Bypassing system DNS via local hosts-file entries (e.g., mapping github.com → 140.82.113.4) is documented as the most widely used free workaround for GFW DNS poisoning of GitHub as of 2026. The technique is fragile: GitHub IP addresses change, requiring users to re-query and update entries manually, making it unsuitable as a reliable long-term defense.

Rule-based proxy tools (Clash, Shadowsocks, V2Ray) are documented as the most reliable solution for accessing GitHub from China, with split-tunneling rules routing only GitHub traffic through the proxy while keeping domestic traffic on the direct path. Git command-line tools require explicit proxy configuration (git config --global http.proxy http://127.0.0.1:7890) to route clone/push operations, as they do not inherit system proxy settings automatically.

§方法二 defense

Configuring encrypted DNS (DoH/DoT) via Cloudflare (1.1.1.1 / https://cloudflare-dns.com/dns-query), Google (8.8.8.8), or Alibaba Cloud (223.5.5.5) is documented as a practical countermeasure to ISP-level DNS hijacking of GitHub in China. Browser-level DoH (Chrome/Edge settings) is highlighted as accessible to non-technical users without installing additional software.

§方法四 defense

The GFW blocks GitHub via DNS poisoning across at least four domains — github.com, assets-cdn.github.com, github.global.ssl.fastly.net, and raw.githubusercontent.com — causing connection timeouts and page-load failures for mainland China users. The block is persistent as of February 2026, affecting both browser access and command-line git operations.

Introduction / §方法一 detection

As of early 2026, GitHub mirror sites (FastGit at hub.fastgit.xyz, CNPMJS at github.com.cnpmjs.org, GitClone at gitclone.com) remain operationally accessible as reverse-proxy workarounds for read-only access and git clone acceleration from mainland China. The blog explicitly warns users against authenticating to GitHub accounts via these mirrors due to credential-theft risk, indicating that mirror operators are not fully trusted by the end-user community.

§方法三 deployment

The June 2025 Iran shutdown—carried out during the Iran-Israel war beginning ~June 19—did not use BGP route withdrawals as in 2019. Instead, authorities applied service-level restrictions at the national border: DNS poisoning of foreign destinations, protocol whitelisting permitting only pre-approved domestic services, and DPI to block circumvention-tool traffic. Iran's international traffic fell roughly 90% while the country's BGP routes remained advertised, making the shutdown invisible to BGP-based monitoring systems. OONI measurement volume, which totalled 121,333 in June 2025, collapsed to under 200 submissions on June 19-20.

2025-iran-shutdown-measurement Executive Summary / §2 dpidns-poisoningport-blockingip-blocking

Encrypted DNS protocols (DNS-over-HTTPS and DNS-over-TLS via Cloudflare 1.1.1.1, Google 8.8.8.8, AdGuard, or NextDNS) prevent DNS injection by encrypting the resolver query, making it opaque to in-path GFW middleboxes. The blog recommends these as a lightweight defense that avoids the maintenance overhead of static hosts entries.

2026-anon-6-github-dns §2 使用加密 DNS 服务 dns-poisoning

The GFW blocks GitHub by hijacking DNS resolution to incorrect IP addresses, causing browser timeouts ('github.com 响应时间太长'). The poisoning can be confirmed by comparing nslookup results against a clean resolver (8.8.8.8) versus the local ISP resolver — divergent results confirm injection.

2026-anon-6-github-dns §5 验证 DNS 污染 dns-poisoning

Static /etc/hosts bindings that hardcode correct IPs (e.g. 140.82.113.3 for github.com, 185.199.108.153 for assets-cdn.github.com) bypass DNS-injection blocking entirely, but the blog warns that GitHub IP addresses change and the file must be updated periodically to remain effective.

2026-anon-6-github-dns §1 手动修改 Hosts 文件 dns-poisoning

Chinese users treat full proxy/VPN (Shadowsocks, V2Ray/Clash, commercial VPNs) as the '终极大杀器' (ultimate solution) for bypassing GitHub DNS poisoning, implying that lighter-weight DNS-only fixes fail in some network environments where the censor adds firewall-layer blocking beyond DNS.

2026-anon-6-github-dns §3 使用代理或 VPN dns-poisoningip-blocking

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling