DNS over nonstandard port?

[dwasifar]

Is it possible, using either Unbound or Dnsmasq, to proxy DNS to an upstream server using a port other than 53?

My ISP is transparently proxying DNS.  Any query on port 53 to any IP is being intercepted.  To get around this I'd like to use OpenDNS on their alternate port, 5353.  But both Unbound and Dnsmasq use the upstream servers set in System: Settings: General, and I don't see how to specify port 5353.  I've tried 208.67.222.222:5353, but it throws an error and won't save.

Could I accomplish this with port forwarding?  Set OpenDNS's servers as the only ones in System: Settings: General, and then forward everything that goes out on WAN for 53 to 5353 with a port forwarding rule?

[koushun]

Yes. I would suggest DNS over TLS which uses port 853, which will even encrypt your DNS queries.

Check your browser: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ before you start.
Probably fails on multiple checks? Do not bother with the "Encrypted SNI" for now.

This is how I have done it - atleast how I think I've done it.

System > Settings > General : REMOVE any DNS Server you have listed here. Click Save.

Go to Services > Unbound DNS > General.
* Enable Unbound
* Enable DNSSEC Support

This is from the top of my head, but make sure those things are checked. Listen port should be 53 and you should be listening on all interfaces. Do not worry the WAN etc., everything is blocked by the default firewall rules.

Hm, then go to Miscellaneous under Unbound and add servers which supports TLS. You have to specify the adresse in server@port fashion:

Write 1.1.1.1@853 and press Enter.
Probably add atleast one more, 1.0.0.1@853.

Click Save.

I do not know what platform you are on; Windows? Flush your DNS with CMD: ipconfig /flushdns

Grab a cup of coffee.

Go to Firewall > Log Files > Live View. Click the drop down Menu which says "action". Choose dst_port, remove the text "pass" and write 853 and click the + symbol.

Now as you go to your LAN client and visit websites and ping stuffs, like ping microsoft.com or any other website- you should see traffic gets populated to either one of your DNS servers you have defined under Miscellaneous.

Verify which DNS server you are using with nslookup, "nslookup hltv.org".

Check your browser again? https://www.cloudflare.com/en-gb/ssl/encrypted-sni/


Now. If clients were to not use your OPNsense as a DNS server (they do not honor the DNS Server provided in the DHCP offer), you could do NAT Port forwarding from your LAN interface and redirect every traffic (UDP/TCP) destined for !LAN@53, to be redirected to 127.0.0.1 port 53.

You could check if any traffic is going out, by doing the Live View in the Firewall logs as mentioned above, and change port to 53.

That way, if you have a client which use for instance 8.8.8.8 as a DNS server, you'll redirect this request to your OPNSense Unbound DNS service. And voilà, the upstream DNS which will be 1.1.1.1 serves this request over TLS.

Try this and see if anything of it makes any sense

Yay, first post.

[dwasifar]

Yay, first post.

And an excellent first post it is.  A good idea and exactly what I need.  I'll try it.  Thanks 

[dwasifar]

It did work, with a couple of small hiccups.  For some reason I had to reboot the device to get Unbound to activate.  And I still see a few outbound stragglers to port 53, but most of the upstream DNS queries are going to 853.

I did have a bit of a time with overrides in Unbound.  I was using Dnsmasq, and I had all my local domains and local hosts set up with overrides so that I'd get the local private subnet address rather than the public one.  I set them up in the Unbound overrides the same as I had had them in Dnsmasq.  The local host queries returned the correct private subnet addresses, but the local domains still resolved to their public IPs.  After fooling around with it I realized I could not use aliases from one domain to another, but I could set up a domain with no hostname and a local IP, and have aliases to that (e.g. dwasifar.com 192.168.1.200, aliases mail.dwasifar.com and www.dwasifar.com).  And that worked.  The Unbound way is actually a lot closer to how actual DNS record setup at a domain host works, so that makes sense.

[koushun]

Great, so it worked? Cool

And the browser check gave you Encrypted DNS as well?

[dwasifar]

And the browser check gave you Encrypted DNS as well?

It did. 

I did some reading up on how DNS over TLS works, and the standard calls for it to fall back to port 53 if there's a problem, so that explains why I was seeing the occasional 1.0.0.1:53 in the log.  With that being an existing connection, I'm not sure if it stays with Cloudflare or is intercepted by Comcast's transparent proxy once it switches to 53, and I don't know how to test for that, but most of what I see in the logs is properly going to Cloudflare on port 853.  Google DNS over TLS on port 853 also seems to work.

Everything on the network either accepts the DNS server offered by DHCP, or has a static IP set up with the gateway IP specified for DNS, so I had no need to implement the suggested NAT port forwarding.  No Windows boxes on this network except for my company-owned laptop, but I used systemd-resolve --flush-caches (instead of ipconfig /flushdns) on my personal laptop and desktop without issue. 

Interestingly, though, I could not get the live log filters to work.  Setting up dst_port = 853 (or 53) gave no live log results at all.  So I just watched the unfiltered log instead.  Sometime later I'll fiddle with that and see what's up.

I suppose I should say why I wanted to do this in the first place.  The ISP's transparent proxy was introducing delays.  I didn't know I was being proxied until I ran namebench to try to find why DNS resolution had become unreliable, and it told me I was being proxied.  A few simple tests confirmed it.  With these changes, DNS resolution is noticeably faster than it was through the ISP proxy.

Many thanks for the suggestion and the guidance.

[SvB4EvA]

Yes. I would suggest DNS over TLS which uses port 853, which will even encrypt your DNS queries.

Check your browser: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/ before you start.
Probably fails on multiple checks? Do not bother with the "Encrypted SNI" for now.

This is how I have done it - atleast how I think I've done it.

System > Settings > General : REMOVE any DNS Server you have listed here. Click Save.

Go to Services > Unbound DNS > General.
* Enable Unbound
* Enable DNSSEC Support

This is from the top of my head, but make sure those things are checked. Listen port should be 53 and you should be listening on all interfaces. Do not worry the WAN etc., everything is blocked by the default firewall rules.

Hm, then go to Miscellaneous under Unbound and add servers which supports TLS. You have to specify the adresse in server@port fashion:

Write 1.1.1.1@853 and press Enter.
Probably add atleast one more, 1.0.0.1@853.

Click Save.

I do not know what platform you are on; Windows? Flush your DNS with CMD: ipconfig /flushdns

Grab a cup of coffee.

Go to Firewall > Log Files > Live View. Click the drop down Menu which says "action". Choose dst_port, remove the text "pass" and write 853 and click the + symbol.

Now as you go to your LAN client and visit websites and ping stuffs, like ping microsoft.com or any other website- you should see traffic gets populated to either one of your DNS servers you have defined under Miscellaneous.

Verify which DNS server you are using with nslookup, "nslookup hltv.org".

Check your browser again? https://www.cloudflare.com/en-gb/ssl/encrypted-sni/


Now. If clients were to not use your OPNsense as a DNS server (they do not honor the DNS Server provided in the DHCP offer), you could do NAT Port forwarding from your LAN interface and redirect every traffic (UDP/TCP) destined for !LAN@53, to be redirected to 127.0.0.1 port 53.

You could check if any traffic is going out, by doing the Live View in the Firewall logs as mentioned above, and change port to 53.

That way, if you have a client which use for instance 8.8.8.8 as a DNS server, you'll redirect this request to your OPNSense Unbound DNS service. And voilà, the upstream DNS which will be 1.1.1.1 serves this request over TLS.

Try this and see if anything of it makes any sense

Yay, first post.

It took quite sometime for me to get this all sorted out, but it is seemingly working well! Thanks for your first post back then, figured I would make this my first post!

Thanks!

[SvB4EvA]

Well, that was odd...