by denton-scratch 893 days ago
What kind of "place" can redirect a port-53 request to localhost to my ISP's DNS server?

DNS-over-HTTPS is a move in the wrong direction, if you ask me. There aren't many DOH servers, so it concentrates control even more than traditional DNS. But if you are running your own recursive resolver, the only ways to control the results are to control the authoritative servers (nope), or to control the roots (most of them are physically in the USA, and run by corporations, so that's sort-of possible).


They can't redirect things going to localhost. But how does your local resolver talk to other authoritative DNS servers? UDP on port 53. The instant that kind of packet hits your ISP, it's not routed outside their network and is answered by their DNS.

Unless you have DNS-over-HTTPS.

Well, I didn't know they did that. They'd have to use a packet filter to do that; in the normal case, I send my UDP query to the authoritative server via its IP address, and if my ISP doesn't forward the query, then it's not providing internet service, it's simulating it. My resolver respects DNS signing, so I think I'd get errors right away if my ISP tried to substitute a forged answer.

My (niche) ISP is rather benevolent; as far as I'm aware they don't block at all, and they brag about providing "real internet service". At any rate, I'm not aware that my recursive resolver has ever encountered an answer that was forged by my ISP.

> They'd have to use a packet filter to do that

Indeed they would.

> My resolver respects DNS signing…

I’m not honestly certain how big of a hurdle this is. I would figure that if a site is to be blocked, then the ISP substitutes their own “authoritative” response, which would include cryptographic signing details (even pretending their public key is the official one.)

> My (niche) ISP is rather benevolent …

I think most are. In my market, even the big guys haven’t done this, though I have heard about it happening in larger markets when big ISPs are up to no good (like inserting ads or whatever.)

Your local resolver would be configured to use DoT to connect to whichever upstream server you choose.

This is a two line configuration in unbound and does not require creating and maintaining your own certificates.

9.9.9.9 is free or you can use nextdns as your upstream and get the benefits of a pi-hole in the cloud.

Everyone should do this.
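The unbound setup the comment above describes, written out as an added example (this is not the commenter's own configuration): every outbound query is forwarded over TLS on port 853 to 9.9.9.9, so an ISP filter on UDP/53 sees no plaintext DNS to intercept, and the upstream certificate is checked against the system CA bundle. The CA bundle path and the Quad9 TLS authentication name `dns.quad9.net` are assumptions; adjust both for your system.

```conf
# unbound.conf fragment: forward everything over DNS-over-TLS (added example)

server:
    # CA bundle used to verify the upstream's TLS certificate.
    # Path is an assumption (Debian/Ubuntu layout); without it the
    # auth-name check below cannot fail closed.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Keep DNSSEC validation on locally: a forwarder only moves the
    # transport, it does not replace chain-of-trust checking.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    # "." means the whole namespace is forwarded, not resolved from the roots.
    name: "."
    forward-tls-upstream: yes
    # addr@port#auth-name: the name after '#' must match the certificate,
    # otherwise unbound refuses the connection (assumed name for Quad9).
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Run `unbound-checkconf` after editing, then confirm with a packet capture that the resolver opens only TCP/853 to the upstream and no longer emits UDP/53 to the outside.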

Or https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

Has the same benefits and works Triple-A-superplusgood.

Do you mean you're running a DNS server locally? Wouldn't the DNS block apply when your local server tried to resolve the name upstream?

I am running a recursive resolver locally. When it resolves a name, "upstream" means the root servers, not some DNS cache such as my ISP offers. A recursive resolver chases the name down the DNS tree to the authoritative server.

To block that, you have to either tamper with the root servers, or get control of the authoritative servers.

> To block that, you have to either tamper with the root servers, or get control of the authoritative servers.

I don't think so. The ISP can just reply to the DNS packets itself, without sending them to the root servers. Your local recursive resolver will think the response is from other DNS servers but in fact they would all be from your ISP.