How to bypass ISP hijacking DNS
Topic: How to bypass ISP hijacking DNS (Read 5841 times)
Nnyan (Jr. Member, Posts: 91, Karma: 8), April 04, 2021, 07:40:44 am
Hello,
I'm not exactly sure if this is the best forum, but I just recently moved from Comcast to AT&T gigabit service (1000/1000 vs 1000/50). While I can put the AT&T gateway into a close approximation of bridge mode (it took a while to get rid of the double NAT issue), I can't seem to figure out how to stop AT&T from using the gateway DNS. I've been checking by doing an nslookup for a fake domain. AT&T answers back with a non-authoritative fake IP.
I've tried unbound, DNSmasq and DNSCrypt-Proxy to no avail (unless I'm just missing a specific setup). Not sure if this is even possible but I thought I would ask here.
Thank you!
phoenix (Hero Member, Posts: 545, Karma: 58), Reply #1, April 04, 2021, 08:37:46 am
Your ISP can't 'hijack' your DNS unless you're using their DNS servers. In the OPNsense UI you can set the DNS servers in Settings/General/Networking. I use my LAN DNS servers in that setting and have no problems, what do you have for that setting?
Regards
Bill
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #2, April 04, 2021, 09:35:17 am
Well, an ISP *can* intercept traffic on port 53 and redirect it to their own DNS servers. It has been known to happen. Using DoT or DoH might be the solution to that.
phoenix (Hero Member, Posts: 545, Karma: 58), Reply #3, April 04, 2021, 09:50:53 am
Yes, I know that it can, and that's why I put it in single quotes. I didn't want to expand that to further secure features until we'd got some information about what settings were being used for the DNS.
Regards
Bill
Nnyan (Jr. Member, Posts: 91, Karma: 8), Reply #4, April 04, 2021, 11:00:55 pm
I should have been a bit more specific. I'm aware that OPNsense can define the DNS you would like to use. I have done it from System > Settings > General > Networking > DNS Servers (ex: 1.1.1.1 and 1.0.0.1) and from Services > DHCPv4 > LAN > DNS Servers (just in case it worked there).
As Greelan stated if I just use the default settings (as above) my ISP will redirect all DNS to their own. I have always checked this by a simple nslookup or dig to a made-up TLD (ex: nslookup ijustmadethisup.tld). If my preferred DNS (1.1.1.1, 8.8.8.8, 9.9.9.9, whatever) was actually being used then I would get a non-existent domain error. But when my ISP hijacks/redirects DNS I actually get a non-authoritative answer with an ISP IP addy.
Patrick M. Hausen (Hero Member, Posts: 6841, Karma: 574), Reply #5, April 04, 2021, 11:07:59 pm
@Nnyan that sucks and ISPs should be sued for implementing practices like this. Around here (Germany) it is not that common (because GDPR) and precisely for that reason, I'd trust my local ISP (Deutsche Telekom) to a way greater extent than Google or Cloudflare. Yes, Telekom has been guilty of this, too. But that's past. Because GDPR.
That being said, I would never use one of those "Internet giants'" servers as my upstream. If you are really concerned about your privacy, why not get a small cloud VM, e.g. at Digital Ocean, and use that as an upstream DNS server?
Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Nnyan (Jr. Member, Posts: 91, Karma: 8), Reply #6, April 05, 2021, 01:23:51 am
The DNS IPs were really just for example. I do have a DNS running on a VPS, but that doesn't help me b/c I'm in the same pickle, since AT&T will hijack the DNS no matter where I'm sending it.
I have been going through a number of guides and after 5-6 tries I found this one:
https://sahlitech.com/opnsense-setup-unbound-dns/
I followed that and I have no clue why but now I'm able to use the DNS of my choice and my ISP is not hijacking it! I get the correct reply to made-up domains. I'm curious (just for my edification) why this method of setting up unbound worked where just selecting my own DNS in the settings did not.
Greelan (Hero Member, Posts: 1028, Karma: 72), Reply #7, April 05, 2021, 01:31:32 am
Because it uses DoT, as I mentioned above as a solution. It is encrypted and on a different port. The ISP can't successfully redirect it without breaking DNS entirely, as they can't decrypt the packets.
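The following script is an added example and is not code from this thread, from OPNsense or from unbound. It does two things the discussion describes in words: the made-up-name check from Reply #4 (a resolver that is actually reached returns NXDOMAIN for a name that does not exist; an interception box that answers in its place typically returns an A record pointing at an ISP address), and the DoT exchange from Reply #7 (the same query carried inside a TLS session on port 853, which a port-53 redirect cannot serve because the certificate check fails). Everything is built on the raw DNS wire format so no DNS library is needed. The resolver address 1.1.1.1 and its DoT name cloudflare-dns.com are example values, not something the thread specifies, and the made-up test name is the one Nnyan used; `make_response` builds constructed replies purely so the classifier can be exercised offline.

```python
import random
import socket
import ssl
import struct

A_RECORD, IN_CLASS, RCODE_NXDOMAIN = 1, 1, 3

def encode_name(name):
    # wire format: length-prefixed labels, terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=None):
    # recursion-desired A query; returns (txid, wire) so the reply can be matched to it
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)

def skip_name(msg, off):
    # advance past a name; a compression pointer (top two bits set) is 2 bytes and ends it
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify_response(msg, txid):
    # ('nxdomain', []) is the honest reply for a made-up name;
    # ('answer', [ips]) for such a name means something answered in the resolver's place
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return ("other", [])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == RCODE_NXDOMAIN and not ips:
        return ("nxdomain", ips)
    if rcode == 0 and ips:
        return ("answer", ips)
    return ("other", ips)

def make_response(txid, name, rcode, ips=()):
    # constructed reply for offline testing: what a resolver or an interception box sends back
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA set
    msg += encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, 4)  # name ptr -> offset 12
        msg += socket.inet_aton(ip)
    return msg

def frame_tcp(wire):
    # DNS over TCP and over TLS (RFC 7858) prefix each message with its 2-byte length
    return struct.pack("!H", len(wire)) + wire

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full reply")
        buf += chunk
    return buf

def query_udp(wire, server, port=53):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(wire, (server, port))
        return s.recv(4096)

def query_dot(wire, server, server_name, port=853):
    # the TLS session is verified against server_name: an on-path box cannot impersonate
    # the resolver without failing the handshake, which is why a port-53 redirect fails here
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(wire))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

if __name__ == "__main__":
    # resolver address and TLS name are assumptions; substitute your own upstream
    txid, wire = build_query("ijustmadethisup.tld")
    print("udp/53 :", classify_response(query_udp(wire, "1.1.1.1"), txid))
    print("tls/853:", classify_response(query_dot(wire, "1.1.1.1", "cloudflare-dns.com"), txid))
```

Run from a LAN host behind the firewall: on a line where port 53 is being intercepted, the UDP result comes back as `('answer', [...])` with an ISP address for a name that cannot exist, while the DoT result is `('nxdomain', [])`, or a TLS/connection error if the ISP blocks port 853 outright (which is a different failure from a silent redirect). The classifier only extracts A records, so a reply carrying CNAMEs or other types lands in the `other` bucket; that is enough for the made-up-name test. unbound on OPNsense performs the same exchange as `query_dot` on the firewall's behalf when its upstreams are configured as TLS forwarders (unbound's `forward-tls-upstream` option), which is what the guide Nnyan followed sets up.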
Nnyan (Jr. Member, Posts: 91, Karma: 8), Reply #8, April 05, 2021, 07:58:44 pm
Fair enough, I didn't understand how it was enabling DoT (I'll go over the instructions again). Is that the best/proper way to enable DoT, or is there a better way? I had done the DNSCrypt guide (https://forum.opnsense.org/index.php?topic=10670.0) but that did not work (as far as my ISP), and it ended up breaking a number of my kids' streaming services (could not connect to Hulu, etc.; streaming devices kept giving notice that the internet was down every few minutes even though it wasn't).
Anyway, I appreciate your time and assistance!
Last Edit: April 05, 2021, 08:13:43 pm by Nnyan