OPNsense Forum

English Forums => 26.1 Series => Topic started by: yarn on February 15, 2026, 04:43:28 PM

Title: How to have two DNS servers?
Post by: yarn on February 15, 2026, 04:43:28 PM
I need to have 2 DNS servers on 2 IPs:
It needs to be on another IP and the standard port, because the DHCP option and NetworkManager's nm-dns-systemd-resolved plugin do not support specifying a port (tested).
What's the best way to approach this problem? Is there a way to augment ISP's DNS answers so that we can use just 1 server with DNSSEC enabled? (I'm guessing no...)

Currently I have a virtual IP 192.168.1.53 with "Deny service binding" for dnscrypt-proxy to listen on (plus 127.0.0.1), and DNSmasq is on "port 53" (so the wildcard address 0.0.0.0). However, sometimes when I switch off the VPN on my laptop, I get a DNS reply without an RRSIG as if it's from DNSmasq instead of dnscrypt-proxy, but a packet capture shows it's indeed from the virtual IP. I don't know if it's an OS bug or if DNSmasq is fighting with dnscrypt-proxy for the virtual IP.
Unbound (instead of DNSmasq) just refuses to start or produce any log if dnscrypt-proxy is listening on 192.168.1.53.

Is there a way to fix ISP's DNS poisoning? For NO-DATA I can add dnscrypt-proxy to system DNS so DNSmasq forwards to it as well, for fake IP I'm guessing no...
Is there a way to not have ISP's DHCP DNS in OPNsense's system DNS but still let DNSmasq forward to them?
Title: Re: How to have two DNS servers?
Post by: Maurice on February 15, 2026, 05:31:35 PM
Have you tried Unbound with a DNS-over-TLS upstream? There shouldn't be a noticeable performance impact.

Since your ISP doesn't seem to be trustworthy, I would avoid using their DNS servers and plaintext DNS in general.

Cheers
Maurice
Title: Re: How to have two DNS servers?
Post by: yarn on February 15, 2026, 07:23:19 PM
Quote from: Maurice on Today at 05:31:35 PM
Have you tried Unbound with a DNS-over-TLS upstream?
Yes... All popular DNS servers are blocked here, hence the need for dnscrypt-proxy (for its large dynamic list of servers) and why it has a higher latency.
Title: Re: How to have two DNS servers?
Post by: nero355 on February 15, 2026, 07:58:49 PM
Quote from: yarn on Today at 07:23:19 PM
All popular DNS servers are blocked here
But can you query the Root DNS Servers directly or not ?!

If you can then just setup Pi-Hole with Unbound next to it : https://docs.pi-hole.net/guides/dns/unbound/

And then you can easily separate your Clients into Groups that will have Filtered or Unfiltered DNS service access :)

(I think this is what you want considering your TikTok comment... Not sure... Just FYI...)
Title: Re: How to have two DNS servers?
Post by: yarn on February 15, 2026, 08:56:33 PM
Quote from: nero355 on Today at 07:58:49 PM
But can you query the Root DNS Servers directly or not ?!
...
(I think this is what you want considering your TikTok comment... Not sure... Just FYI...)
Thanks, but it's not quite what I meant... The ISP is blocking via DNS, which I don't want.
I can reach the root servers, but some authoritative servers are blocked, and plain-text queries to them are certainly inspected & blocked. Plus recursion is too slow...

I guess this problem probably doesn't have a perfect solution. If so, I just wish DNSmasq or Unbound could coexist better with dnscrypt-proxy.
I could run dnscrypt-proxy on another device, but my OPNsense PC has so much spare capacity...
Title: Re: How to have two DNS servers?
Post by: Maurice on February 15, 2026, 09:34:47 PM
Tough situation, but I'd really look into other options before considering the ISP's malicious DNS servers for anything.

- Using a less popular DNS over TLS server, which might not be blocked (there's more than Cloudflare / Google / Quad9).
- Using DNS over WireGuard (or other VPN).
- Running your own recursive resolver on a VPS and forwarding to it using DoT or a VPN.
- ...

But if you really want to forward dnsmasq to the ISP's DNS servers:
Bind dnsmasq to a dedicated loopback interface only (assuming that you don't use it for DHCP / RAs). Haven't tried that with dnsmasq and dnscrypt-proxy, but it works for me for running both Unbound and BIND on port 53 (but different IP addresses).

Quote from: yarn on Today at 04:43:28 PM
Is there a way to not have ISP's DHCP DNS in OPNsense's system DNS but still let DNSmasq forward to them?
- Make sure "System: Settings: General: Allow DNS server list to be overridden by DHCP/PPP on WAN" is disabled.
- In the general Dnsmasq settings, enable "Do not forward to system defined DNS servers".
- In Dnsmasq / Domains, create a global override and enter the IP address of the ISP's DNS server.

Cheers
Maurice
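The core issue in this thread is two resolvers competing for port 53: one on the wildcard address (0.0.0.0) and one on a specific virtual IP, which is exactly the overlap Maurice's advice (bind dnsmasq to a dedicated loopback address instead of the wildcard) removes. The script below is an added example, not code from any poster or from OPNsense, that parses listener output and flags pairs of different processes whose bindings for the same protocol/port overlap, either identical addresses or a wildcard against a specific address. The two inputs are constructed samples loosely following the column layout of FreeBSD's `sockstat -4 -l`; the PIDs, the `_dnscryp` user and the 127.0.0.2 loopback address in the "fixed" sample are assumptions for illustration only.

```python
"""Flag resolver listeners whose address:port bindings overlap.

Added example for the dnsmasq / dnscrypt-proxy coexistence problem.
Input is text in the shape of `sockstat -4 -l` (FreeBSD); samples are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: dnsmasq on the wildcard, dnscrypt-proxy on the virtual IP.
# Users, PIDs and FDs are made up for illustration.
SAMPLE_OVERLAPPING = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dnsmasq    4101  4  udp4   *:53                  *:*
root     dnsmasq    4101  5  tcp4   *:53                  *:*
_dnscryp dnscrypt-p 4212  7  udp4   192.168.1.53:53       *:*
_dnscryp dnscrypt-p 4212  8  tcp4   192.168.1.53:53       *:*
_dnscryp dnscrypt-p 4212  9  udp4   127.0.0.1:53          *:*
root     sshd       880   4  tcp4   *:22                  *:*
"""

# Constructed sample after moving dnsmasq off the wildcard onto a dedicated
# loopback address (127.0.0.2 is an assumed alias, not a value from the thread).
SAMPLE_FIXED = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dnsmasq    4101  4  udp4   127.0.0.2:53          *:*
root     dnsmasq    4101  5  tcp4   127.0.0.2:53          *:*
_dnscryp dnscrypt-p 4212  7  udp4   192.168.1.53:53       *:*
_dnscryp dnscrypt-p 4212  8  tcp4   192.168.1.53:53       *:*
_dnscryp dnscrypt-p 4212  9  udp4   127.0.0.1:53          *:*
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    proto: str     # transport only: "udp" or "tcp"
    address: str   # "*" is the wildcard (0.0.0.0 / ::)
    port: int


def parse_sockstat(text):
    """Parse sockstat-style rows into Listener records; the header row is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed row
        _user, command, pid, _fd, proto, local, _foreign = parts[:7]
        address, _, port = local.rpartition(":")
        listeners.append(Listener(command, int(pid), proto.rstrip("46"), address, int(port)))
    return listeners


def overlaps(a, b):
    """Two sockets collide when addresses match or either side is the wildcard."""
    return a.address == b.address or "*" in (a.address, b.address)


def find_conflicts(listeners):
    """Return (proto, port, listener_a, listener_b) for each cross-process overlap."""
    by_port = defaultdict(list)
    for lst in listeners:
        by_port[(lst.proto, lst.port)].append(lst)

    conflicts = []
    for (proto, port), group in sorted(by_port.items()):
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.pid == b.pid:
                    continue  # one daemon with several sockets is fine
                if overlaps(a, b):
                    conflicts.append((proto, port, a, b))
    return conflicts


def describe(conflict):
    proto, port, a, b = conflict
    return (f"{proto}/{port}: {a.command}[{a.pid}] on {a.address} "
            f"overlaps {b.command}[{b.pid}] on {b.address}")


if __name__ == "__main__":
    for label, sample in (("overlapping", SAMPLE_OVERLAPPING), ("fixed", SAMPLE_FIXED)):
        found = find_conflicts(parse_sockstat(sample))
        print(f"{label}: {len(found)} conflict(s)")
        for c in found:
            print("  " + describe(c))
```

On a real box, feeding the output of `sockstat -4 -l` (or the equivalent listener listing) into `parse_sockstat` shows whether the "wildcard versus specific address" overlap the original poster suspects is present; once dnsmasq is bound to its own loopback address, the report is empty for port 53.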