Are there any ISPs that will quit hijacking my fucking DNS
>>62274414
No.
>>62274488
reeeeeeeeee
why
Just use DNScrypt
>tfw blocked from frequent sites
pls stop
>>62274414
all of them, just set your own dns you dingus
You're going to need four dnscrypt resolvers and an unbound forwarder.
Under the server: section in your unbound config, you'll need this:
do-not-query-localhost: no
module-config: "iterator"
Make this your forward zone config:
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5301
    forward-addr: 127.0.0.1@5302
    forward-addr: 127.0.0.1@5303
    forward-addr: 127.0.0.1@5304
Then copy /etc/dnscrypt-proxy.conf to /etc/dnscrypt-proxy-1.conf through -4.conf. Change the listening ports on each of them to 5301 through 5304 and set each of their resolvers to something different.
Create /etc/systemd/system/dnscrypt@.service with these contents:
[Unit]
Description=dnscrypt-proxy
[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy /etc/dnscrypt-proxy-%i.conf
Restart=always
[Install]
WantedBy=multi-user.target
Then systemctl enable --now dnscrypt@1 through dnscrypt@4 and start and enable unbound as well.
Put nameserver 127.0.0.1 in /etc/resolv.conf and if you use network manager, put this in /etc/NetworkManager/NetworkManager.conf:
[main]
dns=none
to prevent it from overwriting your config.
Last step, egress filter UDP port 53. This will prevent unencrypted dns queries from escaping. Make your netfilter config look like this:
# iptables -nL OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
If we didn't have the ACCEPT all packets to 127.0.0.1, we wouldn't even be able to query localhost. Then, if it's not to localhost, and it's on udp port 53, just drop it.
>>62275162
Doesn't matter, DNS requests are sent in the clear.
>>62275675
You can probably do it with these commands:
# iptables -F OUTPUT
# iptables -I OUTPUT -d 127.0.0.1 -j ACCEPT
# iptables -A OUTPUT --proto udp --dport 53 -j DROP
Don't forget to setup iptables persistence, however that's done on your distro.
Oh and I just realized, in my first post, you might need to change /usr/local/sbin/dnscrypt-proxy to /usr/bin/env dnscrypt-proxy
Best of luck anon.
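As an added example (not from the thread or any anon's post), a POSIX shell check for the egress filter described in the two posts above: it parses an iptables -nL OUTPUT listing and verifies that the loopback ACCEPT sits above the udp/53 DROP, the ordering pitfall the first post calls out. The sample listings and the function name audit_dns_egress are constructed here, not captured from a real host.

```shell
#!/bin/sh
# Audit an `iptables -nL OUTPUT` listing for the DNS egress filter above.
# The ACCEPT to 127.0.0.1 must come BEFORE the udp/53 DROP, otherwise
# queries to unbound on localhost are dropped as well.
# Live use:  audit_dns_egress "$(iptables -nL OUTPUT)"

# Constructed sample listings (not from a real machine).
# 1) The layout the post asks for.
SAMPLE_OK='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# 2) Same rules, wrong order (both added with -A instead of -I for the ACCEPT).
SAMPLE_WRONG_ORDER='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     all  --  0.0.0.0/0            127.0.0.1'

# 3) Nothing filtered at all.
SAMPLE_EMPTY='Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# audit_dns_egress LISTING
# Returns 0 and prints OK only when a DROP for udp dpt:53 exists and an ACCEPT
# with destination 127.0.0.1 sits above it. Prints a non-fatal NOTE when tcp/53
# is left open, since resolvers fall back to TCP for truncated answers.
audit_dns_egress() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^target / { next }   # skip chain and column headers
        # -nL columns: $1 target, $2 prot, $3 opt, $4 source, $5 destination, then match text
        $1 == "ACCEPT" && $5 == "127.0.0.1" && !accept { accept = NR }
        $1 == "DROP" && $2 == "udp" && /dpt:53( |$)/ && !udp_drop { udp_drop = NR }
        $1 == "DROP" && $2 == "tcp" && /dpt:53( |$)/ { tcp_drop = NR }
        END {
            if (!udp_drop) { print "FAIL: no DROP rule for udp dpt:53, plain DNS can leave the host"; exit 1 }
            if (!accept)   { print "FAIL: no ACCEPT for destination 127.0.0.1, local resolver unreachable"; exit 1 }
            if (accept > udp_drop) { print "FAIL: loopback ACCEPT is below the udp/53 DROP, insert it with -I"; exit 1 }
            if (!tcp_drop) print "NOTE: tcp dpt:53 is not dropped, TCP fallback queries still leave in the clear"
            print "OK: udp/53 egress dropped, loopback allowed first"
        }'
}
```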
>>62275678
>DNS requests are sent in the clear.
DNSCurve encrypts connections between origin nameservers, and a cache.
DNSCrypt encrypts connections between a client and a cache.
>>62275678
He can enforce dnssec if he doesn't care about them being read but wants the ISP to not fuck with them (e.g., because they redirect invalid URLs to their own "hey we didn't find that, maybe you were looking for something like this OH BTW HERE, ADS" page). Or he can use dnscrypt like the other anons are talking about, which is kind of a pain to set up but provides both integrity and confidentiality. Or he can just get a VPN provider. DNS requests will go through the tunnel. His ISP won't be able to read or tamper with them, and they'll hit either the VPN provider's DNS, or come out on their end and travel to whatever other DNS server he selects.
The one thing all of these have in common is that you need to stop using the ISP's default DNS servers. Some of them are real dickweeds about this and try to redirect everything on port 53 to themselves.
>>62274414
>his ancestors fell for the america meme