If a Site is not activating or the Site is offline, the likely cause is transparent proxying from the ISP. A transparent DNS proxy is the practice of intercepting DNS requests destined for a specific recursive DNS server (like DNSFilter) and sending the DNS requests to an entirely different DNS server.
Before testing for a suspected transparent DNS proxy as the reason for not experiencing content filtering, refer to our Caching article, which is the reason for most false alarms when content filtering does not appear to be working.
Proxy detection can be accomplished using several methods:
The Browser Test
After you are certain that your settings are correct in the DNSFilter Dashboard and your network is correctly pointing to the DNSFilter servers (126.96.36.199 and 188.8.131.52), visit DNS Leak Test or Whoismydns in your web browser. If the domain names correspond to your Internet Service Provider, your requests are being proxied by your ISP. If the requests correspond to some other address (like 184.108.40.206), then it is likely that you have a firewall/security appliance on your network that has a legacy firewall rule that you will need to change.
The MyIP Test
myip.dnsfilter.com is known only to DNSFilter’s servers. If a non-DNSFilter service performs this DNS request, it will result in an NXDOMAIN (non-existent domain). This can be used to determine if your DNS requests are coming to us or going somewhere else.
In Command Prompt (Windows) or Terminal (MacOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 220.127.116.11
If there is an address in the answer, the DNS request made it to DNSFilter and will print your DNS egress IP address. DNS is not being proxied.
If the response is No answer, DNS is being proxied on the network because only DNSFilter’s servers are aware of this domain name.
ISPs with Transparent DNS Proxy
Comcast/Xfinity clients that are using static IP addressing will need to contact their ISP before installation and configuration of the DNSFilter Roaming Client. This is due to EdgeProtection Security. This feature set will block/reject traffic outside DNS Servers. This feature can be disabled by Comcast/Xfinity Customer Support, and it is also advised that the Modem be placed into pass-through mode. This can be accomplished by disabling the firewall features, Local IP Network DHCP, and Wi-Fi services.
If you use T-Mobile's Business Internet Product, which is their primary-fixed location/ISP backup service, also comes with a transparent DNS proxy, which filters everything through OpenDNS. You will need to call T-Mobile and ask for the "Productivity Filter" to be removed from your account. This typically takes ~24 hours or less to apply to your account.
Other ISPs may have similar practices that can be resolved by contacting their support.
Bypass ISP DNS Proxying
If your ISP is transparently proxying DNS, and you would like to use DNSFilter on that network, you can utilize a local firewall to send DNSFilter traffic on port:5353, which will not be proxied by the ISP. In the case where 5353 is still proxied, we do have another port, 5354 (UDP only), which you can utilize as well.
Here’s an example of how to accomplish this using the most common Linux firewall, iptables. This same logic can be applied to any firewall make/model. This can be applied in
iptables.conf or from the shell.
:PREROUTING ACCEPT [2:143]
:INPUT ACCEPT [2:143]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:134]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 18.104.22.168:5353
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 22.214.171.124:53
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 126.96.36.199:5353
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 188.8.131.52:5353
To forward port 53 to port 5353 or 5354 within pfSense, you will have to take three actions:
- Browse to Firewall > Aliases > IP and create a new alias that references the DNSFilter anycast addresses (184.108.40.206 / 220.127.116.11) and any addresses for NAT IPs if you plan to use them.
- Navigate to Firewall > NAT > Port Forward and create a new rule that redirects LAN interface traffic on port 53 to the DNSFilter alias on port 5353 or 5354.
- Edit firewall rules to deny traffic on port 53 and allow it on port 5353 or 5354.
Read the article on Transparent Proxying to learn more about it.