Transparent DNS Proxies
What is it?
A transparent DNS proxy is a local firewall, local security appliance, or ISP that intercepts a computer's recursive DNS requests and reroutes them to a different DNS server. Even when the requests are addressed to a specific DNS server, the computer appears to be communicating with that server; in reality, the firewall or security appliance is rewriting the requests so that they go to a different DNS server.
Example: ISP-level DNS proxying
Example: Local DNS proxying
This is commonly employed for one of the following reasons:
- Security (Local network) - Prevent the circumvention of a content filtering service (such as DNSFilter).
- Government-regulated ISPs in Africa, Asia, and the Middle East - Prevent the circumvention of government-mandated content filtering or traffic logging.
- Satellite ISPs - Cache DNS in order to increase performance.
- Mobile Networks - Cache DNS in order to increase performance.
Am I Behind a Transparent DNS Proxy?
Most "hardwired" ISPs (cable, DSL, fiber) in North America and Europe are not using transparent DNS proxies.
Satellite ISPs and telecom providers (3G/4G/LTE) are almost always using transparent DNS proxies; skip to Bypassing ISP Transparent DNS Proxies for more information.
Before testing for a transparent DNS proxy, make sure you have already read our Policies and Caching article: caching is the cause of most false alarms when content filtering does not appear to be working.
Windows / Linux / MacOS
In Command Prompt (Windows) or Terminal (MacOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 220.127.116.11
If the answer contains an address, the DNS request reached DNSFilter, and the address printed is your DNS egress IP address. DNS is not being proxied.
If the response is "No answer", DNS is being proxied on the network: only DNSFilter's servers know this domain name, so a reply with no address means some other resolver handled the query.
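The same check can be scripted so it does not depend on the operating system's stub resolver or on nslookup's output format. The script below is an added example, not DNSFilter's code: it builds a raw DNS A query for the probe name used above, sends it straight to a resolver IP over UDP, and classifies the reply the way the text does (an A record means the query reached the resolver; an empty answer means something on the path replied instead). RESOLVER_IP is a placeholder you must replace with your actual DNSFilter resolver address. It also probes port 5353, which the page says DNSFilter listens on, so you can see whether the alternate port escapes the proxy before changing any firewall rules.

```python
"""Probe whether DNS queries to a given resolver are being transparently proxied.

Added example, not DNSFilter's code. Sends an RFC 1035 A/IN query for a name
that only the intended resolver knows and classifies the reply.
"""
import random
import socket
import struct
from typing import Optional, Tuple

PROBE_NAME = "myip.dnsfilter.com"   # from the page: only DNSFilter's servers answer it
RESOLVER_IP = "192.0.2.53"          # PLACEHOLDER (TEST-NET-1); use your real resolver IP


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A/IN query in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(resp: bytes, txid: int) -> Tuple[str, Optional[str]]:
    """Classify a raw DNS reply.

    ("answered", "<A record>") : the query reached a resolver that knows the name
    ("no-answer", None)        : no A record came back (the page's proxy signature)
    ("invalid", None)          : not a response to our query
    """
    if len(resp) < 12:
        return "invalid", None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not (flags & 0x8000):   # wrong transaction ID or QR bit not set
        return "invalid", None
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        off = _skip_name(resp, off) + 4
    for _ in range(an):                        # walk answer RRs looking for an A record
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return "answered", socket.inet_ntoa(resp[off:off + 4])
        off += rdlen
    return "no-answer", None


def probe(resolver_ip: str = RESOLVER_IP, port: int = 53,
          timeout: float = 3.0) -> Tuple[str, Optional[str]]:
    """Send the probe over UDP and classify the reply ("timeout" if nothing arrives)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(PROBE_NAME, txid), (resolver_ip, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout", None
    return classify_response(data, txid)


if __name__ == "__main__":
    # 53 is the standard port; 5353 is the alternate port the page says DNSFilter listens on.
    for port in (53, 5353):
        print(f"port {port}:", probe(port=port))
```

A transparent proxy on port 53 typically yields "no-answer" (or "answered" with an address that is not your real egress IP) on port 53 while port 5353 yields "answered"; a "timeout" on 5353 means that port is blocked rather than proxied, and the firewall redirect described below will not help on that network.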
If your ISP transparently proxies DNS and you want to use DNSFilter on that network, you can use a local firewall to redirect DNS traffic to DNSFilter's servers on port 5353 instead of the standard port 53.
Here is an example of how to accomplish this using the most common Linux firewall, iptables. The same logic can be applied to any firewall make or model.
In a configuration file:
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 18.104.22.168:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 22.214.171.124:5353
COMMIT
Or as one-off commands:
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 126.96.36.199:5353
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 188.8.131.52:5353
The exact steps will vary based on your firewall. DNSFilter cannot assist with implementing this rule within your firewall; we recommend consulting your firewall manual or the manufacturer's technical support.
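Because both a UDP and a TCP rule are required, and because the rules above only affect DNS generated on the host itself, it is worth checking the loaded ruleset rather than trusting the copy-paste. The following script is an added example, not DNSFilter's tooling: it emits the same DNAT rules in iptables-save form (plus the equivalent iptables command lines), and verify_rules() reads iptables-save output and lists any expected rule that is missing from the nat table. RESOLVER is a placeholder for your DNSFilter resolver IP. Passing chains=("OUTPUT", "PREROUTING") extends the check to the PREROUTING chain, which is additionally needed when the Linux box is a gateway forwarding DNS from LAN clients; the page's rules cover only the OUTPUT chain.

```python
"""Generate and verify the port 53 -> port 5353 DNAT rules for DNSFilter.

Added example, not DNSFilter's code. Works on text in iptables-save format,
the same form as the configuration file shown on the page.
"""
import re
import subprocess
import sys
from typing import Iterable, List, Set, Tuple

RESOLVER = "192.0.2.53"      # PLACEHOLDER (TEST-NET-1): substitute your DNSFilter resolver IP
ALT_PORT = 5353              # alternate port the page says DNSFilter listens on
# OUTPUT covers DNS generated on this host (what the page's rules do);
# PREROUTING is also needed when this host forwards DNS for LAN clients.
DEFAULT_CHAINS = ("OUTPUT",)
PROTOS = ("udp", "tcp")      # both are required; DNS falls back to TCP for large answers


def _rule_line(chain: str, proto: str, resolver: str) -> str:
    """One rule exactly as iptables-save prints it."""
    return (f"-A {chain} -p {proto} -m {proto} --dport 53 "
            f"-j DNAT --to-destination {resolver}:{ALT_PORT}")


def expected_rules(resolver: str = RESOLVER,
                   chains: Iterable[str] = DEFAULT_CHAINS) -> List[str]:
    """Rule lines that must be present in the *nat table."""
    return [_rule_line(c, p, resolver) for c in chains for p in PROTOS]


def iptables_commands(resolver: str = RESOLVER,
                      chains: Iterable[str] = DEFAULT_CHAINS) -> List[List[str]]:
    """argv lists equivalent to the one-line iptables commands on the page."""
    return [["iptables", "-t", "nat", "-A", c, "-p", p, "--dport", "53",
             "-j", "DNAT", "--to-destination", f"{resolver}:{ALT_PORT}"]
            for c in chains for p in PROTOS]


_RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -p (?P<proto>udp|tcp)(?: -m (?P=proto))? --dport 53 "
    r"-j DNAT --to-destination (?P<dest>\S+)$"
)


def present_dnat_rules(save_text: str) -> Set[Tuple[str, str, str]]:
    """Collect (chain, proto, destination) for port-53 DNAT rules, *nat table only."""
    found, in_nat = set(), False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):           # table header, e.g. *nat or *filter
            in_nat = line == "*nat"
        elif line == "COMMIT":
            in_nat = False
        elif in_nat:
            m = _RULE_RE.match(line)
            if m:
                found.add((m["chain"], m["proto"], m["dest"]))
    return found


def verify_rules(save_text: str, resolver: str = RESOLVER,
                 chains: Iterable[str] = DEFAULT_CHAINS) -> List[str]:
    """Return the expected rule lines absent from save_text (empty list means all present)."""
    have = present_dnat_rules(save_text)
    return [_rule_line(c, p, resolver) for c in chains for p in PROTOS
            if (c, p, f"{resolver}:{ALT_PORT}") not in have]


# Constructed iptables-save output: the UDP rule was loaded, the TCP rule was forgotten.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53:5353
COMMIT
"""

if __name__ == "__main__":
    if "--live" in sys.argv:   # inspect the running ruleset (requires root)
        text = subprocess.run(["iptables-save", "-t", "nat"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SAVE
    missing = verify_rules(text)
    print("missing nat rules:" if missing else "all expected nat rules are present")
    for rule in missing:
        print("  ", rule)
```

Run it without arguments to see the check fail on the constructed sample (the TCP rule is reported missing); run it with --live as root after loading your rules to check the real nat table.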
Coming soon: a debugging URL you can visit to learn whether or not you're using DNSFilter's DNS server IPs.