LinuxQuestions.org
Old 01-30-2009, 11:40 AM   #1
y371
Help with DNS poisoning


Hi all,

I am a long-time Linux lover and user. I have experience creating and managing Linux servers, but now I need some help doing something absolutely evil. Don't judge me yet, just read on.

My ISP is EVIL. Their DNS server will "resolve" nonexistent domains to some stupid search page of theirs, naturally full of paid ads. I feel cheated; I pay for a premium internet service, not to be subject to their marketing campaigns.

So, I did what everyone else would do: set up a DNS server of my own. Now the next hurdle. My ISP also does Deep-Packet Inspection on DNS requests not going through their DNS servers and changes failed DNS queries to successful queries ... to their lovely search page full of paid ads. Now I have a local DNS server constantly being poisoned by my evil ISP. No luck there.

I currently use DNSMasq, it's great, but I want to use BIND. DNSMasq has this nice option, bogus-nxdomain, which allows me to get rid of all this search page crap and restore Internet to what it is meant to be: free and neutral. I want to do the same with BIND9, and I can't find a way.

Have you had this problem? How did you solve it?

As one option to solve the problem I am considering doing the very thing I am fighting: fight fire with fire. If Deep-Packet Inspection can insert records inside a failed DNS query, making it look like the nonexistent domain genuinely resolves to that page (thus making it successful), maybe I can do the same with successful DNS queries to force them to fail if they come back pointing to that nasty search page.

Either way: configuring BIND to reject attempts to get its cache poisoned, or configuring IPTables to rewrite DNS queries, is beyond my immediate Linux expertise.

How is either (or both) of these done? How would you go about doing it?

Can I humbly ask for help from someone who has had these problems before?

Thanks!

Last edited by y371; 01-30-2009 at 12:47 PM.
 
Old 01-30-2009, 03:36 PM   #2
unSpawn
If you don't mind the performance hit, how about proxying DNS instead?
 
Old 01-30-2009, 04:36 PM   #3
y371
Quote (originally posted by unSpawn):
If you don't mind the performance hit, how about proxying DNS instead?
That's what I have right now. I use DNSMasq and its bogus-nxdomain feature gets rid of all the nastiness for me. The problem is that it still lands on my ISP's corrupted DNS server. It works and it works well, but not quite as fast as I would like.

What I really want is performance in terms of less latency, and that means BIND running locally, bypassing as much of my ISP's poisoned infrastructure as possible. I haven't used BIND for a while, but I remember it being a bit snappier than what I see from DNSMasq right now. That's one of the reasons I want it. The other has to do with an experiment I want to do with it this weekend.

The question of the day is how to get BIND to do what DNSMasq does right now.
 
Old 01-31-2009, 04:44 AM   #4
unSpawn
Quote (originally posted by y371):
That's what I have right now.
As far as I understand it, your ISP (one of the 72, according to Kaminsky) intercepts upstream NXDOMAIN to return an A record redirecting to an ad server. DNSMasq "just" filters those answers. But you're still using your ISP's DNS servers. If it's true that your ISP does deep packet inspection, then apart from opt-out choices or voting with your wallet, using other DNS servers obviously won't help unless you can "shield" requests. No, I'm talking about proxying requests to other DNS servers using either an SSH tunnel or TOR (or maybe even DeleGate?). None will show performance gain in terms of speed, but in terms of integrity of answers (OK, unless the far side NS is wonky as well). Apart from the fact that it's bad behaviour to change results regardless, how often do you actually see problems with nonexistent domains or subdomains? Just curious...


Quote (originally posted by y371):
It works and it works well, but not quite as fast as I would like. What I really want is performance in terms of less latency, and that means BIND running locally
I don't know if in your case ISC BIND == less latency. You'd have to benchmark resolving uncached and cached lookups for that I guess. If you only need caching there's probably more lightweight SW around and with more features as well like persistent caching.


Quote (originally posted by y371):
bypassing as much of my ISPs poisoned infrastructure as possible.
Just to make sure: as long as you forward queries to your ISP's DNS servers bypassing just isn't happening.


Quote (originally posted by y371):
The question of the day is how to get BIND to do what DNSMasq does right now.
With ISC BIND you can bogus/blackhole to excommunicate whole NSes but I haven't seen a more fine-grained option equivalent of DNSMasq's "bogus-nxdomain".
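What dnsmasq's bogus-nxdomain option does at the wire level, as an added example that is not code from this thread, from dnsmasq or from BIND: a small Python filter that parses a DNS response and rewrites it to NXDOMAIN when an A answer points at a listed ad-server address, which is the check the first post describes and the fine-grained option the last post says BIND lacks. The address 10.0.0.99 and the build_response helper are constructed placeholders for this example, not the ISP's real address.

```python
import socket
import struct

NXDOMAIN = 3
BOGUS_ADDRS = {"10.0.0.99"}  # constructed placeholder for the ISP's ad-server address

def _skip_name(msg, off):
    # Return the offset just past a (possibly compressed) DNS name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def _end_of_question(msg):
    off = 12
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    return off

def rcode(msg):
    return struct.unpack_from("!H", msg, 2)[0] & 0xF

def answer_addresses(msg):
    """Return the IPv4 addresses in the answer section of a response."""
    off, addrs = _end_of_question(msg), []
    for _ in range(struct.unpack_from("!H", msg, 6)[0]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def filter_bogus(msg, bogus=BOGUS_ADDRS):
    """Rewrite a response to NXDOMAIN if any A answer is a listed address."""
    if not any(a in bogus for a in answer_addresses(msg)):
        return msg  # legitimate answer: pass through untouched
    flags = (struct.unpack_from("!H", msg, 2)[0] & 0xFFF0) | NXDOMAIN
    # keep id and question, zero the answer/authority/additional counts and drop those sections
    return msg[:2] + struct.pack("!H", flags) + msg[4:6] + b"\x00" * 6 + msg[12:_end_of_question(msg)]

def build_response(name, addr=None, rc=0):  # constructed sample: one question, optional A answer
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rc, 1, 1 if addr else 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if addr:  # answer name is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg
```

A genuine NXDOMAIN and an answer for any address not in the list pass through unchanged, so the filter only affects responses carrying the listed address.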