A transparent DNS proxy is the practice of intercepting DNS requests destined for a specific recursive DNS server (like DNSFilter), and sending the DNS requests to a completely different DNS server.
Who is typically proxied?
Most "hardwired" ISPs (cable, DSL, fiber) in North America and Europe are not using transparent DNS proxies.
Satellite ISPs and Telecom providers (3g/4g/LTE) are commonly using transparent DNS proxies for performance reasons.
This can be accomplished via:
- Firewall (Direct NAT)
- Network Security Appliance (Security Feature)
- Software (Security Feature)
- ISP DNS Caching
Transparent proxying is typically employed for one of the following reasons:
- Security (Local network) - To prevent the circumvention of a content filtering service (such as DNSFilter).
- Government Regulation - ISPs in Africa, Asia, and The Middle East typically have enforcement of government-mandated content filtering and/or traffic logging.
- Satellite ISPs / Mobile ISPs - DNS requests are cached to increase performance
Troubleshooting the lack of filtering?
Before testing for a suspected transparent DNS proxy as the reason for not experiencing content filtering, refer to our Caching article, which is the reason for most false alarms when content filtering does not appear to be working.
Proxy detection can be accomplished via several methods:
After you are sure that your settings are correct in the DNSFilter Dashboard and your network is correctly pointing to our Anycast IPs - Anycast IPs - Anycast is a technology DNSFilter uses to enable DNS requests from customers to hit the nearest servers to them. This allows for a fast response time. Our anycast addresses are 126.96.36.199 and 188.8.131.52 , visit DNS Leak Test or Whoismydns in your web browser. If the domain names correspond to your Internet Service Provider, your requests are being proxied by your ISP. If the requests correspond to some other address (like 184.108.40.206) then is is likely that you have a firewall/security appliance on your network that has a legacy firewall rule that you will need to change.
myip.dnsfilter.com is known only to DNSFilter's servers. If a non-DNSFilter service performs this DNS request, it will result in an NXDOMAIN (non-existent domain). This can be used to determine if your DNS requests are coming to us or going somewhere else.
In Command Prompt (Windows) or Terminal (MacOS/Linux), run the following command:
nslookup myip.dnsfilter.com. 220.127.116.11
If there is an address in the answer, the DNS request made it to DNSFilter, and will print your DNS egress IP address. DNS is not being proxied.
DNS request received by DNSFilter
If the response is No answer, DNS is being proxied on the network, because only DNSFilter's servers are aware of this domain name.
DNS request proxied away from DNSFilter
If your ISP is transparently proxying DNS, and you would like to use DNSFilter on that network, you can utilize a local firewall to send DNSFilter traffic on port :5353, which will not be proxied by the ISP.
Here's an example of how to accomplish this using the most common Linux firewall, iptables. This same logic can be applied to any firewall make/model. This can be applied in
iptables.conf or from the shell.
*nat :PREROUTING ACCEPT [2:143] :INPUT ACCEPT [2:143] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [2:134] -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 18.104.22.168:5353 -A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 22.214.171.124:5353
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 126.96.36.199:5353 iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 188.8.131.52:5353
In order to forward port 53 to port 5353 within pfSense, you will have to take three actions:
- Browse to Firewall > Aliases > IP and create a new alias which references the DNSFilter anycast addresses (184.108.40.206 / 220.127.116.11) and any addresses for NAT IPs if you plan to use them.
Creating a new Aliases IP
- Navigate to Firewall > NAT > Port Forward and create a new rule that redirects LAN interface traffic on port 53 to the DNSFilter alias on port 5353.
Creating a Port Forward rule
- Edit firewall rules to deny traffic on port 53 and allow on port 5353.
Creating a LAN Firewall rule