Transparent Proxying

Article author: Josh Lamb

Transparent DNS proxying is the practice of intercepting DNS requests destined for a specific recursive DNS server (such as DNSFilter) and answering them from, or forwarding them to, a completely different DNS server. The client still believes it is talking to the resolver it configured, which is what makes the proxy "transparent".


Who is typically proxied?

Most "hardwired" ISPs (cable, DSL, fiber) in North America and Europe do not use transparent DNS proxies.

Satellite ISPs and mobile telecom providers (3G/4G/LTE) commonly use transparent DNS proxies for performance reasons, answering queries from their own cache instead of letting them reach the resolver you chose.

Proxying can happen via:

  • Firewall (Direct NAT)
  • Network Security Appliance (Security Feature)
  • Software (Security Feature)
  • ISP DNS Caching

Transparent proxying is typically employed for one of these reasons:

  • Security (local network) - To prevent circumvention of a content filtering service (such as DNSFilter) by devices that point at another resolver.
  • Government regulation - ISPs in Africa, Asia, and the Middle East are typically required to enforce government-mandated content filtering and/or traffic logging.
  • Satellite ISPs / mobile ISPs - DNS requests are answered from the ISP's cache to increase performance.

Proxy Detection

No filtering?

Before testing for a transparent DNS proxy as the reason content filtering is not taking effect, refer to our Caching article: stale DNS caches (on the client, the browser, or a local resolver) are the cause of most false alarms when filtering appears not to be working.

Proxy detection can be accomplished using several methods:

The Browser Test

After you are sure that your settings are correct in the DNSFilter Dashboard and your network is correctly pointing to our <>, visit DNS Leak Test or Whoismydns in your web browser. The resolvers listed should belong to DNSFilter. If the domain names correspond to your Internet Service Provider instead, your requests are being proxied by your ISP. If the requests correspond to some other address (like 8.8.8.8), it is likely that a firewall or security appliance on your own network has a legacy rule redirecting DNS that you will need to change.

The MyIP Test

The domain myip.dnsfilter.com is known only to DNSFilter's servers. If any other resolver handles this query, the result is NXDOMAIN (non-existent domain). This makes it a reliable way to determine whether your DNS requests are reaching us or going somewhere else.

In Command Prompt (Windows) or Terminal (MacOS/Linux), run the following command:

nslookup myip.dnsfilter.com. 103.247.36.36

If the answer contains an address, the DNS request reached DNSFilter; the address returned is your DNS egress IP (the source address DNSFilter saw the query arrive from). DNS is not being proxied.


If the response is an error such as NXDOMAIN, Non-existent domain, or No answer instead of an address, DNS is being proxied on the network, because only DNSFilter's servers are aware of this domain name. A timeout ("connection timed out; no servers could be reached") is a different symptom: the query was dropped rather than answered by a proxy, so check for a firewall blocking port 53 first.

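The MyIP test above, scripted so the result does not have to be read by eye. This is an added example and not DNSFilter's own tooling: classify_reply parses the text that nslookup prints on Linux, macOS or Windows and reports whether the query reached DNSFilter directly, was answered by some other resolver (proxied), or got no reply at all (blocked, not proxied). check_dns_proxy runs the live query. The sample replies embedded in the script are constructed for offline use, and the egress address 203.0.113.10 is a documentation address, not a real result.

```shell
#!/bin/sh
# Added example (not DNSFilter's own tooling): classify the reply to the
# myip.dnsfilter.com test instead of reading nslookup output by eye.

DNSFILTER_RESOLVER=103.247.36.36   # anycast address used in the article

# classify_reply REPLY_TEXT
# Prints one of:
#   direct <ip>   an answer record came back: the query reached DNSFilter and
#                 <ip> is the DNS egress address DNSFilter saw
#   proxied       NXDOMAIN / "Non-existent domain" / "No answer": some other
#                 resolver answered, because only DNSFilter knows this name
#   unreachable   no reply at all: port 53 to that server is blocked or dropped,
#                 which is a different problem from transparent proxying
#   unknown       output matched none of the above
classify_reply() {
  printf '%s\n' "$1" | awk '
    # nslookup prints the server it used as an "Address:" line first; the
    # answer "Address:" line only ever follows a "Name:" line, so key on that.
    /^Name:/ { in_answer = 1; next }
    in_answer && /^Address(es)?:/ {
      sub(/^Address(es)?:[ \t]*/, ""); sub(/#.*$/, "")
      print "direct " $0; found = 1; exit
    }
    /NXDOMAIN|Non-existent domain|No answer/ { proxied = 1 }
    /timed out|no servers could be reached/  { timeout = 1 }
    END {
      if (found) exit 0
      if (proxied) print "proxied"
      else if (timeout) print "unreachable"
      else print "unknown"
    }'
}

# Live check against a resolver (defaults to DNSFilter). Needs network access.
check_dns_proxy() {
  classify_reply "$(nslookup myip.dnsfilter.com. "${1:-$DNSFILTER_RESOLVER}" 2>&1)"
}

# Constructed sample replies (not captured from a real network) covering the
# output formats of Linux/macOS and Windows nslookup.
SAMPLE_LINUX_DIRECT="Server:         103.247.36.36
Address:        103.247.36.36#53

Non-authoritative answer:
Name:   myip.dnsfilter.com
Address: 203.0.113.10"

SAMPLE_LINUX_PROXIED="Server:         103.247.36.36
Address:        103.247.36.36#53

** server can't find myip.dnsfilter.com: NXDOMAIN"

SAMPLE_WINDOWS_DIRECT="Server:  UnKnown
Address:  103.247.36.36

Non-authoritative answer:
Name:    myip.dnsfilter.com
Address:  203.0.113.10"

SAMPLE_WINDOWS_PROXIED="Server:  UnKnown
Address:  103.247.36.36

*** UnKnown can't find myip.dnsfilter.com: Non-existent domain"

SAMPLE_TIMEOUT=";; connection timed out; no servers could be reached"

# Demo over the constructed samples; run check_dns_proxy for the real thing.
for s in LINUX_DIRECT LINUX_PROXIED WINDOWS_DIRECT WINDOWS_PROXIED TIMEOUT; do
  eval "reply=\$SAMPLE_$s"
  printf '%-16s %s\n' "$s" "$(classify_reply "$reply")"
done
```

Run check_dns_proxy with no argument to test DNSFilter, or pass another resolver address to compare; anything other than "direct" from DNSFilter's own address means the query never reached us.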

Bypass ISP DNS Proxying

If your ISP is transparently proxying DNS and you would like to use DNSFilter on that network, you can use a local firewall to redirect DNS traffic to DNSFilter on port 5353 instead of port 53. Transparent proxies capture port 53 only, so the redirected queries pass through untouched.

iptables

Here's an example of how to accomplish this using the most common Linux firewall, iptables. The same logic can be applied to any firewall make/model. The rules can be loaded from an iptables-save style rules file (shown here as iptables.conf, restored with iptables-restore) or entered from the shell. Note that the nat OUTPUT chain only catches DNS traffic generated by the host itself; on a Linux gateway that forwards DNS for LAN clients, put the same DNAT rules in the nat PREROUTING chain instead. Both UDP and TCP must be redirected, since resolvers fall back to TCP for large responses.

iptables.conf

*nat
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.247.37.37:5353

Shell commands

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 103.247.36.36:5353
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 103.247.37.37:5353
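The same redirect as a small script, added here as an example and not DNSFilter's own code. dns_redirect_rules prints the iptables commands with a -C check in front of each -A so re-running it does not duplicate rules; the "host" mode is the nat OUTPUT configuration from the article, while the "gateway" mode is an assumed extension for a Linux router that uses nat PREROUTING on a LAN interface (eth1 by default) so that clients behind it are redirected too. audit_dns_redirects reads "iptables-save -t nat" output and flags any DNAT rule that catches port 53 but does not deliver it to port 5353, which is exactly the kind of rule an ISP proxy would still intercept. The two iptables-save dumps in the script are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not DNSFilter's own code: generate the port-5353 redirect
# rules idempotently and audit an iptables-save dump for redirects that would
# still be caught by an ISP proxy on port 53.

DNSFILTER_UDP=103.247.36.36   # anycast addresses from the article
DNSFILTER_TCP=103.247.37.37
BYPASS_PORT=5353

# dns_redirect_rules host|gateway [LAN_IFACE]
# Prints the iptables commands. "host" uses the nat OUTPUT chain (traffic the
# box itself generates, as in the article); "gateway" is an assumed extension
# for a Linux router, using nat PREROUTING on the LAN interface so clients
# behind it are redirected too. Every rule is guarded with -C so the script can
# be re-run without duplicating rules.
dns_redirect_rules() {
  mode="$1"; lan_if="${2:-eth1}"
  case "$mode" in
    host)    chain=OUTPUT;     match="" ;;
    gateway) chain=PREROUTING; match="-i $lan_if " ;;
    *) echo "usage: dns_redirect_rules host|gateway [LAN_IFACE]" >&2; return 2 ;;
  esac
  for spec in "udp $DNSFILTER_UDP" "tcp $DNSFILTER_TCP"; do
    set -- $spec   # $1 = protocol, $2 = destination address
    rule="$chain ${match}-p $1 --dport 53 -j DNAT --to-destination $2:$BYPASS_PORT"
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$rule" "$rule"
  done
}

# audit_dns_redirects NAT_DUMP_TEXT
# Reads "iptables-save -t nat" output and prints every DNAT rule that matches
# --dport 53 but does not send the traffic to port $BYPASS_PORT. A destination
# with no port keeps the original port (53), so it is flagged as well.
# Returns 0 when clean, 1 when at least one rule would still be proxied.
audit_dns_redirects() {
  printf '%s\n' "$1" | awk -v want="$BYPASS_PORT" '
    /^-A / && /--dport 53( |$)/ && /-j DNAT/ {
      dest = ""
      for (i = 1; i <= NF; i++)
        if ($i == "--to-destination" || $i == "--to") dest = $(i + 1)
      n = split(dest, parts, ":")
      port = (n > 1) ? parts[n] : "53"
      if (port != want) { print "not bypassed: " $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed iptables-save dumps (not from a real system). The first sends
# TCP to port 53, which the ISP proxy would still catch; the second is correct.
SAMPLE_NAT_BAD="*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.247.37.37:53
COMMIT"

SAMPLE_NAT_GOOD="*nat
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 103.247.36.36:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.247.37.37:5353
COMMIT"

# Demo: print the host rules, then audit both dumps. On a real box (as root):
#   dns_redirect_rules host | sh && audit_dns_redirects "$(iptables-save -t nat)"
dns_redirect_rules host
audit_dns_redirects "$SAMPLE_NAT_BAD" || echo "bad dump flagged, as expected"
audit_dns_redirects "$SAMPLE_NAT_GOOD" && echo "good dump is clean"
```

After applying the rules, re-run the MyIP test; a "direct" result confirms that the redirected queries are reaching DNSFilter through port 5353.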

pfSense

To forward port 53 to port 5353 within pfSense, you need to take three actions:

  1. Browse to Firewall > Aliases > IP and create a new alias which references the DNSFilter anycast addresses (103.247.36.36 / 103.247.37.37) and any addresses for NAT IPs if you plan to use them.
  2. Navigate to Firewall > NAT > Port Forward and create a new rule that redirects LAN interface traffic on port 53 to the DNSFilter alias on port 5353.
  3. Edit the firewall rules to deny traffic on port 53 and allow it on port 5353.
