DNS resolution on port 5353



  • Hi,

    I am using the latest pfsense, and I have an ISP that intercepts dns requests and points them at their own dns servers instead of the ones I choose.

    Unfortunately, where I live there is no other viable alternative to this provider if I want to have speeds higher than 1 Mb/s.

    I see that OpenDNS can respond on port 5353, and I have tested this at the command line using nslookup: if I specify server 208.67.222.222 and port 5353, the request isn't intercepted.

    I have been trying to configure pfsense to make DNS requests using port 5353 but can't seem to find a way of doing it.

    I have tried a NAT port forward rule:

    ```
    LAN UDP * * 208.67.222.222   53 (DNS)   208.67.222.222 5353
    ```

    and I have tried the following option in the DNS forwarder advanced options:

    ```
    server=208.67.222.222#5353
    ```

    Neither of which seems to work.

    Does anyone know of a way of doing this?


  • LAYER 8 Global Moderator

    Well, for starters, I would tell your ISP to stop it. What they are doing is not nice!

    You don't intercept users' traffic; if they wanted to use your DNS, they would point at it!

    How are you testing? http://www.dnsleaktest.com/ ?

    That rule would be for your clients that were using 208.67.222.222; normally clients ask pfsense for DNS, so that rule would never come into play. Are you specifically pointing your clients to that IP for their DNS? Keep in mind that DNS can use TCP as well, depending.



  • My reading of the dnsmasq file suggests you should specify your chosen option as

    ```
    server=/208.67.222.222#5353
    ```

    I presume you will take appropriate steps to restart dnsmasq or otherwise get it to use the new configuration.


  • wallabybob: tried your suggestion; it says "invalid custom option". Any other ideas?

    johnpoz: the ISP is a satellite internet provider and they say it's for performance reasons.

    It's a home LAN, so this is more of an intellectual challenge than anything else, just to see what pfsense and I are capable of and to learn something in the process!

    Yes, I am using dnsleaktest.com and it indicates that I am using the satellite provider's DNS, and that's after trying both 192.168.1.1 (pfsense box) and 208.67.222.222 (OpenDNS) as the DNS on a laptop on the LAN.

    From a command prompt on the pfsense box, `nslookup -type=txt which.opendns.com`
    responds with:

    ```
    Server:  208.67.222.222
    Address: 208.67.222.222#53

    Non-authoritative answer:
    which.opendns.com    text = "I am not an OpenDNS resolver."
    ```

    From a command prompt on the pfsense box, `nslookup -type=txt -port=5353 which.opendns.com` (adding the port)
    responds with:

    ```
    Server:  208.67.222.222
    Address: 208.67.222.222#5353

    Non-authoritative answer:
    which.opendns.com    text = "1.cdg"

    Authoritative answers can be found from:
    ```

    Which is a response from OpenDNS. So it works at a command prompt from pfsense; I am just trying to get pfsense to automate it, and I thought a LAN rule port forwarding 53 to 5353, and then pointing the laptop's DNS at pfsense, would do it…

    Stopped and started dnsmasq, which I assume clears the cache...

    Any more clues anyone??
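
    The nslookup check above (same query on port 53 and on port 5353, then reading the TXT answer), as an added example that is not part of the original thread and not pfSense or OpenDNS code: a small Python DNS client that builds the TXT query for which.opendns.com on the wire itself, can send it over UDP to a resolver on any port, and classifies the reply using the two TXT strings seen in the posts ("1.cdg"-style POP codes versus "I am not an OpenDNS resolver."). The `build_txt_response` helper constructs sample replies so the parser can be exercised offline; all function names, the script name and the sample bytes are my own assumptions.

```python
"""Added example: check which resolver actually answers a DNS query, on any port.

Not from the pfSense thread or OpenDNS. Builds a TXT query for which.opendns.com,
optionally sends it over UDP to server:port (e.g. 5353), and parses the TXT answer.
The reply text identifies the answering resolver: OpenDNS returns a POP code such
as "1.cdg"; an intercepting resolver returns "I am not an OpenDNS resolver."
"""
import socket
import struct

QNAME = "which.opendns.com"
TYPE_TXT = 16
CLASS_IN = 1
NOT_OPENDNS = "I am not an OpenDNS resolver."   # string quoted in the thread


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a one-question, recursion-desired query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just after it."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2                # the field in this record is 2 bytes long
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_txt_answers(msg: bytes, txid: int = 0x1234) -> list[str]:
    """Return the TXT strings from the answer section after checking the header."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                # TXT rdata is a run of <len><bytes> strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return txts


def classify(txts: list[str]) -> str:
    """Turn the TXT answer into a verdict about who really answered."""
    if NOT_OPENDNS in txts:
        return "intercepted: a resolver other than OpenDNS answered"
    if txts:
        return "ok: OpenDNS answered from POP " + txts[0]
    return "unknown: no TXT record in the answer"


def build_txt_response(query_msg: bytes, txts: list[str]) -> bytes:
    """Construct the reply a resolver would send (constructed sample data for offline use)."""
    txid = struct.unpack("!H", query_msg[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 answer
    rdata = b"".join(bytes([len(t)]) + t.encode("ascii") for t in txts)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
    return header + query_msg[12:] + answer


def query(server: str, port: int = 5353, timeout: float = 3.0) -> list[str]:
    """Send the query over UDP to server:port (needs network access) and parse the reply."""
    q = build_query(QNAME)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "208.67.222.222"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5353
    print(f"{server}:{port} -> {classify(query(server, port))}")
```

    Run it once with port 53 and once with 5353 (e.g. `python3 dnscheck.py 208.67.222.222 53`; the file name is assumed). If 53 comes back "intercepted" and 5353 "ok", only port 53 is being redirected, which is what the forwarder's `#5353` setting works around. The verdict is based on the answer text rather than on the destination IP, because the packet was addressed to 208.67.222.222 either way; what differs is who answered. The transaction ID and QR checks reject stale or unrelated datagrams so a leftover reply is not mistaken for the real one.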



  • I'd also be interested in resolving this issue. When querying port 5353 as in the above post I get:

    ```
    $ nslookup -type=txt -port=5353 which.opendns.com
    Server:  208.67.222.222
    Address: 208.67.222.222#5353

    Non-authoritative answer:
    which.opendns.com    text = "7.sin"

    Authoritative answers can be found from:
    ```

    What would be the appropriate way to specify this port for DNS requests?



  • Wallabybob made a typo.

    It should be:

    ```
    server=208.67.222.222#5353
    ```

    under Advanced options in the DNS Forwarder.



  • I also wouldn't put it outside the realm of possibility that an ISP that is idiotic enough to intercept 53 would also intercept 5353.

