LinuxQuestions.org
Old 09-21-2010, 03:49 AM   #1
joenew
Member
 
Registered: Mar 2010
Distribution: slackware 15.0 64bit
Posts: 190

Can't use public external DNS (seems ISP blocks requests)


Hi all.
I'm searching for a workaround that lets me use external DNS servers other than the ones my ISP offers, for example Google Public DNS or OpenDNS.
My internet connection is a little unusual: I use a cellular phone as a modem, connected to my PC over Bluetooth.
My ISP has two access point names (APNs), one suitable for WAP connections, browsing the internet directly from the phone's display, and another one suitable for regular connections from a PC.
I often use the WAP APN to connect from my PC. It works, but there seem to be a few differences and limitations:
- private IP; WAP connections are organized as a LAN
- there seems to be a proxy that rewrites web pages (probably for better viewing on cellular displays)
- the ping utility doesn't work for external IPs outside this "WAP LAN"
And so on... these are the most important limitations I noticed.
But there is another annoying one:
DNS requests to external public DNS services are disabled... look at the following example (the first try is via Google DNS, the second via OpenDNS, the last using my ISP's DNS):
Code:
# dig @8.8.8.8 www.google.com

; <<>> DiG 9.4.2-P2 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached


# dig @208.67.222.222 www.google.com

; <<>> DiG 9.4.2-P2 <<>> @208.67.222.222 www.google.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached


# dig @213.230.155.94 www.google.com

; <<>> DiG 9.4.2-P2 <<>> @213.230.155.94 www.google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65076
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         17208   IN      CNAME   www.l.google.com.
www.l.google.com.       27      IN      A       209.85.135.147
www.l.google.com.       27      IN      A       209.85.135.99
www.l.google.com.       27      IN      A       209.85.135.103
www.l.google.com.       27      IN      A       209.85.135.104
www.l.google.com.       27      IN      A       209.85.135.105
www.l.google.com.       27      IN      A       209.85.135.106

;; AUTHORITY SECTION:
google.com.             12594   IN      NS      ns2.google.com.
google.com.             12594   IN      NS      ns4.google.com.
google.com.             12594   IN      NS      ns3.google.com.
google.com.             12594   IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         17032   IN      A       216.239.32.10
ns2.google.com.         20177   IN      A       216.239.34.10
ns3.google.com.         50283   IN      A       216.239.36.10
ns4.google.com.         12949   IN      A       216.239.38.10

;; Query time: 808 msec
;; SERVER: 213.230.155.94#53(213.230.155.94)
;; WHEN: Tue Sep 21 09:32:04 2010
;; MSG SIZE  rcvd: 284
As you can see, it's possible for me to do a DNS request to my ISP's DNS server, but I can't query an external DNS service.
What exactly is the matter, in your opinion?

It seems that they block something related to ICMP, because if I ping an address like 209.85.135.147 I don't get any response either... just a timeout.
It's strange... I've tried to contact other private IPs (10.x.x.x) on this "LAN" and ping works...

I hope my bad English is clear enough to let you understand the problem.
I hope you have ideas about these limitations and eventually solutions to bypass them.
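
Added example (not part of the original post): a small Python probe that sends the same kind of A query as the dig runs above to each resolver, first over UDP port 53 and then over TCP port 53, so a silently dropped query (timeout) can be told apart from an active rejection or a working path. The function names are this example's own; the resolver addresses are the ones used in the post.

```python
import os, socket, struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Encode a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_reply(data, qid):
    """Return (rcode, answer count); reject anything that is not our reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # wrong id or QR bit clear
        raise ValueError("not a response to our query")
    return RCODES.get(flags & 0xF, str(flags & 0xF)), answers

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(server, name="www.google.com", use_tcp=False, timeout=5.0):
    """One query to server:53; 'timeout' = silently dropped, 'error' = rejected."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qid)
    kind = socket.SOCK_STREAM if use_tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if use_tcp:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack("!H", len(query)) + query)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
            else:
                s.send(query)
                data = s.recv(4096)
        return "%s/%d answers" % parse_reply(data, qid)
    except (OSError, ValueError) as exc:
        return "timeout" if isinstance(exc, socket.timeout) else "error: %s" % exc

if __name__ == "__main__":  # resolvers taken from the dig runs in the post
    for server in ("8.8.8.8", "208.67.222.222", "213.230.155.94"):
        print(server, "udp:", probe(server), "| tcp:", probe(server, use_tcp=True))
```

A timeout on both transports for the external resolvers, next to an answer from the ISP resolver, points at filtering of port 53 traffic leaving the network rather than at a fault in the resolvers themselves.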
 
Old 09-21-2010, 09:36 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790
I doubt you'll be able to bypass it. If the ISP is blocking ICMP and DNS from leaving that network then there's not a great deal you can do about it. Their DNS is obviously working, so is there a reason you don't want to use it?
 
Old 09-22-2010, 03:47 AM   #3
joenew
Member
 
Registered: Mar 2010
Distribution: slackware 15.0 64bit
Posts: 190

Original Poster
Well, sometimes its DNS servers are down, so backup ones would be a simple solution.
Moreover, I've set up a local DNS cache with bind. So I usually resolve addresses by asking the local DNS server, which then contacts the remote root servers to obtain an address that isn't stored... While this seems to work well when I use the PC access point, it doesn't work at all during a "WAP" session. I think root server requests also use the same protocol/ports as regular DNS requests... so they are filtered too.

Anyway, there is a solution (likely more than one...) that I tried in the past. Creating a VPN with an external service lets me route all my traffic through that tunnel, and there are no more limitations. But this is a "hard" way, useful for bypassing all ISP limits. Moreover, an external VPN service or a configurable server is needed.

A softer idea could be to route only DNS requests through the VPN tunnel and leave all other traffic on the "ppp0" interface. I don't know how to do it, but I think it would be possible.

Some time ago there was a good free French VPN service called ultravpn. But it seems to be down at the moment.
I like that service because it was open and accessible directly with openvpn, without strange closed clients and so on.


Another solution could be "miredo", which uses teredo servers and IPv6 to make my machine connectable from the rest of the world.
I've installed miredo, but it seems that IPv6 is blacklisted or otherwise disabled on my actual system (slax-6.1.2).

A third way is an alternative to the usual DNS service, but I can't find a working server for it:
I've found two interesting projects called ssl-dns and https-dns; consider this link:
https://www.privacyfoundation.de/wiki/SSL-DNS

It would be very simple to configure stunnel and launch socat, then turn off an eventual bind listening on port 53 of localhost, and set "nameserver 127.0.0.1" in resolv.conf. But a working remote server that offers this service is needed, and the two reported in that wiki seem not to be up.
I didn't understand the second project well: https://www.privacyfoundation.de/wiki/HTTPS-DNS because it's written in German, but it seems more active.

As you can see, there are many ways to potentially bypass ISP limitations to use external DNS... I'm now searching for the best and simplest.
 
  

