Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I am a long-time Linux lover and user. I have experience creating and managing Linux servers, but now I need some help doing something absolutely evil. Don't judge me yet, just read on.
My ISP is EVIL. Their DNS server will "resolve" nonexistent domains to some stupid search page of theirs, naturally full of paid ads. I feel cheated, I pay for a premium internet service, not to be subject to their marketing campaigns.
So, I did what everyone else would do: set up a DNS server of my own. Now the next hurdle. My ISP also does Deep-Packet Inspection on DNS requests not going through their DNS servers and changes failed DNS queries to successful queries ... to their lovely search page full of paid ads. Now I have a local DNS server constantly being poisoned by my evil ISP. No luck there.
I currently use DNSMasq, it's great, but I want to use BIND. DNSMasq has this nice option, bogus-nxdomain, which allows me to get rid of all this search page crap and restore Internet to what it is meant to be: free and neutral. I want to do the same with BIND9, and I can't find a way.
Have you had this problem? How did you solve it?
As one option to solve the problem I am considering doing the very thing I am fighting: Fight fire with fire: if Deep-Packet Inspection can insert NX records inside a failed DNS query, making it look like the nonexistent domain genuinely resolves to that page (thus making it successful), maybe I can do the same with successful DNS queries to force them to fail if they come back pointing to that nasty search page.
Either way: configuring BIND to reject attempts to get its cache poisoned, or configuring IPTables to rewrite DNS queries, is beyond my immediate Linux expertise.
How is either (or both) of these done? How would you go about doing it?
Can I humbly ask for help from someone who has had these problems before?
If you don't mind the performance hit, how about proxying DNS instead?
That's what I have right now. I use DNSMasq and its bogus-nxdomain feature gets rid of all the nastiness for me. The problem is that it still lands on my ISP's corrupted DNS server. It works and it works well, but not quite as fast as I would like.
What I really want is performance in terms of less latency, and that means BIND running locally, bypassing as much of my ISP's poisoned infrastructure as possible. I haven't used BIND for a while, but I remember it being a bit snappier than what I see from DNSMasq right now. That's one of the reasons I want it. The other has to do with an experiment I want to do with it this weekend.
The question of the day is how to get BIND to do what DNSMasq does right now.
As far as I understand it your ISP (one of the 72, according to Kaminsky) intercepts upstream NXDOMAIN to return an A record redirecting to an ad server. DNSMasq "just" filters those answers. But you're still using your ISP's DNS servers. If it's true that your ISP does deep packet inspection then apart from opt-out choices or voting with your wallet using other DNS servers obviously won't help unless you can "shield" requests. No, I'm talking about proxying requests to other DNS servers using either an SSH tunnel or TOR (or maybe even DeleGate?). None will show performance gain in terms of speed but in terms of integrity of answers (OK, unless the far side NS is wonky as well). Apart from the fact that it is bad behaviour to change results regardless, how often do you actually see problems with nonexistent domains or subdomains? Just curious...
Quote:
Originally Posted by y371
It works and it works well, but not quite as fast as I would like. What I really want is performance in terms of less latency, and that means BIND running locally
I don't know if in your case ISC BIND == less latency. You'd have to benchmark resolving uncached and cached lookups for that I guess. If you only need caching there's probably more lightweight SW around and with more features as well like persistent caching.
Quote:
Originally Posted by y371
bypassing as much of my ISPs poisoned infrastructure as possible.
Just to make sure: as long as you forward queries to your ISP's DNS servers bypassing just isn't happening.
Quote:
Originally Posted by y371
The question of the day is how to get BIND to do what DNSMasq does right now.
With ISC BIND you can bogus/blackhole to excommunicate whole NSes but I haven't seen a more fine-grained option equivalent of DNSMasq's "bogus-nxdomain".
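What dnsmasq's bogus-nxdomain option does, and what the original poster wants from BIND, comes down to one rule: if an answer carries an A record pointing at one of the ISP's search-page addresses, hand the client NXDOMAIN instead of that answer. The following is an added example written for this thread; it is not code from dnsmasq, ISC BIND, or any poster here. It implements that rule as a standalone filter over raw DNS wire-format messages, the kind of logic a small local forwarding proxy could apply to upstream replies. The 192.0.2.x and 198.51.100.x addresses and the sample responses are constructed placeholders (documentation ranges), not a real ISP's addresses.

```python
import socket
import struct

# Constructed placeholders for the addresses an ISP's "search page" resolves to
# (documentation ranges, not a real ISP's); an operator would fill in the real ones.
BOGUS_ANSWER_IPS = {"192.0.2.10", "192.0.2.11"}

TYPE_A = 1
CLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, flags, qname, a_records=()):
    """Build a minimal response with one A question and the given A answers."""
    msg = struct.pack("!6H", txid, flags, 1, len(a_records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip in a_records:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        msg += socket.inet_aton(ip)
    return msg


def read_name(msg, offset):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return (header tuple, offset where the question section ends, answer list)."""
    header = struct.unpack("!6H", msg[:12])
    qdcount, ancount = header[2], header[3]
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    question_end = offset
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return header, question_end, answers


def rcode(msg):
    """Response code from the flags word (0 = NOERROR, 3 = NXDOMAIN)."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def bogus_nxdomain_filter(msg, bogus_ips):
    """Equivalent of dnsmasq's bogus-nxdomain: if any A answer points at a
    bogus address, return a NXDOMAIN reply carrying only the question section
    (all answer, authority and additional records dropped). Returns (message, rewritten?)."""
    header, question_end, answers = parse_response(msg)
    txid, flags, qdcount = header[0], header[1], header[2]
    hijacked = any(rtype == TYPE_A and socket.inet_ntoa(rdata) in bogus_ips
                   for _, rtype, _, _, rdata in answers)
    if not hijacked:
        return msg, False
    new_flags = (flags & 0xFFF0) | RCODE_NXDOMAIN  # keep QR/RD/RA bits, set rcode
    new_header = struct.pack("!6H", txid, new_flags, qdcount, 0, 0, 0)
    return new_header + msg[12:question_end], True


# Constructed sample responses (flags 0x8180 = QR, RD, RA, NOERROR).
HIJACKED = build_response(0x1234, 0x8180, "nosuchdomain.example", ["192.0.2.10"])
LEGIT = build_response(0x1235, 0x8180, "www.example", ["198.51.100.7"])

if __name__ == "__main__":
    for label, resp in (("hijacked", HIJACKED), ("legit", LEGIT)):
        out, changed = bogus_nxdomain_filter(resp, BOGUS_ANSWER_IPS)
        print(f"{label}: rewritten={changed} rcode={rcode(out)} bytes={len(out)}")
```

The filter keys on the answer address rather than the queried name, which is the same trade-off dnsmasq makes: it catches every hijacked NXDOMAIN regardless of name, but it also turns a genuine record into NXDOMAIN if that record happens to point at a listed address, so the bogus address list should be checked against what the ISP actually returns before it is put in front of real clients.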