What's the danger level of using Chinese DNS resolver?

Background

Currently I'm using iOS devices with OpenDNS (DoH) under Chinese ISPs to protect my privacy.

However, accessing to websites inside China mainland (like Taobao & NetEase) with this becomes laggy, and sometimes even fails to load.

By adding Chinese DNS resolvers like AliDNS, this issue can be solved.

But here comes the problem — all domain names not listed in rule files (like Chinalist) have to be sent to AliDNS, which would roughly indicate my browsing history.

Meanwhile, some Chinese iOS developers like Yachen Liu (developer of Surge, a famous iOS proxy tool) urged on Twitter that using overseas DoH is unnecessary under Chinese network 'cause it's slow, and we don't need this small piece of privacy protection.

Questions

So my questions are,

  1. Generally how long do DNS logs last on servers, Permanent Record?

  2. Would the police and other supervisors use DNS logs to AUTOMATICALLY detect and classify users?
    For example, when users make DNS requests of political sites like Pincong, Parler, or even Geph, would they get marked by the system as dangerous users?

  3. From the aspect of getting less supervision, would AliDNS (DoH) safer than port 53 ISP DNS resolvers?

  4. How governments of other countries treat these DNS records? I think they may learn from each other.

  5. When using "Exclude Chinese traffic" mode, how Geph handles DNS issues to remain secure & fast? (I've never used this feature.)

1 个赞
  1. DNS logs aren't the problem here. Chinese ISPs likely record packet traces, and that's a much bigger problem than DNS servers recording anything. Without DoH whether you trust the DNS server is meaningless. Also, logs may be sent to the government directly, so it may not matter how long the logs last on the original server.
  2. This is pretty likely. Packet traces are already used to automatically classify traffic for e.g. GFW blocking, and anecdotally Chinese providers mirror all data to the government directly. You should definitely protect your DNS queries if you want any sort of privacy.
  3. Perhaps? In the case of AliDNS, your ISP wouldn't see anything, but in any case the government probably logs everything.
  4. I don't think any other country has a domestic surveillance program nearly as extensive as that of China, so I don't think it's meaningful to talk about other countries.
  5. Geph doesn't use "GFWList", but rather a whitelist of known Chinese websites. Those websites bypass Geph, and all other traffic goes completely through Geph (including DNS).
1 个赞

otehr -> other

Thanks for your detailed reply :love_you_gesture: My problem has been solved.

I know little about packet traces since I don't major in CS. I'll go on to learn this topic later on.

Now I decide to give up using AliDNS, and remain suspicious of closed-source Chinese software. I'll put them all into virtual machines or one single phone without any "dangerous" trace.

2 个赞

If only there's a tool allowing you use both DNS services at the same time. Like a proxy plugin which allows you to use one proxy for some domains, another proxy for others. But for DNS.

E.g. use AliDNS for taobao.com and 163.com, etc.
Use OpenDNS for everything else.

Never heard of such a tool, though.

1 个赞
1 个赞

v2ray好像有DNS分流功能,但是我不知道咋整