电视盒子咪咕MGV3200 DNS被运营商锁死无法联网的解决方法

咪咕的MGV3200, 国科GK6323的CPU， 没有WiFi功能。已检测DNS被锁了，怎么都搞不来。用了通刷的卡刷包，可以降级，但是升级后卡死了，最后结果通过网络层劫持。
我们可以通过一下命令修改DNS, 但是测试发现修改无效。

adb shell getprop |grep dns
adb shell setprop net.dns1 1.1.1.1

网络层修改

使用IPtable强制劫持

adb root
adb shell

#测试前后对比效果：
tcpdump -i any port 53

# 清理旧规则（可选）
iptables -t nat -F

# 劫持 UDP DNS
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.8.8

# 劫持 TCP DNS（防止 fallback）
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8

GK6323V100C:/ # tcpdump -i any port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
00:24:15.259820 IP 192.168.31.120.15077 > 211.140.188.188.domain: 2756+ A? iflytekxiri.zj.chinamobile.com. (48)
00:24:15.263189 IP 192.168.31.120.19783 > 211.140.13.188.domain: 16241+ PTR? 120.31.168.192.in-addr.arpa. (45)
00:24:15.300493 IP 192.168.31.120.20370 > 211.140.13.188.domain: 19154+ A? s1e.time.edu.cn. (33)
00:24:16.261671 IP 192.168.31.120.3052 > 211.140.13.188.domain: 3810+ A? iflytekxiri.zj.chinamobile.com. (48)
00:24:16.265320 IP 192.168.31.120.3179 > 211.140.188.188.domain: 16241+ PTR? 120.31.168.192.in-addr.arpa. (45)
00:24:16.302431 IP 192.168.31.120.13833 > 211.140.188.188.domain: 19154+ A? s1e.time.edu.cn. (33)
00:24:17.262962 IP 192.168.31.120.14977 > 211.140.188.188.domain: 3810+ A? iflytekxiri.zj.chinamobile.com. (48)
00:24:23.286160 IP 192.168.31.120.13488 > 211.140.13.188.domain: 6235+ PTR? 188.13.140.211.in-addr.arpa. (45)
00:24:27.324571 IP 192.168.31.120.17604 > 211.140.13.188.domain: 10396+ A? s2c.time.edu.cn. (33)
00:24:28.326575 IP 192.168.31.120.10109 > 211.140.188.188.domain: 10396+ A? s2c.time.edu.cn. (33)
00:24:29.328311 IP 192.168.31.120.17604 > 211.140.13.188.domain: 10396+ A? s2c.time.edu.cn. (33)
00:24:30.330036 IP 192.168.31.120.10109 > 211.140.188.188.domain: 10396+ A? s2c.time.edu.cn. (33)
00:24:31.336956 IP 192.168.31.120.24249 > 211.140.13.188.domain: 22233+ A? s2d.time.edu.cn. (33)
00:24:32.338969 IP 192.168.31.120.25043 > 211.140.188.188.domain: 22233+ A? s2d.time.edu.cn. (33)

GK6323V100C:/ # tcpdump -i any port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:45:10.752031 IP 192.168.31.120.64107 > dns.google.domain: 34507+ A? s1e.time.edu.cn. (33)
10:45:10.755368 IP 192.168.31.120.35330 > dns.google.domain: 39699+ PTR? 120.31.168.192.in-addr.arpa. (45)
10:45:10.806467 IP dns.google.domain > 192.168.31.120.64107: 34507 1/0/0 A 202.112.31.197 (49)
10:45:10.807031 IP dns.google.domain > 192.168.31.120.35330: 39699 NXDomain 0/0/0 (45)
10:45:10.817797 IP 192.168.31.120.57950 > dns.google.domain: 45911+ PTR? 8.8.8.8.in-addr.arpa. (38)
10:45:10.869186 IP dns.google.domain > 192.168.31.120.57950: 45911 1/0/0 PTR dns.google. (62)
10:45:22.585807 IP 192.168.31.120.48587 > dns.google.domain: 47752+ A? iflytekxiri.zj.chinamobile.com. (48)
10:45:22.638123 IP dns.google.domain > 192.168.31.120.48587: 47752 1/0/0 A 39.173.75.191 (64)
10:45:55.569735 IP 192.168.31.120.44429 > dns.google.domain: 35779+ A? iflytekxiri.zj.chinamobile.com:8090. (53)
10:45:55.620475 IP dns.google.domain > 192.168.31.120.44429: 35779 NXDomain 0/1/0 (128)
10:46:26.426715 IP 192.168.31.120.42235 > dns.google.domain: 47485+ A? cn.pool.ntp.org. (33)
10:46:26.477349 IP dns.google.domain > 192.168.31.120.42235: 47485 4/0/0 A 84.16.67.12, A 162.159.200.123, A 108.59.2.24, A 119.28.183.184 (97)
10:46:57.059338 IP 192.168.31.120.7672 > dns.google.domain: 2029+ A? cn.pool.ntp.org. (33)
10:46:57.118326 IP dns.google.domain > 192.168.31.120.7672: 2029 4/0/0 A 162.159.200.1, A 162.159.200.123, A 84.16.67.12, A 111.230.189.174 (97)
10:47:17.974790 IP 192.168.31.120.10000 > dns.google.domain: 16120+ A? api.downbei.com. (33)
10:47:18.031883 IP dns.google.domain > 192.168.31.120.10000: 16120 1/0/0 A 112.74.97.179 (49)
10:47:19.394572 IP 192.168.31.120.19317 > dns.google.domain: 29247+ A? jt5.dangbei.net. (33)
10:47:19.456840 IP dns.google.domain > 192.168.31.120.19317: 29247 4/0/0 CNAME jt5.dangbei.net.eo.dnse0.com., A 183.232.189.100, A 120.240.157.195, A 120.233.185.134 (123)
10:47:23.258401 IP 192.168.31.120.26220 > dns.google.domain: 12359+ A? esw.tymcdn.com. (32)
10:47:23.579046 IP 192.168.31.120.7053 > dns.google.domain: 23922+ A? eapi.tymcdn.com. (33)
10:47:23.616800 IP dns.google.domain > 192.168.31.120.26220: 12359 12/0/0 CNAME esw.tymcdn.com.w.kunlunso.com., A 183.214.1.73, A 183.214.1.72, A 111.47.122.99, A 183.215.55.46, A 111.47.122.98, A 183.214.1.70, A 111.47.122.100, A 111.47.122.101, A 111.47.122.70, A 183.214.1.71, A 111.47.122.69 (248)
10:47:23.650398 IP 192.168.31.120.27666 > dns.google.domain: 1281+ A? otysdktj.tvfuwu.com. (37)
10:47:23.705186 IP dns.google.domain > 192.168.31.120.27666: 1281 9/0/0 CNAME otysdktj.tvfuwu.com.w.cdngslb.com., A 120.233.177.236, A 120.233.177.234, A 120.233.177.241, A 120.233.177.237, A 120.233.177.235, A 120.233.177.238, A 120.233.177.233, A 120.233.177.242 (209)
10:47:23.984414 IP dns.google.domain > 192.168.31.120.7053: 23922 11/0/0 CNAME eapi.tymcdn.com.w.kunlunso.com., A 111.48.177.96, A 111.4.2.57, A 111.48.177.102, A 111.48.177.95, A 111.48.177.97, A 111.47.206.236, A 111.48.177.98, A 111.48.177.101, A 183.255.255.136, A 111.48.177.100 (234)

通过上面的测试，使用iptable强制劫持概念验证是有效的。但是我们不可能重启每次需要adb root和shell进入实现。固件包无su权限，也无法实现自启动运行特权命令。
所以我们通过OpenWRT路由器上DNAT实现。

OpenWRT 劫持

以下是单独对192.168.1.50实现转发劫持。实际上由于我使用网线, 我直接LAN则转发即可。无线，这个路由器本身就是中继，其他设备不通过这个设备联网。不会影响别的设备。

iptables -t nat -A PREROUTING -s 192.168.1.50 -p udp --dport 53 -j DNAT --to-destination 8.8.8.8
iptables -t nat -A PREROUTING -s 192.168.1.50 -p tcp --dport 53 -j DNAT --to-destination 8.8.8.8

GUI界面修改：

内部IP地址填路由器网关地址即可，也可以填写1.1.1.1