Netgate Discussion Forum

    Upstream DNS on non-standard port

    DHCP and DNS
    11 Posts 4 Posters 2.7k Views
    • johnpoz LAYER 8 Global Moderator

      So is this upstream dns you're going to be forwarding to listening on another port??

      The correct answer to an ISP doing dns interception would be to find a new ISP.. Simple phone call or email to the isp stating that if you do not stop such an unethical practice you will be moving to an ISP that does not do that..

      Simple solution would be to just use a vpn and send your dns queries by forwarding or resolving via the vpn.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • loonylion

        changing ISP is not an option at present, and they don't give a toss if you complain. OpenNIC does have some DNS servers that listen on other ports that I would be able to use, and I would rather not incur the extra latency penalty of using a VPN.

        • NOYB

          What about using DNS resolver with DNSSEC?  Would that prevent an ISP from intercepting and impersonating upstream DNS servers?

          Well now that I thought about it for a few more seconds.  I guess it could only do that for domains whose authoritative DNS server also supports DNSSEC.

          Are there any DNSSEC enabled public DNS caching servers out there?  If so, maybe try those with DNS Resolver in forwarding mode.  A quick search indicates that Google's public DNS servers are DNSSEC enabled.

          • JKnott

            Hi, is it possible to set a non standard port for the upstream DNS servers in system

            Is there such a thing as a DNS server on a non-standard port?  That would break a lot of things.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • loonylion

              @JKnott:

              Hi, is it possible to set a non standard port for the upstream DNS servers in system

              Is there such a thing as a DNS server on a non-standard port?  That would break a lot of things.

              Yes, it can run on any port it's configured to run on.

              • JKnott

                I have never seen a setting on a computer that would allow it to use a non-standard DNS port.  You just configure the IP address and that's it.

                • NOYB

                  @JKnott:

                  I have never seen a setting on a computer that would allow it to use a non-standard DNS port.  You just configure the IP address and that's it.

                  One could probably NAT or proxy it to change the port.

                  So for instance if pfSense was configured to use DNS server xyz and the DNS forwarder could be configured to make upstream DNS requests on port 5353.  Then everything using pfSense for DNS would be covered.

                  Or similar if NAT'ed or proxied to port 5353.

                  But before going down complexity boulevard I think something simpler should be tried.  Like using Google DNS servers (8.8.8.8 & 8.8.4.4) with the pfSense resolver in forwarding mode and DNSSEC enabled.  Just might get lucky.

                  • johnpoz LAYER 8 Global Moderator

                    why would you think that dns hijacking would be stopped by dnssec?  It's still port 53 and not encrypted in any way.  Its results are just signed so you're sure that the info you get back is indeed what the authoritative server is putting out there.

                    If you're wanting to encrypt dns you're thinking of dnscrypt.. Or just sending your dns through a vpn tunnel.  Not sure why you think the latency of sending your dns queries only through a vpn would cause much of an issue.. So freaking what if it takes a couple extra ms to resolve something..

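Added example (not from this thread, and not pfSense or unbound code): a small Python probe that sends a DNSSEC-aware query (RD set, EDNS0 OPT record with the DO bit) to an upstream resolver on whatever port you point it at, then decodes the reply header. It ties together NOYB's suggestion of forwarding to a DNSSEC-capable upstream on a port like 5353 and johnpoz's point that DNSSEC is not encryption: the port is just a number in the socket call, and validation shows up only as the AD flag in an otherwise plaintext UDP message. The upstream address 192.0.2.53 and port 5353 are placeholders, and the two reply messages used for the offline checks are constructed by hand.

```python
"""Probe an upstream DNS resolver on an arbitrary port and read back the
DNSSEC-related header flags.  Added example, not code from pfSense or unbound.
"""
import secrets
import socket
import struct
from typing import Optional

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated, retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data: upstream validated the answer with DNSSEC
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT_DO_TTL = 0x00008000  # DO bit lives in the OPT record's TTL field (RFC 6891)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit,
    so a validating upstream is allowed to set AD (and return RRSIGs)."""
    if txid is None:
        txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size 1232, TTL = DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, OPT_DO_TTL, 0)
    return header + question + opt


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte header; refuse replies whose ID does not match ours."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {
        "is_response": bool(flags & FLAG_QR),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "truncated": bool(flags & FLAG_TC),
        "recursion_available": bool(flags & FLAG_RA),
        "dnssec_validated": bool(flags & FLAG_AD),
        "answer_count": an,
    }


def probe(server: str, port: int, name: str, timeout: float = 3.0) -> dict:
    """Send one query over plain UDP to server:port and decode the reply.
    Nothing here is encrypted; only the port number differs from a normal lookup."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, port))
        data, (src_ip, src_port) = sock.recvfrom(4096)
    result = parse_response(data, txid)
    # A reply that did not come from the address and port we asked is suspicious on its own.
    result["source_matches"] = (src_ip == server and src_port == port)
    return result


# Constructed sample replies for offline use (header only; no question/answer sections).
# Validating upstream, NOERROR, one answer, AD set: flags = QR|RD|RA|AD = 0x81A0
SAMPLE_VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# Validating upstream rejecting a badly signed name: flags = QR|RD|RA, rcode 2 = 0x8182
SAMPLE_SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)


if __name__ == "__main__":
    # Placeholder upstream; replace with the real server and its real port.
    try:
        print(probe("192.0.2.53", 5353, "example.com"))
    except socket.timeout:
        print("no reply from upstream within the timeout")
```

Once an upstream answers on its port, the same port goes into the resolver config: in unbound.conf syntax, which is what the pfSense DNS Resolver custom options box takes, a non-default upstream port is written as `forward-addr: 192.0.2.53@5353`, and in dnsmasq (the DNS Forwarder) the equivalent is `server=192.0.2.53#5353`. A reply with `source_matches` False, or one that arrives with AD set from an upstream that is not supposed to validate, is worth a second look; a validating upstream answers a name with a broken signature with SERVFAIL rather than an AD-flagged record.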
                    • NOYB

                      Probably the word security confused me.  :-[

                      • johnpoz LAYER 8 Global Moderator

                        Domain Name System Security Extensions, i.e. dnssec, provides "origin authority, data integrity, and authenticated denial of existence"

                        Which I said in simpler terms before..
                        "you're sure that the info you get back is indeed what the authoritative server is putting out there."

                        Its primary purpose is protecting against spoofing attacks..

                        If the OP's isp is actually hijacking dns.. The best solution is to BITCH AND BITCH AND BITCH to them.. If it's the only isp in the area then move ;)  Out of the box pfsense is going to run resolver with dnssec enabled.. If this is not working because of shitty isp then simple workaround is have your resolver (unbound) use a vpn connection you setup on pfsense.  This can be cheap via a vps for like $15 year.. Or if you have a buddy whose isp doesn't hijack - setup a vpn to this place and run your dns queries through there..

                        Or use dnscrypt which is going to default over 443 (ssl/tls port) so yeah your isp shouldn't be messing with that.  Problem is this is going to be a forwarder, not a resolver.  So you're just going to have to trust the info you get back is not spoofed.. I do not think there is a dnscrypt package in pfsense, I do recall multiple threads about it..

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.