The note is generated by CatDesk.
What is DNS
DNS (Domain Name System) is the “phone book” of the internet. It translates human-readable domain names (like www.google.com) into machine-readable IP addresses (like 142.250.80.46). Without DNS, you’d have to memorize IP addresses for every website you visit.
How DNS Resolution Works
When you type mlp.sankuai.com in your browser, a chain of lookups happens:
Browser cache → OS cache → Router → Recursive Resolver → Root Server → TLD Server → Authoritative Server
Step by step:
- Browser cache — The browser checks if it has recently resolved this domain.
- OS cache — The operating system checks its local DNS cache (the /etc/hosts file is also checked here).
- Recursive resolver — Your configured DNS server (e.g., 8.8.8.8) takes over. It will query on your behalf.
- Root nameserver — The resolver asks a root server “where is .com?” (there are 13 root server clusters worldwide).
- TLD nameserver — The root says “ask the .com TLD server.” The TLD server knows which authoritative server handles google.com.
- Authoritative nameserver — This server holds the actual DNS records and returns the final IP address.
The result is cached at every level with a TTL (Time To Live) so the full chain isn’t repeated every time.
DNS Record Types
| Type | Purpose | Example |
|---|---|---|
| A | Maps domain → IPv4 address | mlp.sankuai.com → 10.192.19.165 |
| AAAA | Maps domain → IPv6 address | google.com → 2607:f8b0:4004:800::200e |
| CNAME | Alias to another domain | mlp.sankuai.com → inf.vip.sankuai.com |
| MX | Mail server for the domain | sankuai.com → mail.sankuai.com |
| NS | Nameserver for the domain | sankuai.com → ns1.sankuai.com |
| TXT | Arbitrary text (SPF, verification) | v=spf1 include:... |
| SOA | Start of Authority (zone metadata) | Primary NS, admin email, serial |
| PTR | Reverse lookup (IP → domain) | 165.19.192.10.in-addr.arpa → mlp.sankuai.com |
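To make the lookup chain and the record types above concrete, here is an added example (not part of the original note) that decodes a DNS response in wire format, including the name-compression pointers that keep a CNAME chain such as mlp.sankuai.com → inf.vip.sankuai.com → 10.192.19.165 compact. The response bytes are constructed by hand, not captured from a real server.

```python
import struct

def encode_name(name):
    """Dotted name -> wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer into an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_answers(msg):
    """Walk header, question and answer sections; return [(owner, type, ttl, rdata)]."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    out = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen].hex()           # raw hex unless decoded below
        if rtype == 1:                               # A: four address bytes
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                             # CNAME: another (compressible) name
            rdata, _ = decode_name(msg, off)
        off += rdlen
        out.append((owner, rtype, ttl, rdata))
    return out

# Constructed response, not a real capture. The question name sits at offset 12, so pointer
# 0xC00C = "mlp.sankuai.com", 0xC010 = "sankuai.com", 0xC02D = the CNAME target at offset 45.
QUESTION = encode_name("mlp.sankuai.com") + struct.pack(">HH", 1, 1)       # QTYPE A, class IN
CNAME_RDATA = b"\x03inf\x03vip\xc0\x10"                                  # inf.vip.sankuai.com
RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, len(CNAME_RDATA)) + CNAME_RDATA
            + b"\xc0\x2d" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([10, 192, 19, 165]))
```

`parse_answers(RESPONSE)` yields the CNAME (TTL 300) followed by the A record (TTL 60), which is exactly the two-step answer a resolver caches per record.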
DNS Servers You Should Know
Public DNS:
- 8.8.8.8 / 8.8.4.4 — Google Public DNS
- 1.1.1.1 / 1.0.0.1 — Cloudflare DNS (fast, privacy-focused)
- 223.5.5.5 / 223.6.6.6 — Alibaba DNS (China)
- 119.29.29.29 — Tencent DNSPod (China)
- 114.114.114.114 — 114 DNS (China)
Meituan Internal DNS:
- 11.11.11.11 / 11.11.11.12 — Resolves internal domains like *.sankuai.com
Public DNS servers cannot resolve internal/private domains. That’s why corporate environments need their own DNS servers.
DNS Query Tools
- nslookup
- dig (more detailed)
- host (simple)
DNS in Proxy Tools (Clash/Mihomo)
When using proxy tools like Clash, DNS becomes more complex. There are two main modes:
redir-host mode
The proxy resolves the domain to a real IP first, then matches rules against that IP. Simple and predictable, but leaks DNS queries (your ISP can see what domains you visit).
fake-ip mode
The proxy immediately returns a fake IP (from a reserved range like 198.18.0.0/16) to the application. The proxy remembers the mapping internally. When traffic comes in for that fake IP, Clash knows which domain it was for and routes accordingly.
Advantages: Faster (no DNS latency before connection), no DNS leak.
Problem: If a rule says IP-CIDR,10.0.0.0/8,DIRECT but the domain was mapped to a fake IP 198.18.x.x, the rule won’t match! That’s why fake-ip-filter exists — to exclude certain domains from the fake-ip mechanism and let them resolve to real IPs.
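The mismatch described above, modelled as an added example (a simplified stand-in for Clash’s rule engine, not its real code): the rule list, the fake-ip-filter patterns and the “real” DNS answers are all constructed, and the DOMAIN-SUFFIX branch is there only to show that domain rules still match under fake-ip because the proxy remembers the mapping.

```python
import fnmatch
import ipaddress

FAKE_IP_RANGE = ipaddress.ip_network("198.18.0.0/16")   # Clash's default fake-ip-range

# Constructed rule list and stand-in "real" DNS answers (not taken from a live config).
RULES = [("IP-CIDR", "10.0.0.0/8", "DIRECT"), ("MATCH", "", "PROXY")]
REAL_DNS = {"mlp.sankuai.com": "10.192.19.165", "www.google.com": "142.250.80.46"}

class FakeIpProxy:
    """Simplified model of a fake-ip resolver sitting in front of a rule engine."""

    def __init__(self, rules, fake_ip_filter=()):
        self.rules = rules
        self.fake_ip_filter = list(fake_ip_filter)
        self.fake_to_domain = {}                       # fake IP -> domain it stands for
        self._pool = FAKE_IP_RANGE.hosts()             # hands out 198.18.0.1, 198.18.0.2, ...

    def resolve(self, domain):
        """What the application gets back when it asks the proxy's DNS for `domain`."""
        if any(fnmatch.fnmatch(domain, pat) for pat in self.fake_ip_filter):
            return REAL_DNS[domain]                    # filtered: real lookup, real IP
        fake_ip = str(next(self._pool))
        self.fake_to_domain[fake_ip] = domain
        return fake_ip

    def route(self, dst_ip):
        """Pick the outbound for a connection the application opened to `dst_ip`."""
        domain = self.fake_to_domain.get(dst_ip)       # None when dst_ip is a real address
        for rtype, value, outbound in self.rules:
            if rtype == "DOMAIN-SUFFIX" and domain and domain.endswith(value):
                return outbound                        # domain rules still work under fake-ip
            if rtype == "IP-CIDR" and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(value):
                return outbound                        # a 198.18.x.x fake IP never lands here
            if rtype == "MATCH":
                return outbound
        return "REJECT"

def connect(domain, fake_ip_filter=()):
    """Resolve then route, as an app would; returns (IP handed to the app, outbound chosen)."""
    proxy = FakeIpProxy(RULES, fake_ip_filter)
    ip = proxy.resolve(domain)
    return ip, proxy.route(ip)
```

Without a filter, mlp.sankuai.com is handed 198.18.0.1 and falls through to PROXY; with `*.sankuai.com` in fake-ip-filter it resolves to 10.192.19.165 and the IP-CIDR rule sends it DIRECT.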
DNS over HTTPS (DoH) and DNS over TLS (DoT)
Traditional DNS queries are sent in plain text over UDP port 53 — anyone on the network can see them. Modern alternatives encrypt DNS:
DoH (DNS over HTTPS) — DNS queries wrapped in HTTPS. Looks like normal web traffic. Hard to block or sniff.
https://dns.alidns.com/dns-query
https://doh.pub/dns-query
https://dns.google/dns-query
DoT (DNS over TLS) — DNS queries wrapped in TLS on port 853. Easier to identify and block than DoH but still encrypted.
tls://223.5.5.5
tls://dns.google
Common DNS Issues and Debugging
DNS poisoning / pollution
Some networks return wrong IPs for certain domains (e.g., ISPs in China returning fake IPs for blocked sites). Solution: use encrypted DNS (DoH/DoT) or a trusted DNS server.
DNS cache stale
After a server IP changes, old cached results cause failures. Fix: flush the stale cache at whichever level is holding it (browser, OS, or resolver), or wait for the record’s TTL to expire.
Split-horizon DNS
Corporate networks often use “split DNS” — internal DNS servers resolve internal domains differently from public DNS. If you use public DNS (8.8.8.8) for everything, internal domains won’t resolve. That’s why you need to configure internal DNS servers (11.11.11.11) when on a corporate network.
Check what DNS your system is using
Before chasing other causes, confirm which resolver your system is actually sending queries to: on a corporate network it should be the internal server (11.11.11.11), not a public one such as 8.8.8.8.
The /etc/hosts File
The simplest form of “DNS” — a local file that maps domains to IPs directly, checked before any DNS server is queried.
# /etc/hosts
127.0.0.1 localhost
10.192.19.165 mlp.sankuai.com # Force a specific IP
Useful for development, testing, or overriding DNS temporarily.
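As an added example covering the “check what DNS your system is using” and /etc/hosts sections (not code from the original note), the following parses a constructed /etc/hosts and /etc/resolv.conf and reports where a given name would be answered; the search-domain handling is a simplification of glibc’s ndots rule.

```python
import ipaddress

# Constructed sample files (not copied from a real machine).
HOSTS_FILE = """\
# /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost
10.192.19.165   mlp.sankuai.com mlp   # Force a specific IP
"""
RESOLV_CONF = """\
# resolver config as it might look on a corporate laptop
search sankuai.com
nameserver 11.11.11.11
nameserver 11.11.11.12
"""

def parse_hosts(text):
    """Map each hostname and alias to its IP; '#' starts a comment, first entry wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip = str(ipaddress.ip_address(fields[0]))   # rejects malformed addresses early
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def parse_resolv_conf(text):
    """Return (nameservers in order, search domains) from a resolv.conf body."""
    servers, search = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["nameserver"]:
            servers.append(fields[1])
        elif fields[:1] in (["search"], ["domain"]):
            search = fields[1:]
    return servers, search

def lookup_plan(name, hosts_text=HOSTS_FILE, resolv_text=RESOLV_CONF):
    """Where a lookup is answered: /etc/hosts first, otherwise the configured nameservers."""
    table = parse_hosts(hosts_text)
    servers, search = parse_resolv_conf(resolv_text)
    if name.lower() in table:                       # answered locally, no packet leaves
        return ("hosts", name, table[name.lower()])
    # single-label names get the first search domain appended before being sent
    query = name if "." in name or not search else f"{name}.{search[0]}"
    return ("dns", query, servers)
```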
Summary
DNS is deceptively simple on the surface (domain → IP) but has many layers. Understanding it helps you debug network issues, configure proxies correctly, and understand why “the internet is broken” sometimes. The key concepts to remember:
- DNS is hierarchical: root → TLD → authoritative
- Caching happens at every level (browser, OS, resolver)
- Corporate networks need internal DNS for private domains
- Proxy tools in fake-ip mode interfere with IP-based rules unless you use fake-ip-filter
- Encrypted DNS (DoH/DoT) protects privacy but may bypass corporate DNS policies