DNS failover for blacklisted IPs

I use an Iranian ISP, which means that DNS is filtered (cached and filtered) by the ISP, so using returns and for filtered domains.
But I have to use because it is fast and it is needed for a lot of Iranian domains, for which it returns the correct IP; if I use dnscrypt or other services, the IP is not returned correctly.

Now I have blacklisted IP in dnsmasq, but when I do that and I set both and dnscrypt, it first tries and returns the internal which dnsmasq filters, but then it doesn't try to get the next answer from dnscrypt, so the overall answer will be an empty one.

Is there any way to fix this so that first is tried and, if the filtering address ( is returned, it then tries the next DNS server and gets it from dnscrypt?

If I set strict-order, then the Iranian sites that have DNS issues work because dnsmasq queries, but ignoredomain or bogusdomain make dnsmasq time out or give an empty answer for filtered domains.
If I don't use strict-order, then dnsmasq seems to select dnscrypt for all answers, and then I get bad replies for internal Iranian websites.

You can use selective forwarding to separate domains which should be forwarded to plain/encrypted DNS:

That is not what I need.
I don't know what sites misbehave with dnscrypt.
I need the as default, but I need dnsmasq to skip on websites where it gives the filtering address.

It may not be possible with dnsmasq, though.

Dnsmasq doesn't support this kind of logic.
