Making DNS work when your ISP blocks port 53
By Kristopher A. Nelson
in
October 2015
400 words / 2 min.
Tweet
Share
As I was curious about the methods and approaches of so-called “Smart DNS” services to get around geo-blocking, I wanted to experiment with a variety of them to see how they functioned. Frustratingly, I couldn’t get any of them to work. I could change my DNS servers (on my router, on my Windows machine, on […]
Please note that this post is from 2015. Evaluate with care and in light of later events.
As I was curious about the methods and approaches of so-called “Smart DNS” services to get around geo-blocking, I wanted to experiment with a variety of them to see how they functioned.
Frustratingly, I couldn’t get any of them to work. I could change my DNS servers (on my router, on my Windows machine, on my Mac, and on my Linux box) to point to the correct servers but… nothing. No DNS. Thinking perhaps my ISP (which happens to be my university, since I’m on their network) was restricting DNS so that I had to use the official ones, I tried Google’s DNS and OpenDNS, both of which worked just peachy.
I decided my provider must be allowing some but not all external DNS servers to be used, probably for some security/malware threat evasion (maintaining undergraduate access to a university network must be a nightmare).
Once I realized at least some DNS providers allowed non-standard port access (though none seemed to support DNSCrypt, which at first glance looked like a decent possibility)–and having confirmed it worked via Linux’s “dig” command — I set out making my network do this.
But how? On most systems, you can’t just say use 8.8.8.8:5353 and have the new port start working (maybe it works on some; I didn’t check deeply). And the old router I was using for this didn’t support this either (and I didn’t want to get another router and go with DD-WRT, which I do use on my “real” network).
So instead I put DNSMasq on my Linux machine inside the network, made sure the firewall allowed incoming queries to it on port 53, and directed my router to query my internal DNS server.
DNSMasq supports alternative ports for outgoing connections by just putting a colon and the port (8.8.4.4:5353, for example). And voilà — it works.
Now I can play around with these “Smart DNS” systems (which seem to be a kind of selective proxy, which is cool but not super-technically exciting in itself, and is only sort of DNSy anyway).
Note: I ended this experiment after a week or so. As a technical demonstration, it worked; as a practical matter, I don’t need to do this nor do I actually need a “Smart DNS” service.