A transparent DNS proxy is the practice of intercepting DNS requests destined for a specific recursive DNS server (like DNSFilter) and sending the DNS requests to a completely different DNS server.
Who is typically proxied?
Most "hardwired" ISPs (cable, DSL, fiber) in North America and Europe are not using transparent DNS proxies.
Satellite ISPs and Telecom providers (3g/4g/LTE) are commonly using transparent DNS proxies for performance reasons.
Proxying can happen via:
- Firewall (Direct NAT)
- Network Security Appliance (Security Feature)
- Software (Security Feature)
- ISP DNS Caching
Transparent proxying is typically employed for one of these reasons:
- Security (Local network) - To prevent the circumvention of a content filtering service (such as DNSFilter).
- Government Regulation - ISPs in Africa, Asia, and The Middle East typically have enforcement of government-mandated content filtering and/or traffic logging.
- Satellite ISPs / Mobile ISPs - DNS requests are cached to increase performance
Comcast/Xfinity clients that are using static IP addressing will need to contact their ISP prior to installation and configuration of the DNSFilter Roaming Client. This is due to EdgeProtection Security. This feature set will block/reject traffic outside DNS Servers. This feature can be disabled by Comcast/Xfinity Customer Support, and it is also advised that the Modem be placed into passthrough mode. This can be accomplished by disabling the firewall features, Local IP Network DHCP, and Wi-Fi services.
If you use T-Mobile's Business Internet Product, which is their primary fixed location/ISP backup service, also comes with a transparent DNS proxy, which filters everything through OpenDNS. You will need to call T-Mobile and ask for the "Productivity Filter" to be removed from your account. This typically takes ~24 hours or less to apply to your account.
Before testing for a suspected transparent DNS proxy as the reason for not experiencing content filtering, refer to our Caching article, which is the reason for most false alarms when content filtering does not appear to be working.
Proxy detection can be accomplished using several methods:
The Browser Test
After you are sure that your settings are correct in the DNSFilter Dashboard and your network is correctly pointing to our <>, visit DNS Leak Test or Whoismydns in your web browser. If the domain names correspond to your Internet Service Provider, your requests are being proxied by your ISP. If the requests correspond to some other address (like 220.127.116.11), then it is likely that you have a firewall/security appliance on your network that has a legacy firewall rule that you will need to change.
The MyIP Test
myip.dnsfilter.com is known only to DNSFilter’s servers. If a non-DNSFilter service performs this DNS request, it will result in an NXDOMAIN (non-existent domain). This can be used to determine if your DNS requests are coming to us or going somewhere else.
In Command Prompt (Windows) or Terminal (MacOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 18.104.22.168
If there is an address in the answer, the DNS request made it to DNSFilter and will print your DNS egress IP address. DNS is not being proxied.
If the response is No answer, DNS is being proxied on the network because only DNSFilter’s servers are aware of this domain name.
Bypass ISP DNS Proxying
If your ISP is transparently proxying DNS, and you would like to use DNSFilter on that network, you can utilize a local firewall to send DNSFilter traffic on port:5353, which will not be proxied by the ISP. In the case where 5353 is still proxied, we do have another port, 5354 (udp only), which you can utilize as well.
Here’s an example of how to accomplish this using the most common Linux firewall, iptables. This same logic can be applied to any firewall make/model. This can be applied in
iptables.conf or from the shell.
*nat :PREROUTING ACCEPT [2:143] :INPUT ACCEPT [2:143] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [2:134] -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 22.214.171.124:5353 -A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 126.96.36.199:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 188.8.131.52:5353 iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 184.108.40.206:5353
In order to forward port 53 to port 5353 or 5354 within pfSense, you will have to take three actions:
- Browse to Firewall > Aliases > IP and create a new alias that references the DNSFilter anycast addresses (220.127.116.11 / 18.104.22.168) and any addresses for NAT IPs if you plan to use them.
- Navigate to Firewall > NAT > Port Forward and create a new rule that redirects LAN interface traffic on port 53 to the DNSFilter alias on port 5353 or 5354.
- Edit firewall rules to deny traffic on port 53 and allow it on port 5353 or 5354.
Article is closed for comments.