
Are there any ISPs that will quit hijacking my fucking DNS


Thread replies: 12
Thread images: 1

File: 1503875028960.png (192KB, 487x304px)
Are there any ISPs that will quit hijacking my fucking DNS
>>
>>62274414
No.
>>
>>62274488
reeeeeeeeee

why
>>
Just use DNScrypt
>>
>tfw blocked from frequent sites

pls stop
>>
>>62274414
all of them, just set your own dns you dingus
>>
You're going to need four dnscrypt resolvers and an unbound forwarder.

Under the server: section in your unbound config, you'll need this
    do-not-query-localhost: no
    module-config: "iterator"


Make this your forward zone config
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5301
    forward-addr: 127.0.0.1@5302
    forward-addr: 127.0.0.1@5303
    forward-addr: 127.0.0.1@5304


Then copy /etc/dnscrypt-proxy.conf to /etc/dnscrypt-proxy-1.conf through -4.conf. Change the listening ports on each of them to 5301 through 5304 and set each of their resolvers to something different.

Create /etc/systemd/system/dnscrypt@.service with these contents
[Unit]
Description=dnscrypt-proxy

[Service]
ExecStart=/usr/local/sbin/dnscrypt-proxy /etc/dnscrypt-proxy-%i.conf
Restart=always

[Install]
WantedBy=multi-user.target


Then systemctl enable --now dnscrypt@1 through dnscrypt@4 and start and enable unbound as well.

Put nameserver 127.0.0.1 in /etc/resolv.conf and if you use network manager, put this in /etc/NetworkManager/NetworkManager.conf

[main]
dns=none

to prevent it from overwriting your config.

Last step, egress filter UDP port 53. This will prevent unencrypted dns queries from escaping. Make your netfilter config look like this
# iptables -nL OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 127.0.0.1
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53

If we didn't have the ACCEPT all packets to 127.0.0.1, we wouldn't even be able to query localhost. Then, if it's not to localhost, and it's on udp port 53, just drop it.
>>
>>62275162
Doesn't matter, DNS requests are sent in the clear.
>>
>>62275675

You can probably do it with these commands
# iptables -F OUTPUT
# iptables -I OUTPUT -d 127.0.0.1 -j ACCEPT
# iptables -A OUTPUT --proto udp --dport 53 -j DROP


Don't forget to set up iptables persistence, however that's done on your distro.

Oh and I just realized, in my first post, you might need to change /usr/local/sbin/dnscrypt-proxy to /usr/bin/env dnscrypt-proxy


Best of luck anon.
>>
>>62275678
>DNS requests are sent in the clear.

DNSCurve encrypts connections between origin nameservers, and a cache.
DNSCrypt encrypts connections between a client and a cache.
>>
>>62275678
He can enforce dnssec if he doesn't care about them being read but wants the ISP to not fuck with them (e.g., because they redirect invalid URLs to their own "hey we didn't find that, maybe you were looking for something like this OH BTW HERE, ADS" page) Or he can use dnscrypt like the other anons are talking about, which is kind of a pain to set up but provides both integrity and confidentiality. Or he can just get a VPN provider. DNS requests will go through the tunnel. His ISP won't be able to read or tamper with them, and they'll hit either the VPN provider's DNS, or come out on their end and travel to whatever other DNS server he selects.

The one thing all of these have in common is that you need to stop using the ISP's default DNS servers. Some of them are real dickweeds about this and try to redirect everything on port 53 to themselves.
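An added example (not from any poster in this thread) of the NXDOMAIN check this post describes: it parses raw DNS replies and flags a resolver that answers a name that cannot exist with an A record instead of NXDOMAIN; the live check defaults to 127.0.0.1, so it also verifies the unbound/dnscrypt setup from the earlier post. The two sample replies and the name qzk7x2.invalid are constructed, and check_resolver, classify and the other function names are mine.

```python
import os, socket, struct
def build_query(name, qtype=1):
    """Minimal DNS query (recursion desired) for `name`; returns the raw packet."""
    header = struct.pack(">HHHHHH", int.from_bytes(os.urandom(2), "big"), 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # qclass IN

def _skip_name(data, off):
    """Advance past a (possibly compressed, RFC 1035 4.1.4) name; return the new offset."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += data[off] + 1
    return off + 1

def parse_response(data):
    """Return (rcode, [A-record IPs]) from a raw DNS response packet."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def classify(data):
    """Verdict for a reply to a name that cannot exist: an honest resolver says NXDOMAIN."""
    rcode, ips = parse_response(data)
    return "nxdomain" if rcode == 3 else ("hijacked" if rcode == 0 and ips else "other")

def check_resolver(server="127.0.0.1", port=53, timeout=3.0):
    """Query `server` for a random label under .invalid (RFC 2606) and classify the reply."""
    query = build_query(os.urandom(4).hex() + ".invalid")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
    return classify(data) if data[:2] == query[:2] else "other"  # reply ID must match ours
# Constructed sample replies (not real captures) to the question "qzk7x2.invalid":
# an honest NXDOMAIN, and one where the resolver synthesized an A record instead.
_Q = build_query("qzk7x2.invalid")[12:]
HONEST = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
```

Run check_resolver() against 127.0.0.1 after the setup above and against the ISP's resolver address; "hijacked" from the latter is the behaviour this post is talking about.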
>>
>>62274414
>his ancestors fell for the america meme

