bypassing ISP DNS

[Nathan111]

hi guys
i am using asus wrt-merlin firmware on my router
i just realised that even though I have set 8.8.8.8 as my DNS in the router and on the laptop, my ISP is not accepting these DNS for queries online. It is using its own DNS (I checked through multiple DNS leak test websites) and also this ISP is blocking websites like porn since its forcing its own DNS.

my question is, is it possible to force custom dns like 8.8.8.8 on my router to bypass the DNS server being used by ISP ? if yes, how ?

 

[yk101]

As far as I know, the only reliable way to do that is to use VPN. Your ISP would otherwise re-direct all port 53 queries to its own DNS.

 

[Nathan111]

As far as I know, the only reliable way to do that is to use VPN. Your ISP would otherwise re-direct all port 53 queries to its own DNS.

exactly. someone somewhere suggested that I could forward all dns queries from port 53 to port 54 and to another DNS server using this firmware. is that a possibility?

 

[ColinTaylor]

It would be best if you could just get your ISP to stop hijacking your DNS queries. Sometimes this is just an account option with your ISP that you can turn off on their website. Where I am the "safe browsing" option is enabled by default with a lot of ISPs but it's easy enough to change it.

 

[yk101]

exactly. someone somewhere suggested that I could forward all dns queries from port 53 to port 54 and to another DNS server using this firmware. is that a possibility?

You could, but that would assume that the other DNS is listening on port 54, and you ISP is not doing SPI on the traffic.

 

[Nathan111]

It would be best if you could just get your ISP stop hijacking your DNS queries. Sometimes this is just an account option with your ISP that you can turn off on their website. Where I am the "safe browsing" option is enabled by default with a lot of ISPs but it's easy enough to change it.

thats not a possibility. i am sure there is someway i can redirect all port 53 dns queries elsewhere through this merlin firmware settings. i'm just not too familiar with it all.

 

[Nathan111]

You could, but that would assume that the other DNS is listening on port 54, and you ISP is not doing SPI on the traffic.

where is this setting in merlin panel to redirect dns queries?

 

[yk101]

where is this setting in merlin panel to redirect dns queries?

There is no GUI setting for that - you would need to edit some config files. It is not worth the trouble! Just use VPN!

 

[Nathan111]

i already am using VPN but i want to fix this too. im pretty sure no VPN config files are required here.
if I can setup a DNS server that listens on custom port like 54, 55. Then forward all queries from router's 53 to that DNS on 55 - it could work. But where do I add these forwards for specific ports?

 

[ColinTaylor]

You can't change the port with the router because the port is dictated by the DNS server not the client. It's no good sending a DNS request to 8.8.8.8 on port 1234 when the DNS server at 8.8.8.8 is only listening on port 53.

Perhaps you could use DNSSEC DNSCrypt instead of DNS. I don't know much about it but I believe that uses different ports.

EDIT: Typo: meant DNSCrypt not DNSSEC

 

[Nathan111]

You can't change the port with the router because the port is dictated by the DNS server not the client. It's no good sending a DNS request to 8.8.8.8 on port 1234 when the DNS server at 8.8.8.8 is only listening on port 53.

Perhaps you could use DNSSEC instead of DNS. I don't know much about it but I believe that uses different ports.

i just mentioned above I could have a DNS server running (of my own) at a custom port and then use it.
can someone here just tell me how to redirect traffic from certain ports to different ones in the merlin GUI ? for example redirecting all traffic going to port 53 to a custom port 1234 of my choice and to my own DNS server (that is listening on 1234)

 

[ColinTaylor]

i just mentioned above I could have a DNS server running (of my own) at a custom port and then use it.

I thought you were talking about another server on your LAN, but if it's on the internet then it should work.

can someone here just tell me how to redirect traffic from certain ports to different ones in the merlin GUI ? for example redirecting all traffic going to port 53 to a custom port 1234 of my choice and to my own DNS server (that is listening on 1234)

You can't do that in the GUI. You'd have to write a user script that uses iptables to DNAT the DNS requests.

 

[Zastoff]

Maybe you could try Dnscrypt-proxy?

Redirect all DNS queries on your network to dnscrypt if user chooses to.
And maybe choose DOH(Dns over https) dns servers

 

[underdose]

With Unbound you can use Cloudflare's 1.1.1.1 (DNS over TLS) with port 853 however that doesn't let you visit sites blocked by your ISP, at least in Turkey where all ISP's are required to block certain websites including Wikipedia and imgur as well as almost all porn sites.

 

[Twiglets]

What you are missing is that even if you run your own DNS Server on another Port it WILL need to get to an external address that your ISP can block !!!
Also your own DNS Server will be getting its data from upstream DNS Servers that your ISP can see & block.

Regardless of what port you send your DNS queries to, they can be detected because DNS Traffic has an identifiable format.
Any ISP can redirect DNS traffic if it can detect it and consequently filter access as they see fit. [Some do as a default BUT allow you to opt out, others it is not negotiable ]

The only way to get past this is if you can make your DNS Traffic invisible to any form of packet inspection (SPI, as mentioned earlier) AND to get beyond the ISP's/Countrys Address blocks.
This means encrypting your DNS traffic and using a unrestricted VPN to traverse out of the ISP's/Countrys network completely.
Note VPN's can be blocked as well or if allowed the Address Blocks can still apply at the local POP (as a condition of allowing the VPN to have a POP in the country !!!)

You could also try DNS over HTTPS (DoH) or DNS Over TLS (DoTLS) both can be detected but decryption is very hard (at least). DoH 'hides' in all the other HTTPS traffic and blocking it could impact other HTTPS Traffic so is a bit harder to do if you want HTTPS to work for others.

Regardless of your efforts the problem is always 'Addresses can be blocked' by your ISP or even at a national level !!!

 

[Twiglets]

A simple test is to ask for the IP Address of a Site you cannot currently get to via DNS.
If you cannot get to the site via the IP Address then there are probably Address Blocks in place.
DNS will not work around this !!!

VPN's may be able to if you can get outside of the control of your ISP / Country.