Netgate Discussion Forum
    DNS resolution on port 5353

    • amhagp

      Hi,

      I am using the latest pfsense, and I have an ISP that intercepts dns requests and points them at their own dns servers instead of the ones I choose.

      Unfortunately, where I live there is no other viable alternative to this provider if I want to have speeds higher than 1Mb/s.

      I see that opendns can respond on port 5353, and have tested at the command line using nslookup and if I specify server 208.67.222.222 and port 5353 the request isn't intercepted.

      I have been trying to configure pfsense to make dns requests using port 5353 but can't seem to find a way of doing it.

      I have tried a NAT port forward rule;

      LAN UDP * * 208.67.222.222   53 (DNS)   208.67.222.222 5353

      and I have tried the following option in the dns forwarder advanced options;

      server=208.67.222.222#5353

      Neither of which seem to work.

      Does anyone know of a way of doing this?

      • johnpoz (LAYER 8 Global Moderator)

        Well for starters I would tell your ISP to stop it..  What they are doing is not nice!

        You don't intercept users' traffic; if they wanted to use your dns they would point at it!!

        How are you testing? http://www.dnsleaktest.com/ ?

        That rule would be for your clients that were using 208.67.222.222, normally clients ask pfsense for dns..  So that rule would never come into play.  Are you specifically pointing your clients to that IP for their dns?  Keep in mind that dns can use tcp as well, depending.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • wallabybob

          My reading of the dnsmasq file suggests you should specify your chosen option as

          server=/208.67.222.222#5353

          I presume you will take appropriate steps to restart dnsmasq or otherwise get it to use the new configuration.
          • amhagp

            wallabybob : tried your suggestion, says invalid custom option, any other ideas?

            johnpoz : ISP is a satellite internet provider and they say it's for performance reasons.

            It's a home LAN, so this is more of an intellectual challenge than anything else, just to see what pfsense and I are capable of and to learn something in the process!

            Yes, I am using dnsleaktest.com and it indicates that I am using the satellite provider's DNS, and that's after trying both 192.168.1.1 (pfsense box) and 208.67.222.222 (opendns) as the dns on a laptop on the LAN.

            From a command prompt on the pfsense box, nslookup -type=txt which.opendns.com
            responds with:

            Server : 208.67.222.222
            Address: 208.67.222.222#53

            Non-authoritative answer:
            which.opendns.com    text="I am not an OpenDNS resolver."

            From a command prompt on the pfsense box, nslookup -type=txt -port=5353 which.opendns.com (adding the port)
            responds with:

            Server: 208.67.222.222
            Address: 208.67.222.222#5353

            Non-authoritative answer:
            which.opendns.com text = "1.cdg"

            Authoritative answers can be found from:

            Which is a response from opendns. So it works at a command prompt from pfsense; I'm just trying to get pfsense to automate it, and I thought a LAN rule port forwarding 53 to 5353, and then pointing the laptop's DNS at pfsense, would do it…..

            Stopped and started dnsmasq which I assume clears the cache...

            Any more clues anyone??

            • rhy7s
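The two nslookup runs in the post above are the whole interception check: the query goes to the same resolver address both times, but only the port-5353 answer actually comes from OpenDNS. The following is an added example (not code from the thread or from pfSense) that parses transcripts of that shape and reports, per run, which resolver and port answered and whether the path was intercepted. The transcripts embedded in it are constructed copies of the ones quoted above; the regexes and the `NOT_OPENDNS` string are assumptions based on what the post shows.

```python
import re

# Constructed transcripts, modelled on the two nslookup runs quoted in the
# post above: the first is what comes back when the ISP has swapped in its
# own resolver on port 53, the second is the answer from OpenDNS on 5353.
PORT53_TRANSCRIPT = """\
Server:  208.67.222.222
Address: 208.67.222.222#53

Non-authoritative answer:
which.opendns.com    text="I am not an OpenDNS resolver."
"""

PORT5353_TRANSCRIPT = """\
Server:  208.67.222.222
Address: 208.67.222.222#5353

Non-authoritative answer:
which.opendns.com text = "1.cdg"

Authoritative answers can be found from:
"""

# The resolver nslookup actually talked to, printed as "ip#port".
ADDRESS_RE = re.compile(r"^Address:\s*(\S+)#(\d+)\s*$", re.MULTILINE)
# The TXT payload of the which.opendns.com probe, with or without spaces
# around the "=" (nslookup prints it both ways, as the two runs show).
TXT_RE = re.compile(r'^which\.opendns\.com\s+text\s*=\s*"([^"]*)"', re.MULTILINE)

# OpenDNS answers the probe with the code of the site that served the query
# (the thread shows "1.cdg" and "7.sin"); a resolver substituted on the path
# answers with this fixed string instead.
NOT_OPENDNS = "I am not an OpenDNS resolver."


def analyse_nslookup(transcript: str) -> dict:
    """Report which resolver/port answered and whether OpenDNS was reached.
    Raises ValueError if the text is not a which.opendns.com TXT lookup."""
    addr = ADDRESS_RE.search(transcript)
    if addr is None:
        raise ValueError("no 'Address: ip#port' line in transcript")
    txt = TXT_RE.search(transcript)
    if txt is None:
        raise ValueError("no TXT answer for which.opendns.com in transcript")
    return {
        "resolver": addr.group(1),
        "port": int(addr.group(2)),
        "txt": txt.group(1),
        "intercepted": txt.group(1) == NOT_OPENDNS,
    }


def compare_ports(transcripts: dict) -> dict:
    """Analyse several labelled runs so they can be read side by side."""
    return {label: analyse_nslookup(text) for label, text in transcripts.items()}


if __name__ == "__main__":
    runs = {"port 53": PORT53_TRANSCRIPT, "port 5353": PORT5353_TRANSCRIPT}
    for label, result in compare_ports(runs).items():
        state = "INTERCEPTED" if result["intercepted"] else "reached OpenDNS"
        print(f"{label}: {result['resolver']}#{result['port']} -> {state} ({result['txt']!r})")
```

The check keys on the TXT payload rather than on the `Server:` line, because an interceptor leaves the address you asked for untouched; only the answer content gives it away.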

              I'd also be interested in resolving this issue. When querying port 5353 as in the above post I get:

              $ nslookup -type=txt -port=5353 which.opendns.com
              Server: 208.67.222.222
              Address: 208.67.222.222#5353

              Non-authoritative answer:
              which.opendns.com text = "7.sin"

              Authoritative answers can be found from:

              What would be the appropriate way to specify this port for DNS requests?

              • gogol

                Wallabybob made a typo

                It should be:

                server=208.67.222.222#5353
                

                Under advanced options in DNS forwarder

                • kejianshi
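The difference between the two spellings in this thread comes down to dnsmasq's grammar for `server=`: a leading `/` starts a domain-scoped entry (`server=/example.com/1.2.3.4#5353`), so `server=/208.67.222.222#5353` has a domain list that is never closed and no upstream address at all, while `server=208.67.222.222#5353` forwards everything to that address and port. The following is an added example, not pfSense's own "invalid custom option" check nor dnsmasq's parser; it implements only the `[/domain/]address[#port]` subset of the documented grammar (the `@source-address` suffix and `/#/` wildcard are assumed out of scope) so the two lines can be checked before they go into the Advanced Options box.

```python
import ipaddress

# Simplified grammar for dnsmasq's server= option (dnsmasq man page):
#   server=[/<domain>/[<domain>/]]<ipaddr>[#<port>]
# Added example: covers only that subset and is not pfSense's validator.
DEFAULT_DNS_PORT = 53


def parse_server_option(option: str) -> dict:
    """Return {"domains": [...], "address": "ip", "port": n} for a valid
    server= line, or raise ValueError saying what is wrong with it."""
    if not option.startswith("server="):
        raise ValueError("option must start with 'server='")
    value = option[len("server="):].strip()

    domains = []
    if value.startswith("/"):
        # Domain-scoped form: each domain is enclosed in slashes and the
        # upstream address follows the LAST slash. A line with only the
        # leading slash, like server=/208.67.222.222#5353, never closes
        # its domain list and so has no address.
        closing = value.rfind("/")
        if closing == 0:
            raise ValueError(
                "domain-scoped form needs a closing '/' before the address "
                "(server=/example.com/208.67.222.222#5353); drop the leading "
                "'/' to forward all queries to that server")
        domains = [d for d in value[1:closing].split("/") if d]
        value = value[closing + 1:]

    addr_part, _, port_part = value.partition("#")
    if not addr_part:
        raise ValueError("missing upstream address")
    try:
        address = str(ipaddress.ip_address(addr_part))
    except ValueError:
        raise ValueError(f"not an IP address: {addr_part!r}") from None

    if port_part == "":
        port = DEFAULT_DNS_PORT
    elif port_part.isdigit() and 1 <= int(port_part) <= 65535:
        port = int(port_part)
    else:
        raise ValueError(f"port must be 1-65535, got {port_part!r}")

    return {"domains": domains, "address": address, "port": port}


def check_options(lines) -> dict:
    """Validate several custom-option lines at once; each value is either
    the parsed form or an INVALID message, so a block of options can be
    reviewed in one pass."""
    report = {}
    for line in lines:
        try:
            report[line] = parse_server_option(line)
        except ValueError as err:
            report[line] = f"INVALID: {err}"
    return report


if __name__ == "__main__":
    # The two spellings from this thread plus a domain-scoped entry.
    for line, verdict in check_options([
        "server=/208.67.222.222#5353",
        "server=208.67.222.222#5353",
        "server=/example.com/208.67.222.222#5353",
    ]).items():
        print(f"{line:45} -> {verdict}")
```

An entry with no `#port` is reported with port 53, which is what dnsmasq uses by default; the port suffix is what makes the 5353 workaround take effect.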

                  I also wouldn't put it outside the realm of possibility that an ISP that is idiotic enough to intercept 53 would also intercept 5353.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.