Netgate Discussion Forum

    Upstream DNS on non-standard port

    DHCP and DNS
    11 Posts 4 Posters 2.7k Views
      loonylion

      Hi, is it possible to set a non standard port for the upstream DNS servers in system -> general setup?

      I ask because it appears my ISP have started intercepting DNS requests and forcing them to be resolved by their servers masquerading as my chosen DNS. This means my internet goes to hell on a regular basis because their crappy DNS servers can't handle the number of queries resulting from all their customers being forced to use them. (their customer base is by and large quite technical, so in all likelihood only a minority of their customers were actually using ISP DNS prior to this stunt)

        johnpoz LAYER 8 Global Moderator

        So is this upstream DNS you're going to be forwarding to listening on another port??

        The correct answer to an ISP doing DNS interception would be to find a new ISP.. Simple phone call or email to the ISP stating that if you do not stop such a non-ethical practice you will be moving to an ISP that does not do that..

        Simple solution would be to just use a VPN and send your DNS queries by forwarding or resolving via the VPN.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          loonylion

          Changing ISP is not an option at present, and they don't give a toss if you complain. OpenNIC does have some DNS servers that listen on other ports that I would be able to use, and I would rather not incur the extra latency penalty of using a VPN.

            NOYB

            What about using DNS Resolver with DNSSEC? Would that prevent an ISP from intercepting and impersonating upstream DNS servers?

            Well, now that I've thought about it for a few more seconds, I guess it could only do that for domains whose authoritative DNS server also supports DNSSEC.

            Are there any DNSSEC-enabled public DNS caching servers out there? If so, maybe try those with DNS Resolver in forwarding mode. A quick search indicates that Google's public DNS servers are DNSSEC enabled.

              JKnott

              Hi, is it possible to set a non standard port for the upstream DNS servers in system

              Is there such a thing as a DNS server on a non-standard port? That would break a lot of things.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                loonylion

                @JKnott:

                Hi, is it possible to set a non standard port for the upstream DNS servers in system

                Is there such a thing as a DNS server on a non-standard port? That would break a lot of things.

                Yes, it can run on any port it's configured to run on.

                  JKnott

                  I have never seen a setting on a computer that would allow it to use a non-standard DNS port. You just configure the IP address and that's it.

                    NOYB

                    @JKnott:

                    I have never seen a setting on a computer that would allow it to use a non-standard DNS port. You just configure the IP address and that's it.

                    One could probably NAT or proxy it to change the port.

                    So, for instance, if pfSense was configured to use DNS server xyz, the DNS forwarder could be configured to make upstream DNS requests on port 5353. Then everything using pfSense for DNS would be covered.

                    Or similarly if NAT'ed or proxied to port 5353.

                    But before going down complexity boulevard, I think something simpler should be tried. Like using Google DNS servers (8.8.8.8 & 8.8.4.4) with the pfSense resolver in forwarding mode and DNSSEC enabled. Just might get lucky.

                      johnpoz LAYER 8 Global Moderator
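Following up on the "forwarder making upstream requests on port 5353" idea, here is an added example (written for this page, not posted by anyone in the thread and not pfSense's own generated config) of how unbound, the daemon behind the pfSense DNS Resolver, expresses that: its `forward-addr` takes an `ip@port` suffix. The 192.0.2.53 / 2001:db8::53 addresses and port 5353 are placeholders; use whichever upstream you actually trust. It also goes one step past the thread with a commented DNS-over-TLS variant, since a non-standard port alone only dodges interception rather than preventing it.

```conf
# Added example, not part of the thread or of pfSense's generated unbound.conf.
# On pfSense this belongs in Services > DNS Resolver > Custom options, with
# the GUI's own "Enable Forwarding Mode" left unchecked (that option also
# writes a forward-zone for "." and unbound will not accept two of them).
# Keep "Enable DNSSEC Support" on: validation still catches forged answers
# from anything sitting between you and the upstream.

forward-zone:
    name: "."
    # ip@port syntax: queries to this server go to UDP/TCP 5353 instead of 53.
    # Placeholder addresses (RFC 5737 / RFC 3849 documentation ranges).
    forward-addr: 192.0.2.53@5353
    forward-addr: 2001:db8::53@5353

    # Beyond what the thread covers: if the upstream offers DNS-over-TLS,
    # point at port 853 and turn on TLS so the queries are also encrypted
    # and the server is authenticated, not merely moved to another port.
    # forward-tls-upstream: yes
    # forward-addr: 192.0.2.53@853

# Needed only for the DNS-over-TLS variant: the CA bundle unbound uses to
# verify the upstream certificate (FreeBSD/pfSense path, assumed here).
# server:
#     tls-cert-bundle: "/etc/ssl/cert.pem"
```

A quick check after saving is `unbound-checkconf` on the generated file, then a lookup through the firewall while watching the WAN with `tcpdump port 5353` to confirm the upstream traffic really leaves on the new port.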

                      Why would you think that DNS hijacking would be stopped by DNSSEC? It's still port 53 and not encrypted in any way. Its results are just signed so you're sure that the info you get back is indeed what the authoritative server is putting out there.

                      If you're wanting to encrypt DNS you're thinking of dnscrypt.. Or just sending your DNS through a VPN tunnel. Not sure why you think the latency of sending your DNS queries only through a VPN would cause much of an issue.. So freaking what if it takes a couple extra ms to resolve something..

                        NOYB

                        Probably the word security confused me.  :-[

                          johnpoz LAYER 8 Global Moderator

                          Domain Name System Security Extensions, i.e. DNSSEC, provides "origin authority, data integrity, and authenticated denial of existence"

                          Which I said in simpler terms before..
                          "you're sure that the info you get back is indeed what the authoritative server is putting out there."

                          Its primary purpose is protecting against spoofing attacks..

                          If the OP's ISP is actually hijacking DNS.. The best solution is to BITCH AND BITCH AND BITCH to them.. If it's the only ISP in the area then move ;) Out of the box pfSense is going to run the resolver with DNSSEC enabled.. If this is not working because of a shitty ISP then the simple workaround is to have your resolver (unbound) use a VPN connection you set up on pfSense. This can be cheap via a VPS for like $15 a year.. Or if you have a buddy whose ISP doesn't hijack - set up a VPN to this place and run your DNS queries through there..

                          Or use dnscrypt, which is going to default over 443 (SSL/TLS port) so yeah your ISP shouldn't be messing with that. Problem is this is going to be a forwarder, not a resolver. So you're just going to have to trust the info you get back is not spoofed.. I do not think there is a dnscrypt package in pfSense, I do recall multiple threads about it..

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.