[bazzargh]

I'm in the UK; my ISP hijacks dns requests on port 53 so nope, none of that works. They're not alone doing this https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_... For the most part this is not noticeable; but addresses to a bunch of my _work_ stuff don't resolve on whatever hacky dns replacement they offer, if I'm not on the work vpn.

They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.

If you're on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server - as long as they haven't blocked it.

Ironically the corporate vpn I use also hijacks dns (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward

[SoftTalker]

Comcast/Xfinity does that in the USA, at least if you use the newer modem/routers that they provide. If you use your own router you can still set your own DNS provider. DoH is a workaround for web browsing.

[Joel_Mckay]

The UK government IPs show up on our ban lists often for illegal theft of service, and CVE scans. Have you tried a Bind9 relay with iodine/vpn tunnels for local transparent network traversal across the hostile sandbox?

i.e. obfuscate the traffic using the hijacking DNS servers themselves.

Just a thought =3

[ekianjo]

what do you mean they hijack the port 53? this is a local setting on your OS. they cant hijack the DNS call if you set it to something else.

[bazzargh]

the isp blocks/redirects the traffic outside my network. so if you just try to send normal udp/tcp port 53 externally, it won't get there. This is why I mention a pihole; by setting my dns server to something on my local network and then having that use DoH I can get past the block. I can't configure every device to use eg DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP

the vpn provider, it's just a split tunnel thing; since that is a local process, yes they can hijack it. Originally when we switched to our current vpn provider it didn't even let us use localhost or loopback dns, but we needed that for the way we use docker in development, so now it's just anything except those being redirected.

[ekianjo]

port 53 requests are not limited to external requests. thats what I was implying in my comment.

[chgs]

I configure my router to divert all UDP/53 to my pi hole. The advertising industry hates this type of behaviour, but it means ever an IoT device using hard coded dns (rather than what I tell them from my dhcp or nd settings)

This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.

[inkyoto]

They absolutely can and some do. The destination UDP port number of a UDP packet traversing the core network of an ISP can be inspected and acted upon as one pleases.

[Joel_Mckay]

Unless it is tunneled over an binary obfuscation layer, and wrapped in a purposely weakened cryptography to booby-trap their parser.

There is also the global satellite uplinks... so its ultimately a pointless game to keep people ignorant, that is unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3

[ekianjo]

my point is you can point a call to 53 on a machine on your own network and you isp cant do shit about that

[inkyoto]

Very well. You have pointed your DNS resolver to a host on your local network for the DNS name resolution.

When a DNS lookup request hits it, where does a UDP packet on 53 goes out to and what happens to it?

[PhilipRoman]

They can do anything unless constrained by cryptography. I assume it just means redirecting all port 53 traffic which 99% of time will be DNS regardless of IP.

[chgs]

Why don’t you change ISP?

You choose an isp with those features that’s on you. It’s not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.

[bazzargh]

I had just switched to this one when I discovered the problem, so was under contract for the next couple of years, and it's not like they advertise this as a feature where you'd have made that choice beforehand. Also, I didn't just need "an ISP" I needed a high speed connection and at the time my previous provider said they didn't offer that to existing customers, while the handful of others appeared to only offer 1/10 of the speed I wanted or only offered it bundled with tv/sport packages (I don't watch tv)

Since then City Fibre completed their rollout and I'm no longer an existing customer with BT so now I _do_ have a choice.

But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don't have a choice.

[Joel_Mckay]

If you need decent speed, than could also try this:

https://www.stunnel.org/downloads.html

with the optional:

https://github.com/bfix/Tor-DNS.git

or go with the more modern:

https://github.com/erebe/wstunnel

Best regards, =3

[glitchcrab]

Out of interest, which ISP do you use?

[bazzargh]

Virgin Media. At the time I switched I needed more bandwidth for work - dealing with multi-gigabyte blobs all day; I was with BT, but BT wouldn't let me upgrade to a gigabit fibre connection, and the City Fibre network which is now everywhere wasn't yet in my street.

[pixelpanic360]

You can go to VM dashboard to disable the adult content filtering. It will then not block DoT and DoH.

[Joel_Mckay]

Many ISP will also auto-redirect un-allocated domain names to their own websites. Others will ban most inbound connections with a port under 1000 to prevent self-hosting/video-surveillance users.

Annoying if you are trying to bring up a remote domain server, and thinking WTF while checking things out in dig. lol =)