DNSmasq settings to bypass ISP DNS


Bink

May 17, 2012, 11:47:43 AM5/17/12
to al...@googlegroups.com
Here in Thailand, the ISPs run transparent/selective proxies and hijack DNS regardless of settings on client or on router. Played around with dnsmasq for a while and although DHCP was simple to get going, I am not sure about the exact syntax and location for putting my desired DNS servers. I googled around for a bit and thought that it was either:

#/etc/dnsmasq-resolv
nameserver xxx.xxx.xx.xx

or 

#/etc/dnsmasq-resolv
server=xxx.xxx.xx.xx

Unfortunately, these don't seem to do the trick, because when I open resolve.conf the servers are added but are commented out and the default 127.0.0.1 is active. Obviously I am not understanding something quite basic. If anyone can give me a hint, it would be much appreciated. 

Joao Cardoso

May 17, 2012, 12:03:39 PM5/17/12
to al...@googlegroups.com


On Thursday, May 17, 2012 4:47:43 PM UTC+1, Bink wrote:
> Here in Thailand, the ISPs run transparent/selective proxies and hijack DNS regardless of settings on client or on router. Played around with dnsmasq for a while and although DHCP was simple to get going, I am not sure about the exact syntax and location for putting my desired DNS servers. I googled around for a bit and thought that it was either:
>
> #/etc/dnsmasq-resolv
> nameserver xxx.xxx.xx.xx
>
> or
>
> #/etc/dnsmasq-resolv
> server=xxx.xxx.xx.xx
>
> Unfortunately, these don't seem to do the trick, because when I open resolve.conf the servers are added but are commented out and the default 127.0.0.1 is active.

dnsmasq works as a forwarding name server, i.e., it forwards requests made to it to its configured name servers.
As such, /etc/resolv.conf says that a local DNS server (dnsmasq) is available locally, 127.0.0.1, and all queries are automatically made to it.

Alt-F does this for you when dnsmasq is started (it copies /etc/resolv.conf to /etc/dnsmasq-resolv, comments out the entries in /etc/resolv.conf and adds the local DNS server, 127.0.0.1, to it).

dnsmasq resolves local queries by looking either at its own leases or at /etc/hosts.

Does this answer your question?

Bink

May 17, 2012, 12:48:06 PM5/17/12
to al...@googlegroups.com
Thanks for the incredibly speedy response. That makes sense. I guess I had it backwards. (I had thought that dnsmasq-resolv was copied to resolve.config.)

If I understand you, I should simply add my preferred DNS server address to resolve.config. 

Like this?

#/etc/resolve.config
server xxx.xxx.xx.xx

Also - can a specific port be specified? Internet access is now working, but I think I'm still getting hijacked. About to clear cache and restart client (mac) machine to eliminate a possible problem there.

Thanks,

Brady


Joao Cardoso

May 17, 2012, 2:38:12 PM5/17/12
to al...@googlegroups.com


On Thursday, May 17, 2012 5:48:06 PM UTC+1, Bink wrote:
> Thanks for the incredibly speedy response. That makes sense. I guess I had it backwards. (I had thought that dnsmasq-resolv was copied to resolve.config.)
>
> If I understand you, I should simply add my preferred DNS server address to resolve.config.
>
> Like this?
>
> #/etc/resolve.config
> server xxx.xxx.xx.xx


No, "nameserver xxx".

Why don't you use the Setup->Host web page? And the Services->Network->dnsmasq->Configure web page? Things should happen automagically!


> Also - can a specific port be specified?

I don't think so, but I'm not sure; the DNS service runs on a well-known port. You have to check whether dnsmasq accepts a port number, and in *that* case you will have to hand-edit the configuration files.
 
> Internet access is now working, but I think I'm still getting hijacked.

Enable DNS logging in dnsmasq to see where it receives replies from. Again, use its web page to enable logs, and look at System->Utilities->System log (or 'logread' from the command line; I'm not sure if dnsmasq logs to its own file or uses syslog).

Bink

May 18, 2012, 8:19:05 AM5/18/12
to al...@googlegroups.com
Ok great. I only started messing with the config files, because I knew that I might need to specify a port. Apparently this can be done:

-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using random ports. NOTE that using this option will make dnsmasq less secure against DNS spoofing attacks but it may be faster and use less resources. Setting this option to zero makes dnsmasq use a single port allocated to it by the OS: this was the default behaviour in versions prior to 2.43.

I tried this:
#/etc/dnsmasq.config
query-port=58

but when I do an nslookup it still reports port 53, so I guess either I'm not doing it right, or somehow the ISP is messing things up more than with just DNS hijacking (e.g. transparent proxy):
nslookup check.unblock-us.com 208.122.23.22
Server: 208.122.23.22
Address: 208.122.23.22#53

Name: check.unblock-us.com
Address: 184.106.248.229

The log (yes, it's in the syslog) spits this out when I try to check status of DNS on their website:
May 18 19:04:35 ClineNAS daemon.info dnsmasq[1147]: forwarded b._dns-sd._udp.CLINENET to 208.122.23.22
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] b._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded b._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] db._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded db._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] r._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded r._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] dr._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded dr._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] lb._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded lb._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22

I greatly appreciate your help on this so far - way beyond what anyone could hope for - especially considering the high price you are charging for Alt-F.
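Joao's suggestion to read the dnsmasq log is the right check, and the lines Bink posted already show something worth flagging: reverse lookups for 192.168.2.0/24 (the `...0.2.168.192.in-addr.arpa` PTR queries) being forwarded to the upstream at 208.122.23.22. Those should never leave the LAN; dnsmasq's `bogus-priv` option keeps them local. The script below is an added example, not code from this thread or from Alt-F. It audits constructed log lines in the same syslog format against an allow-list of intended upstreams, flags leaked private reverse lookups, and extracts the address dnsmasq logged in a `reply` line so it can be compared with an answer obtained out of band. The `query[A]`/`reply` lines for check.unblock-us.com were made up to match the nslookup output above; www.example.net, 192.0.2.53 and 203.0.113.10 are placeholders from the TEST-NET ranges.

```shell
#!/bin/sh
# Constructed sample of dnsmasq syslog output with log-queries enabled,
# in the format shown in the thread. The A/reply lines and the second
# upstream are made up for the example.
LOG_SAMPLE='May 18 19:04:35 ClineNAS daemon.info dnsmasq[1147]: query[A] check.unblock-us.com from 192.168.2.133
May 18 19:04:35 ClineNAS daemon.info dnsmasq[1147]: forwarded check.unblock-us.com to 208.122.23.22
May 18 19:04:35 ClineNAS daemon.info dnsmasq[1147]: reply check.unblock-us.com is 184.106.248.229
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: query[PTR] b._dns-sd._udp.0.2.168.192.in-addr.arpa from 192.168.2.133
May 18 19:04:36 ClineNAS daemon.info dnsmasq[1147]: forwarded b._dns-sd._udp.0.2.168.192.in-addr.arpa to 208.122.23.22
May 18 19:04:37 ClineNAS daemon.info dnsmasq[1147]: query[A] www.example.net from 192.168.2.133
May 18 19:04:37 ClineNAS daemon.info dnsmasq[1147]: forwarded www.example.net to 192.0.2.53
May 18 19:04:37 ClineNAS daemon.info dnsmasq[1147]: reply www.example.net is 203.0.113.10'

# audit_forwards "ip ip ..."    (dnsmasq log lines on stdin)
# Prints every "forwarded NAME to IP" whose IP is not in the space-separated
# allow-list, and every forward of a private-range reverse lookup, which
# should have been answered locally. Exit status = number of findings.
audit_forwards() {
  allowed=" $1 "
  findings=0
  while IFS= read -r line; do
    case "$line" in
      *"]: forwarded "*" to "*) ;;
      *) continue ;;
    esac
    upstream=${line##* to }
    name=${line#*]: forwarded }
    name=${name% to *}
    case "$allowed" in
      *" $upstream "*) ;;
      *) echo "UNEXPECTED upstream $upstream for $name"; findings=$((findings + 1)) ;;
    esac
    case "$name" in
      *.168.192.in-addr.arpa|*.10.in-addr.arpa)
        echo "LEAK: private reverse lookup $name sent to $upstream"
        findings=$((findings + 1)) ;;
    esac
  done
  return $findings
}

# reply_for NAME    (dnsmasq log lines on stdin)
# Prints the address dnsmasq logged in "reply NAME is ADDR", i.e. what the
# clients actually received, for comparison with a known-good answer.
reply_for() {
  while IFS= read -r line; do
    case "$line" in
      *"]: reply $1 is "*) echo "${line##* is }" ;;
    esac
  done
}

# Run against the constructed sample: only 208.122.23.22 is the intended upstream.
printf '%s\n' "$LOG_SAMPLE" | audit_forwards "208.122.23.22" || echo "findings: $?"
printf '%s\n' "$LOG_SAMPLE" | reply_for check.unblock-us.com
```

One caveat on reading these logs: `forwarded NAME to IP` records where dnsmasq sent the packet, not who answered it. A box that intercepts port 53 in transit replies with the upstream's address as the forged source, so the log looks identical whether the answer is genuine or not. The test that does work from the router is to compare the `reply` address with one obtained over a path the ISP does not rewrite, or to send a query to an address that is not a resolver at all: if an answer still comes back, something on the path is answering in its place.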

Joao Cardoso

May 18, 2012, 10:37:27 AM5/18/12
to al...@googlegroups.com


On Friday, May 18, 2012 1:19:05 PM UTC+1, Bink wrote:
> Ok great. I only started messing with the config files, because I knew that I might need to specify a port. Apparently this can be done:
>
> -Q, --query-port=<query_port>
> Send outbound DNS queries from, and listen for their replies on, the specific UDP port <query_port> instead of using random ports. NOTE that using this option will make dnsmasq less secure against DNS spoofing attacks but it may be faster and use less resources. Setting this option to zero makes dnsmasq use a single port allocated to it by the OS: this was the default behaviour in versions prior to 2.43.

This only changes the origin port number, not the destination port, which is still 53 by default; DNS servers listen on port 53 and will reply back to the port that you specified with the '-Q' option. The default behaviour without the '-Q' option is to use random origin ports, which is considered safer.
You probably need to use the '--local' option, not sure.

However, you first need to find a real DNS server that listens on a port different from 53, and that is not going to be easy. Only after finding and testing it should you continue your quest with dnsmasq.
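To close the port question raised in this thread: dnsmasq's `server=` option accepts an optional port written as `server=ADDRESS#PORT` (the same `#` notation nslookup printed in `208.122.23.22#53`), and `no-resolv` makes dnsmasq ignore its resolv-file entirely so the upstreams are exactly the ones listed in its own config. `query-port`, as Joao says, only pins the source port of outgoing queries, which is what the quoted man page warns weakens protection against spoofed replies. The script below is an added example, not Alt-F code: it holds two constructed config fragments, one mirroring what was tried in the thread and one corrected, and a small lint that reports the settings a practitioner would want caught. The 203.0.113.x addresses, port 5353 and the 192.168.2.1 LAN address are placeholders; whether a given resolver really answers on another port is, as Joao notes, a separate question.

```shell
#!/bin/sh
# Constructed dnsmasq.conf fragment mirroring the thread: fixed source port,
# upstreams still taken from the resolv-file Alt-F writes.
WEAK_CONF='# /etc/dnsmasq.conf (constructed, mirrors the thread)
query-port=58
resolv-file=/etc/dnsmasq-resolv'

# Constructed corrected fragment. dnsmasq does not treat a trailing "#" as a
# comment (in server= it introduces the port), so comments sit on their own lines.
HARDENED_CONF='# /etc/dnsmasq.conf (constructed)
# Ignore resolv-file; only the server= lines below are used upstream.
no-resolv
# Upstream on a non-standard port (placeholder address and port).
server=203.0.113.53#5353
# Second upstream on the default port 53 (placeholder address).
server=203.0.113.54
# Only answer on loopback and the LAN side (assumed LAN address).
listen-address=127.0.0.1
listen-address=192.168.2.1
bind-interfaces
# Answer reverse lookups for private ranges locally instead of forwarding them.
bogus-priv
# Never forward single-label names upstream.
domain-needed
log-queries'

# lint_dnsmasq_conf    (dnsmasq.conf on stdin)
# Prints one WARN line per weakness found; exit status = number of warnings.
lint_dnsmasq_conf() {
  warns=0 has_server=0 has_noresolv=0 has_bogus=0 has_domain=0
  while IFS= read -r line; do
    case "$line" in
      \#*|'') continue ;;
      query-port=*)
        port=${line#query-port=}
        if [ "$port" != 0 ]; then
          echo "WARN: query-port=$port pins the source port; a spoofed reply then only needs to guess the 16-bit query ID"
          warns=$((warns + 1))
        fi ;;
      server=*)      has_server=1 ;;
      no-resolv)     has_noresolv=1 ;;
      bogus-priv)    has_bogus=1 ;;
      domain-needed) has_domain=1 ;;
    esac
  done
  if [ "$has_noresolv" -eq 0 ] || [ "$has_server" -eq 0 ]; then
    echo "WARN: upstreams come from the resolv-file (whatever DHCP/the ISP handed out); add no-resolv plus explicit server= lines"
    warns=$((warns + 1))
  fi
  if [ "$has_bogus" -eq 0 ]; then
    echo "WARN: no bogus-priv; reverse lookups for private ranges (e.g. *.168.192.in-addr.arpa) are forwarded upstream"
    warns=$((warns + 1))
  fi
  if [ "$has_domain" -eq 0 ]; then
    echo "WARN: no domain-needed; single-label local names are forwarded upstream"
    warns=$((warns + 1))
  fi
  return $warns
}

# Lint both fragments.
printf '%s\n' "$WEAK_CONF" | lint_dnsmasq_conf || echo "weak conf: $? warning(s)"
printf '%s\n' "$HARDENED_CONF" | lint_dnsmasq_conf && echo "hardened conf: clean"
```

The `bogus-priv` warning is the one the thread's own log illustrates: every `*.0.2.168.192.in-addr.arpa` PTR query there was forwarded to the upstream. Leaving `query-port` unset keeps dnsmasq's default of a random source port per query, which is what the quoted man page calls the safer behaviour.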