DNS failover for blacklisted IPs

I use an Iranian ISP, which means that DNS is filtered (cached and filtered) by the ISP, so using 8.8.8.8 returns 10.10.34.34 and 10.10.34.35 for filtered domains.
But I have to use 8.8.8.8 because it is fast and it is needed for a lot of Iranian domains that return the correct IP; if I use dnscrypt or other services the IP is not returned correctly.

Now I have blacklisted the 10.10.34.34 IP in dnsmasq, but when I do that and I set both 8.8.8.8 and dnscrypt, it first tries 8.8.8.8 and returns the internal 10.10.34.34, which dnsmasq filters, but then it doesn't try to get the next answer from dnscrypt, so the overall answer will be an empty one.

Is there any way to fix this so that 8.8.8.8 is tried first and, if the filtering address (10.10.34.34) is returned, it then tries the next DNS server and gets it from dnscrypt?

If I set strict-order then the Iranian sites that have DNS issues work, because dnsmasq queries 8.8.8.8, but ignoredomain or bogusdomain make dnsmasq time out or give an empty answer for filtered domains.
If I don't use strict-order then dnsmasq seems to select dnscrypt for all answers, and then I get bad replies for internal Iranian websites.

You can use selective forwarding to separate domains which should be forwarded to plain/encrypted DNS:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#selective_dns_forwarding

No, that is not what I need.
I don't know which sites misbehave with dnscrypt.
I need 8.8.8.8 as the default, but I need dnsmasq to skip 8.8.8.8 for websites where it gives the 10.10.34.34 filtering address.

It may not be possible with dnsmasq though.

Dnsmasq doesn't support this kind of logic.
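The filter-aware fallback the original poster asks for, written out as an added stand-alone example (it is not code from this thread, from OpenWrt or from dnsmasq): a small Python stub resolver that queries the upstreams in order, parses the A records itself, and rejects any reply containing the ISP filtering addresses quoted in the thread before moving on to the next server. The server list, the `127.0.0.1` address standing in for a local dnscrypt listener, and the `build_a_response` helper (used only to construct a reply offline) are assumptions for illustration.

```python
import socket
import struct

# Addresses the ISP returns for filtered domains, as reported in the thread.
FILTER_ADDRESSES = {"10.10.34.34", "10.10.34.35"}


def build_query(name, txid=0x1234):
    """Minimal DNS query: standard header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_a_response(name, addrs, txid=0x1234):
    """Constructed reply with one A record per address (test input only)."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    # Each answer name is a compression pointer (0xC00C) back to the question name.
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + question + rrs


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def udp_query(server, name, timeout=2.0):
    """Send one plain UDP/53 query and return the raw reply bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return data


def resolve_with_fallback(name, servers, query=udp_query, filtered=FILTER_ADDRESSES):
    """Ask servers in order; accept the first reply that contains no filtering address.

    Returns (server, addresses). A reply that times out, fails to parse, is empty
    or contains a filtering address is skipped and the next upstream is tried.
    """
    for server in servers:
        try:
            addrs = parse_a_records(query(server, name))
        except (OSError, struct.error, IndexError):
            continue                            # timeout or malformed reply: next server
        if not addrs or any(a in filtered for a in addrs):
            continue                            # empty or ISP filtering page: next server
        return server, addrs
    return None, []


if __name__ == "__main__":
    # Assumed setup: 8.8.8.8 first, a local dnscrypt listener as fallback.
    print(resolve_with_fallback("example.com", ["8.8.8.8", "127.0.0.1"]))
```

The decision is made per domain and per reply, which is exactly what dnsmasq's address blacklist does not do: dnsmasq drops the offending answer but does not re-query the next upstream. Running the script against the real upstreams shows which one answers a given name cleanly; it is a diagnostic and a model of the logic, not a replacement for the router's resolver.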
