EDIT: So because of my $0 budget and the fact that my uptime is around 50% (PC, no additional servers) I ended up using NextDNS. For the time being it works (according to dnsleaktest), an added benefit was improved ad-blocking (100% in this tool). I now have plans for a proper router in the future with a Pi-hole. Thanks so much for all the info & suggestions, definitely learnt a lot.
So it turns out I got myself into an ISP that was shittier than expected (I already knew it was kinda shitty), they DNS hijack for whatever reason and I can’t manually set my own DNS on my router or even my devices.
Cyber security has never been my forte but I’m always trying to keep learning as I go. I’ve read that common solutions involve using a different port (54) or getting a different modem/router or just adding a router.
Are they all true? Whats the cheapest, easiest way of dealing with all of this?
Change the DNS servers on you devices to a DoT or DoH provider.
The ISP can’t intercept and rewrite your requests if they are in a secure session.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol PiHole Network-wide ad-blocker (DNS sinkhole) SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network
[Thread #56 for this sub, first seen 16th Aug 2023, 18:25] [FAQ] [Full list] [Contact] [Source code]
You missed two that I’d like to know about. DoH and DoT. Thanks, robot!
DNS over HTTPS, DNS over TLS
Thank you, I had to figure it out myself haha.
Good bot.
On modern versions of Windows (and probably other OSes), you can configure it to use DNS over HTTPS with a service like Quad9 or Cloudflare, which will fix this.
To do this across all your devices, even those that don’t support DoH, install AdGuard Home on a home server or Raspberry Pi or your PC if it’s always on. ISPs can’t intercept DoH requests. Then configure your router to set the DNS server to your AdGuard Home server.
Setup a local DNS server in your local network, and configure it to forward everything to an external DNS provider over TLS (port 853 usually). This is known as DNS over TLS (or DoT as other people mentioned).
I personally like https://cyberia.is
If you have the option to use a DNS on a different port, you can take a look at OpenNIC. There are a number of servers available that answer on multiple ports. Development has been stalled for a few years now but we’re still keeping the back-end stuff running. You can find info at https://www.opennic.org/ and https://servers.opennic.org/
Set up your router to use DNS-over-HTTPS if it supports it.
If not you can install Adguard Home somewhere, set your devices to use that for DNS, and set it to use DNS-over-HTTPS for the upstream servers.
Just throwing out a couple of other solutions I didn’t see mentioned for DoH/DoT:
- CoreDNS
- Blocky
Both of those support encryption and allow for DNSBL. If you are wanting to hand out DNS entries over DHCP it may a problem with your ISPs router there. Either replace it, sit one you do control between it and your network, or run DHCP snooping from a switch to restrict it’s DHCP.
This Blocky?
Will keep them in mind, thanks a lot.
Yep, that’s the one. You just set your upstream default to something like tcp-tls:1.1.1.1:853 for DoT (which is what I use anyway).
Good documentation on other features like adblocking,caching,etc: https://0xerr0r.github.io/blocky/v0.21/configuration/
Look into Pi-hole. It’s an easy-to-setup DNS server which can run on a Raspberry Pi (or a Linux desktop/server if you have one.) You can then set your devices’ DNS servers to the local address where the Pi-hole is running. Since it would be running on your local network, any requests to it shouldn’t go through your ISP in the first place. I’d still recommend getting your own router anyways because this kind of ISP fuckery is more common than you’d expect. Plus, your exact configurations follow you anywhere you move. If you do end up getting one, set the local DNS server in the DHCP settings of your router to avoid having to set it on each device.
Doesn’t the RPi still go through the ISP? You’d still have to find a way to bypass their hijacking attempts, just on a different device this time.
Dot or doh will stop the DNS rewrites.
You’d have to use DNS over HTTPS, DNS over TLS, or DNS over QUIC. As far as I know, PiHole doesn’t support these out-of-the-box, so AdGuard Home is a better choice (it’s like PiHole but more powerful).
I know PiHole had plans to implement this though, so maybe they do support it now.
You can do it. I set mine up ages ago. https://docs.pi-hole.net/guides/dns/cloudflared/
It’s not out-of-the-box though, and requires a bunch of manual setup. On AdGuard Home you just need to enter the DNS URL into the UI and that’s it.
Adguard home is a better choice as it supports DoT and DoH, which OP will need to use to be able to bypass their ISPs DNS hijacking.
Pihole only supports unencrypted DNS on port 53 which is what the ISP is targeting.
Using your own router is the best way, I just finished setting up DoH, I am using a router with OpenWRT, so installed https-dns-proxy with luci-app-https-dns-proxy. It has options to hijack DNS so that all local devices will be routed to the router DNS even if they try to use a DNS server directly.
More information can be found here.
deleted by creator
deleted by creator
