    DNS irrelevant with ATT Fiber?

    DHCP and DNS
      3Dogs:

      I have ATT Fiber (Pace PLC 5268AC router), which does not allow bridge mode, but a pinhole DMZ+ (to pfSense). I have an alternate DNS specified in PFSense, but imo, I believe it is just being ignored by ATT and they override this to force us to use their DNS. The reason I say this is when I try to access a page that throws a DNS Error, I am redirected to the ATT redirect.

      Are my assumptions correct and it would not matter what I put in for DNS in pfSense?

        KOM:

        How would we know what AT&T is doing? Run a DNS Leak test and see if it's reporting your ISP's DNS or what you specify. Is your WAN set by DHCP? If so, make sure you have WAN set to block DNS Server overrides in General setup.

        https://www.dnsleaktest.com/

        http://dnsleak.com/

        https://ipleak.net/

          3Dogs:

          @kom said in DNS irrelevant with ATT Fiber?:

          How would we know what AT&T is doing? Run a DNS Leak test and see if it's reporting your ISP's DNS or what you specify. Is your WAN set by DHCP? If so, make sure you have WAN set to block DNS Server overrides in General setup.

          https://www.dnsleaktest.com/

          http://dnsleak.com/

          https://ipleak.net/

          The tests all show ATT:

          Hostname: tukgav3dnsr77.infra.aic.att.net
          ISP: AT&T Services

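A check for the symptom 3Dogs describes (an alternate resolver configured in pfSense, yet AT&T's servers answer), as an added example that is not from this thread: it asks the resolver at a given IP to identify itself with a CHAOS-class TXT query for id.server (RFC 4892), which many public resolvers answer. Run it from a host behind pfSense against the upstream resolver address you configured (the IP is an assumption you supply); a reply naming your ISP, or REFUSED/empty from a resolver you know answers id.server, means something in the path answered instead of the server you asked.

```python
import socket
import struct

CHAOS, TXT = 3, 16

def build_chaos_query(qname="id.server", txid=0x1234):
    """One-question DNS query: <qname> TXT CH, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    """Return the offset just past a domain name (labels or a 2-byte pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_txt_answers(msg):
    """Return (rcode, [TXT strings]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    strings = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:
            i = 0
            while i < len(rdata):  # TXT rdata is a run of <len><bytes> strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return flags & 0x000F, strings

def probe_resolver(ip, timeout=2.0):
    """Send the query to <ip>:53 over UDP and return (rcode, strings).
    rcode 5 (REFUSED) or no strings from a resolver that normally answers
    id.server is itself a sign that the path intercepted the query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_query(), (ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)
```

The same check from a shell is `dig @<resolver-ip> id.server TXT CH`; after switching pfSense to DNS over TLS, this plain port-53 probe will still show the interception, which is expected, because the resolver's own queries now travel on port 853.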
            KOM:

            You could try calling them and yelling at them to stop intercepting your DNS. I doubt they will listen since ISPs realized they could monetize DNS by injecting ads in nxdomain replies, for example.

            Perhaps try forcing DNS over TLS to get around AT&T?

            https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

              3Dogs (replying to KOM):

              @kom said in DNS irrelevant with ATT Fiber?:

              How would we know what AT&T is doing? Run a DNS Leak test and see if it's reporting your ISP's DNS or what you specify. Is your WAN set by DHCP? If so, make sure you have WAN set to block DNS Server overrides in General setup.

              https://www.dnsleaktest.com/

              http://dnsleak.com/

              https://ipleak.net/

              In my General Setup, I have both boxes for DNS Server Override and Disable DNS Forwarder as unchecked

                3Dogs (replying to KOM):

                @kom said in DNS irrelevant with ATT Fiber?:

                You could try calling them and yelling at them to stop intercepting your DNS. I doubt they will listen since ISPs realized they could monetize DNS by injecting ads in nxdomain replies, for example.
                Perhaps try forcing DNS over TLS to get around AT&T?

                I had bookmarked a similar article regarding using TLS... as I thought that might be a workaround. Guess I will give that a go.

                  3Dogs (replying to KOM):

                  @kom

                  well.. that was simple. It looks to have worked! Is there any speed difference going over TLS?

                  res300.atl.rrdns.pch.net Cloudflare

                    KOM:

                    Not that I know of. Have you noticed any delays when doing a lookup?

                      3Dogs (replying to KOM):

                      @kom

                      Initially Cloudflare seemed faster than ATT.. then I switched to Quad9 as I was interested in their additional (I believe) security.. and that seemed slower (and actually didn't resolve initially). I think I will have to use one for a while to see if I will choose speed over the additional security.

                        Alex Atkin UK (replying to 3Dogs):

                        @3dogs said in DNS irrelevant with ATT Fiber?:

                        @kom

                        well.. that was simple. It looks to have worked! Is there any speed difference going over TLS?

                        res300.atl.rrdns.pch.net Cloudflare

                        It seems fractionally slower to me for first lookup, but as pfSense will be caching responses anyway it's not a major issue and WAY more secure as your ISP cannot snoop on what DNS lookups are being done.

                        There is one catch though, any device not using pfSense for DNS (Google love to do this on Android devices) will still be picked up by your ISP unless you add a firewall rule to force all DNS via pfSense (basically what your ISP is doing). https://www.netgate.com/docs/pfsense/dns/blocking-dns-queries-to-external-resolvers.html

                          virgiliomi:

                          Just a note that you can even simplify what they did in that article... they created two rules, one to allow DNS to your pfSense router, then one to block all others... it could be done in one rule, using most of the block all others settings, but instead of the destination being *, make the destination be "not LAN Interface" (check the box to invert, then select "LAN Interface" as the destination). This would allow DNS queries to your pfSense LAN interface, but anything else would be blocked.

                          Note that Reject might result in faster failover than block, as pfSense will send a message back that the connection is rejected, rather than the device needing to time out.

                          If you have multiple interfaces you want this applied to, you could create a floating rule using "This Firewall" instead of "LAN Interface" and select the interfaces you want it applied to in the rule. Floating rules are processed before interface-specific rules.

                          [Screenshot: reject-dns.PNG]

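The rule layouts from the two posts above, written out in plain pf syntax instead of a GUI screenshot. This is an added example, not from the thread or from Netgate: pfSense generates its own ruleset from the GUI, so these are the equivalent pf rules rather than a file to load into pfSense, and the interface macros igb1/igb2 are placeholders.

```pf
# Assumed interface macros; substitute your own NIC names. Place these
# above the default allow-all LAN rule: "quick" rules match first-hit,
# top-down, like the GUI's rule list.
lan   = "igb1"
guest = "igb2"

# Two-rule version from the linked article: allow DNS to the firewall's
# LAN address, then block DNS to every other destination.
pass  in quick on $lan proto { tcp, udp } from $lan:network to ($lan) port 53
block in quick on $lan proto { tcp, udp } from $lan:network to any   port 53

# Single-rule version from the post above: the destination is inverted,
# so only queries NOT aimed at the firewall's LAN address are stopped.
# "block return" is what the GUI's Reject action produces (TCP RST or
# ICMP unreachable), so a client fails over at once instead of timing out.
block return in quick on $lan proto { tcp, udp } from $lan:network to ! ($lan) port 53

# Floating-style variant covering several interfaces at once; "self" is
# every address of this firewall, the GUI's "This Firewall".
block return in quick on { $lan, $guest } proto { tcp, udp } from any to ! self port 53
```

These rules only catch plain DNS on port 53; a device that does its own DNS over TLS (port 853) or over HTTPS (port 443) is not forced through pfSense by them.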
                            Alex Atkin UK (replying to virgiliomi):

                            @virgiliomi Right, it's how I did it actually using a different guide - that was just the first one that came up from a search.
