ihciah/clean-dns-bpf

★ 1,120 · Rust · updated Dec 2021

Drop GFW DNS poisoning packets using Rust + eBPF

An XDP/eBPF program written in Rust that drops GFW DNS poisoning packets at the kernel level, letting you get real DNS responses from 8.8.8.8 without a proxy. It works by fingerprinting the spoofed replies — zero IP ID, specific DNS flags, Authoritative bit set with no Authority RRs — and dropping them before they reach userspace. Niche audience: people running Linux servers in China who want clean DNS without a full VPN stack.

Kernel-level packet drop via XDP is the right tool here — it intercepts before the network stack processes anything, so the legitimate response wins the race cleanly. The fingerprinting logic is well-reasoned and documented: the author actually captured traffic, identified multiple spoofing patterns (IPID=0, DF flag, DNS Authoritative bit without Authority RRs), and handles both Google and non-Google domains differently because the GFW behaves differently for each. It ships as a prebuilt ELF, so deployment is literally two commands.
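To make the fingerprint concrete, here is an added userspace sketch (not the project's code) that parses a raw IPv4/UDP DNS reply from 8.8.8.8:53 and reports the three indicators named above. The names `inspect`, `sample` and `Indicators` are hypothetical, the packets are constructed, and two choices are assumptions: treating the DF bit being set as the indicator, and flagging a reply when any single indicator matches.

```rust
// Added illustration, not the project's code: userspace check of a raw IPv4 packet.
#[derive(Debug, PartialEq)]
pub struct Indicators { pub ip_id_zero: bool, pub dont_fragment: bool, pub aa_no_authority: bool }
impl Indicators {
    // Assumption: any single indicator marks the reply as suspect.
    pub fn suspect(&self) -> bool { self.ip_id_zero || self.dont_fragment || self.aa_no_authority }
}

fn be16(b: &[u8], off: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(off)?, *b.get(off + 1)?]))
}

/// None means "not a parseable UDP DNS response from 8.8.8.8:53": pass it, never drop.
pub fn inspect(pkt: &[u8]) -> Option<Indicators> {
    let vihl = *pkt.first()?;
    let ihl = usize::from(vihl & 0x0f) * 4;
    if vihl >> 4 != 4 || ihl < 20 || *pkt.get(9)? != 17 { return None; } // IPv4 + UDP only
    if pkt.get(12..16)? != &[8u8, 8, 8, 8][..] || be16(pkt, ihl)? != 53 { return None; }
    let dns = ihl + 8; // DNS header follows the 8-byte UDP header
    let flags = be16(pkt, dns + 2)?;
    if flags & 0x8000 == 0 { return None; } // QR clear: a query, not a response
    let nscount = be16(pkt, dns + 8)?;
    Some(Indicators {
        ip_id_zero: be16(pkt, 4)? == 0,
        dont_fragment: be16(pkt, 6)? & 0x4000 != 0,
        aa_no_authority: flags & 0x0400 != 0 && nscount == 0,
    })
}

/// Constructed sample packet: IPv4 + UDP + bare 12-byte DNS header, checksums left zero.
pub fn sample(ip_id: u16, frag: u16, dns_flags: u16, nscount: u16) -> Vec<u8> {
    let mut p = vec![0x45, 0, 0, 40];
    p.extend_from_slice(&ip_id.to_be_bytes());
    p.extend_from_slice(&frag.to_be_bytes());
    p.extend_from_slice(&[64, 17, 0, 0, 8, 8, 8, 8, 192, 0, 2, 10]); // TTL, UDP, src, dst
    p.extend_from_slice(&[0, 53, 0xc0, 0, 0, 20, 0, 0]); // UDP: sport 53, dport 49152
    p.extend_from_slice(&[0x12, 0x34]); // DNS transaction ID
    p.extend_from_slice(&dns_flags.to_be_bytes());
    p.extend_from_slice(&[0, 1, 0, 1]); // QDCOUNT = 1, ANCOUNT = 1
    p.extend_from_slice(&nscount.to_be_bytes());
    p.extend_from_slice(&[0, 0]); // ARCOUNT = 0
    p
}

fn main() {
    let cases = [("ip id 0", sample(0, 0, 0x8180, 0)), ("plain", sample(0x1a2b, 0, 0x8180, 0))];
    for (name, pkt) in cases {
        println!("{}: {:?}", name, inspect(&pkt));
    }
}
```

Anything that fails to parse returns `None` and is passed through, so a malformed or unrelated packet is never dropped by mistake.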

Abandoned since December 2021 — the eBPF/Rust toolchain (cargo-bpf via redbpf) has moved significantly and the build instructions will likely not work without version pinning gymnastics. The heuristics are hardcoded and fragile: if the GFW changes its poisoning fingerprint (which it has done historically), there's no update path and no configuration to adjust without recompiling. Only targets 8.8.8.8:53, so if you use any other upstream resolver you get nothing. No persistence mechanism — you re-attach the XDP program on every reboot manually.
