Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
How to bypass ISP hijacking DNS
« previous
next »
Print
Pages: [
1
]
Author
Topic: How to bypass ISP hijacking DNS (Read 5842 times)
Nnyan
Jr. Member
Posts: 91
Karma: 8
How to bypass ISP hijacking DNS
«
on:
April 04, 2021, 07:40:44 am »
Hello,
I"m not exactly sure if this is the best forum but I just recently moved from Comcast to AT&T gigabit service (1000/1000 vs 1000/50) and while I can put the AT&T gateway into a close approximation of bridge mode (took a while to get rid of the double NAT issue). I can't seem to figure out how to stop AT&T from using the gateway DNS. I've been checking but doing a nslookup for a fake domain. AT&T answers back with a non-authoritative fake IP.
I've tried unbound, DNSmasq and DNSCrypt-Proxy to no avail (unless I'm just missing a specific setup). Not sure if this is even possible but I thought I would ask here.
Thank you!
Logged
phoenix
Hero Member
Posts: 545
Karma: 58
Re: How to bypass ISP hijacking DNS
«
Reply #1 on:
April 04, 2021, 08:37:46 am »
Your ISP can't 'hijack' your DNS unless you're using their DNS servers. In the OPNsense UI you can set the DNS servers in Settings/General/Networking. I use my LAN DNS servers in that setting and have no problems, what do you have for that setting?
Logged
Regards
Bill
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: How to bypass ISP hijacking DNS
«
Reply #2 on:
April 04, 2021, 09:35:17 am »
Well, an ISP
can
intercept traffic on port 53, and redirect to their own DNS servers. Has been known to happen. Using DoT or DoH might be the solution to that.
Logged
phoenix
Hero Member
Posts: 545
Karma: 58
Re: How to bypass ISP hijacking DNS
«
Reply #3 on:
April 04, 2021, 09:50:53 am »
Yes, I know that it can and that's why I put it in single quotes and I didn't want to expand that to further secure features until we'd got some information about what setting were being used for the DNS.
Logged
Regards
Bill
Nnyan
Jr. Member
Posts: 91
Karma: 8
Re: How to bypass ISP hijacking DNS
«
Reply #4 on:
April 04, 2021, 11:00:55 pm »
I should have been a bit more specific. I'm aware that OPNsense can define the DNS you would like to use. I have done it from System > Settings > General > Networking > DNS Servers (ex: 1.1.1.1. and 1.0.0.1) and from Services > DHCPv4 > LAN > DNS Servers (just in case it worked here).
As Greelan stated if I just use the default settings (as above) my ISP will redirect all DNS to their own. I have always checked this by a simple nslookup or dig to a made-up TLD (ex: nslookup ijustmadethisup.tld). If my preferred DNS (1.1.1.1, 8.8.8.8, 9.9.9.9, whatever) was actually being used then I would get a non-existent domain error. But when my ISP hijacks/redirects DNS I actually get a non-authoritative answer with an ISP IP addy.
Logged
Patrick M. Hausen
Hero Member
Posts: 6841
Karma: 574
Re: How to bypass ISP hijacking DNS
«
Reply #5 on:
April 04, 2021, 11:07:59 pm »
@Nnyan that sucks and ISPs should be sued for implementing practices like this. Around here (Germany) it is not that common (because GDPR) and precisely for that reason, I'd trust my local ISP (Deutsche Telekom) to a way greater extent than Google or Cloudflare. Yes, Telekom has been guilty of this, too. But that's past. Because GDPR.
That being said, I would never use on of those "Internet giants" servers as my upstream. If you are really concerned about your privacy, why not get a small cloud VM, e.g. at Digital Ocean, and use that as an upstream DNS server?
Kind regards,
Patrick
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
Nnyan
Jr. Member
Posts: 91
Karma: 8
Re: How to bypass ISP hijacking DNS
«
Reply #6 on:
April 05, 2021, 01:23:51 am »
The DNS IP's were really for example. I do have a DNS running on a VPS but that doesn't help me b/c I'm in the same pickle since AT&T will hijack the DNS no matter where I'm sending it.
I have been going through a number of guides and after 5-6 tries I found this one:
https://sahlitech.com/opnsense-setup-unbound-dns/
I followed that and I have no clue why but now I'm able to use the DNS of my choice and my ISP is not hijacking it! I get the correct reply to made-up domains. I'm curious (just for my edification) why this method of setting up unbound worked where just selecting my own DNS in the settings did not.
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: How to bypass ISP hijacking DNS
«
Reply #7 on:
April 05, 2021, 01:31:32 am »
Because it uses DoT, as I mentioned above as a solution. It is encrypted and on a different port. The ISP can’t successfully redirect it without breaking DNS entirely as they can’t decrypt the packets
Logged
Nnyan
Jr. Member
Posts: 91
Karma: 8
Re: How to bypass ISP hijacking DNS
«
Reply #8 on:
April 05, 2021, 07:58:44 pm »
fair enough, I didn't understand how it was enabling DoT (I'll go over the instructions again). Is that the best/proper way to enable DoT or is there a better way? I had done the DNSCrypt guide (
https://forum.opnsense.org/index.php?topic=10670.0
) but that did not work (as far as my ISP) and it ended up breaking a number of my kids streaming services (Could not connect to Hulu, etc..., streaming devices kept giving notice that the internet was down every few mins even though it wasn't).
Anyway, I appreciate your time and assistance!
«
Last Edit: April 05, 2021, 08:13:43 pm by Nnyan
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
How to bypass ISP hijacking DNS