ISP DNS HIJACKING

[dave14305]

Maybe your ISP is running Merlin with DNS Filter enabled in Router mode.

 

[TechTinkerer]

84.200.69.80 is https://dns.watch

That's weird never known an isp use something like that i am doing some tinkering with firewall and nat-start scripts with iptables it's all a good learning experience i'm just weary of trying too much and getting face-ached nagged at for it

 

[TechTinkerer]

Maybe your ISP is running Merlin with DNS Filter enabled in Router mode.

Hope not i need them to stay as slightly smarter keyboard monkies!

but, currently their antics are ruining my streaming ventures....

 

[TechTinkerer]

OK, update guys on my investigation.

Merlin acts weird had entries vanishing and reapearing in my firewall-start script, tried firewall-start and a nat-start script - the firewall script keeps it's info on reboot, the nat script does not....

So, now not getting dns intercepted - turned off dnsfilter and it reports correctly, but if the dnsfilter is needed to filter specific devices like naughty kiddies\adults just use a vpn for streaming to keep the functionality of dnsfiter, but finding a vpn that is fast and works on all streaming services is a challenge.

 

[muffintastic]

OK, update guys on my investigation.

Merlin acts weird had entries vanishing and reapearing in my firewall-start script, tried firewall-start and a nat-start script - the firewall script keeps it's info on reboot, the nat script does not....

So, now not getting dns intercepted - turned off dnsfilter and it reports correctly, but if the dnsfilter is needed to filter specific devices like naughty kiddies\adults just use a vpn for streaming to keep the functionality of dnsfiter, but finding a vpn that is fast and works on all streaming services is a challenge.

1.1.1.3 - Blocks adult content plus dodgy software sites, you can specify this in the LAN DHCP settings. Try adding your phone, then in the DNS option use that i have specified then try an adult site, it should block it.

UPDATE: With my advanced setup using Dns over TLS, i have set my laptop in the DHCP server reservation and used 1.1.1.3 and it works, filtered the adult content.

 

[TechTinkerer]

1.1.1.3 - Blocks adult content plus dodgy software sites, you can specify this in the LAN DHCP settings. Try adding your phone, then in the DNS option use that i have specified then try an adult site, it should block it.

UPDATE: With my advanced setup using Dns over TLS, i have set my laptop in the DHCP server reservation and used 1.1.1.3 and it works, filtered the adult content.

Is that set in the dns\wins server settings in dhcp or is that set in dhcp reservation?

 

[muffintastic]

Is that set in the dns\wins server settings in dhcp or is that set in dhcp reservation?

dhcp reservation, when you add a client to use a static local IP using their MAC address. It says "DNS Server (Optional)"

So, go to LAN > DHCP Server > Manually Assigned IP around the DHCP list (Max Limit : 128) (Scroll Down) and make sure "Manual Assignment" is enabled above it, find your phone or laptop MAC, give it a static IP then add the 1.1.1.3 in DNS Server (Optional) then press the plus icon to add then press apply. Then aeroplane mode your device or reboot to get the new local IP and custom DNS server. Then try an adult site, it should return an DNS can't be probed error.

Then try an adult site, it should return a DNS probe error. This means it's blocked.

 

[RMerlin]

Simplest way to bypass an ISP that does DNS filtering is to switch to DNS-over-TLS. It's encrypted and it uses a different port than 53, so the ISP won't be able to interfere.

 

[TechTinkerer]

Simplest way to bypass an ISP that does DNS filtering is to switch to DNS-over-TLS. It's encrypted and it uses a different port than 53, so the ISP won't be able to interfere.

Thanks Merlin, won't be the best if using a smartdns service for streaming and they don't support DOT etc otherwise great to have that protection

 

[TechTinkerer]

1.1.1.3 - Blocks adult content plus dodgy software sites, you can specify this in the LAN DHCP settings. Try adding your phone, then in the DNS option use that i have specified then try an adult site, it should block it.

UPDATE: With my advanced setup using Dns over TLS, i have set my laptop in the DHCP server reservation and used 1.1.1.3 and it works, filtered the adult content.

Nowt dodgy about free software sites as long as things are checked...virustotal etc

 

[TechTinkerer]

@Xentrk going for torguard with 2xIP's good price if the service ain't cr@p

 

[Alfsu]

I've got around this issue in the past by switching to the smartdns provider alternate DNS port, at least the one I use had it.
Instead of pointing DNS to port 53 you have to modify the iptables to the alternate port your provider may (or may not) have.

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 23.21.43.50:1512
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 54.229.171.243:1512
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 23.21.43.50:1512
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 54.229.171.243:1512

In the code above the router will re-direct DNS calls to port 1512. A nat-start custom script can be used for this purpose, and you must replace the IP addresses shown here with the DNS server IPs of your smardns provider.

 

[distilled]

Maybe your ISP is running Merlin with DNS Filter enabled in Router mode.

That new Merlin port for the CRS-1...

 

[TechTinkerer]

I've got around this issue in the past by switching to the smartdns provider alternate DNS port, at least the one I use had it.
Instead of pointing DNS to port 53 you have to modify the iptables to the alternate port your provider may (or may not) have.

iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 23.21.43.50:1512
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 54.229.171.243:1512
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 23.21.43.50:1512
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 54.229.171.243:1512

In the code above the router will re-direct DNS calls to port 1512. A nat-start custom script can be used for this purpose, and you must replace the IP addresses shown here with the DNS server IPs of your smardns provider.

I tried this as well except i had mine in firewall-start as nat-start always lost it's contents on reboot...got sick of the whole thing and stumpedup for dedicated ip's to get around the issues, plus if i need to do filtering per device i can chose to do that now....as before i was getting traffic hijackied when attempting use of smartdns when dnsfilter was on

 

[TechTinkerer]

Hey guys, update: I don't know what it is with cloudflare servers..1.0.0.1, 1.1.1.1 but if they are set in WAN DNS it gives me limited to no connectivity and stops the vpn client working, but when i used Quad9 in DOT everything worked including vpn.

On this note i'm staying away from cloudflare and watch-dns for dns very unstable and lucky if you have things completely working.

 

[Zonkd]

1.1.1.3 - Blocks adult content plus dodgy software sites, you can specify this in the LAN DHCP settings. Try adding your phone, then in the DNS option use that i have specified then try an adult site, it should block it.

UPDATE: With my advanced setup using Dns over TLS, i have set my laptop in the DHCP server reservation and used 1.1.1.3 and it works, filtered the adult content.

Apparently DOT is only available for main servers ( 1.1.1.1 and 1.0.0.1 ), not supported yet for the family filtering servers (1.1.1.2 and 1.1.1.3). Can someone check this?

 

[netware5]

Hey guys, update: I don't know what it is with cloudflare servers..1.0.0.1, 1.1.1.1 but if they are set in WAN DNS it gives me limited to no connectivity and stops the vpn client working, but when i used Quad9 in DOT everything worked including vpn.

On this note i'm staying away from cloudflare and watch-dns for dns very unstable and lucky if you have things completely working.

Recently I've had similar problems with main Cloudflare servers and switched to Quad9. But unfortunately the 9.9.9.9 filters some domains msitakenly flagged as "malicous" or "not secure", so finally I landed to Unbound

 

[Treadler]

Apparently DOT is only available for main servers ( 1.1.1.1 and 1.0.0.1 ), not supported yet for the family filtering servers (1.1.1.2 and 1.1.1.3). Can someone check this?

I think that’s correct.
Cloudflare yet to enable DoT on the new ‘families’ servers.

 

[TechTinkerer]

Recently I've had similar problems with main Cloudflare servers and switched to Quad9. But unfortunately the 9.9.9.9 filters some domains msitakenly flagged as "malicous" or "not secure", so finally I landed to Unbound

need your help as was looking at a guide on pihole to setup recursive dns using unbound, one bit is confusing me

# Ensure privacy of local IP ranges private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10

Are these personal private networks?

can you help me with this as just purchased a rpi4-4GB, going dietpi etc with xcfe i think

 

[ColinTaylor]

@TechTinkerer https://en.wikipedia.org/wiki/Private_network