How to keep Brook's Fake DNS working

Updated at: 2024-02-24


What is the purpose of Fake DNS

Brook learns the domain name being requested through Fake DNS, and then performs tasks based on that domain name, such as pinning it to an IP with hosts rules, and so on.

Fake DNS answers carry a TTL of 60 seconds, so under normal circumstances there is no problem, but some apps that do not follow the standard cache the answer for longer. Instagram deserves criticism here, and a script can be used to exclude specific domain names from Fake DNS.

How Fake DNS works

  1. The Brook client first configures the system DNS
  2. When other applications resolve a domain name, they query the system DNS on UDP port 53
  3. Brook intercepts the traffic on UDP port 53 and returns a Fake IP to the querier
  4. After the application receives the Fake IP, it connects to that IP
  5. When Brook sees the outgoing connection and recognizes the destination as a Fake IP, it converts the IP back into the domain name, because Brook keeps a dictionary mapping Fake IPs to domain names in memory
  6. Brook then passes the domain name to the server, which resolves it and connects

So throughout the whole process, the local machine never learns the real IP address that is being connected to.

The above is only the simplest flow, to explain how Fake DNS works. The actual process also involves rule scripts and more.

How to keep Fake DNS working

As shown above, Fake DNS works by intercepting UDP port 53, so we need to prevent applications and the system from resolving domain names in any other way.

Block google secure DNS

Brook GUI sets the system DNS to Google DNS by default, and ships a built-in Block google secure DNS module; enabling it prevents the system from upgrading to Google secure DNS.

Turn off system or application secure DNS

Android

Settings -> Network & internet -> Private DNS -> Off

Windows

Settings -> Network & Internet -> Your Network -> DNS settings -> Edit -> Preferred DNS -> Unencrypted only ->

Chrome Mobile

Settings -> Privacy and security -> Use secure DNS -> Off

Chrome Desktop

Settings -> Privacy and security -> Security -> Use secure DNS -> Off

More knowledge

Sometimes your system DNS is clearly configured with ordinary DNS, yet the final query goes over secure DNS. This happens because the system or browser first asks the system DNS whether DoH is supported, and if it is, the query is upgraded to DoH. For example

brook dnsclient --dns -d -t SVCB
;; opcode: QUERY, status: NOERROR, id: 52504
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4

;    IN       SVCB

;; ANSWER SECTION:
    86400   IN      SVCB    1 alpn="dot"
    86400   IN      SVCB    2 alpn="h2,h3" dohpath="/dns-query{?dns}"

;; ADDITIONAL SECTION:
    86400   IN      A
    86400   IN      A
    86400   IN      AAAA    2001:4860:4860::8888
    86400   IN      AAAA    2001:4860:4860::8844

As you can see, the server supports DoT and DoH. Don't worry: if Fake DNS is enabled, the Brook client blocks this SVCB query for you.
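The flow in steps 3 to 5 of "How Fake DNS works", together with the SVCB blocking just described, as an added example that is not Brook's own code: a minimal Fake DNS responder that parses a query from UDP port 53, hands out a Fake IP from a pool, answers with a 60-second TTL, keeps the Fake IP to domain dictionary for the reverse lookup, and refuses SVCB queries so the client stays on plain DNS. The pool 198.18.0.0/15 and the single-question parser are assumptions for the example, and the sample query is constructed inline.

```python
import ipaddress
import struct
FAKE_TTL = 60                     # the 60-second TTL mentioned above
QTYPE_A, QTYPE_SVCB = 1, 64       # SVCB (type 64) is what the DoH/DoT upgrade probe asks for
RCODE_REFUSED = 5
class FakeDNS:
    def __init__(self, pool="198.18.0.0/15"):   # pool choice is an assumption of this example
        self._free = iter(ipaddress.ip_network(pool).hosts())
        self.ip_to_domain = {}    # the in-memory Fake IP -> domain dictionary (step 5)
        self.domain_to_ip = {}

    @staticmethod
    def parse_query(pkt):         # returns (id, qname, qtype, raw question bytes)
        qid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
        pos, labels = 12, []      # question starts right after the 12-byte header
        while pkt[pos]:
            n = pkt[pos]
            labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        pos += 1                  # skip the root label
        qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
        return qid, ".".join(labels), qtype, pkt[12:pos + 4]

    def fake_ip(self, domain):    # step 3: one stable Fake IP per domain
        if domain not in self.domain_to_ip:
            ip = str(next(self._free))
            self.domain_to_ip[domain] = ip
            self.ip_to_domain[ip] = domain
        return self.domain_to_ip[domain]

    def handle(self, pkt):        # build the response for one query seen on UDP port 53
        qid, qname, qtype, question = self.parse_query(pkt)
        def header(rcode, ancount):   # flags: QR=1, RD=1, RA=1, plus the rcode
            return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, ancount, 0, 0)
        if qtype == QTYPE_SVCB:       # refuse the upgrade probe so clients stay on plain DNS
            return header(RCODE_REFUSED, 0) + question
        if qtype != QTYPE_A:
            return header(0, 0) + question       # NOERROR with no answer
        rdata = ipaddress.ip_address(self.fake_ip(qname)).packed
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, FAKE_TTL, 4) + rdata
        return header(0, 1) + question + rr

    def domain_for(self, ip):     # step 5: map a connection's destination back to its domain
        return self.ip_to_domain.get(ip)

def build_query(qid, name, qtype):   # constructed sample query, shaped like what an app sends
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
```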

In another case, your system DNS is clearly configured with ordinary DNS and no upgrade query is made, yet the final query still goes over secure DNS. This is because the system and browser have built-in knowledge of certain secure DNS servers: if they find that the configured server is one they already know supports DoH, they use DoH directly. At this point we can block those connections with a script, such as Block google secure DNS.