Forcing DNS Setting Possible?


T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
My ATT Internet uses their own DNS no matter what I set in PFSENSE or Local.

I've googled the issue and others report the same problem... ATT is having DNS issues and randomly I can't load a website. Established connections, and IP based access continue to work fine.

Is there any way around this to force my own DNS setting?
 

Marsh

Moderator
May 12, 2013
Give it a try
pfSense
  1. Services
  2. DNS Resolver
  3. General Settings

Enable DNS resolver

Enable DNS Query Forwarding
Enable Forwarding Mode
If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
DNS Query Forwarding
Enable Forwarding Mode

This was not checked.

Note: I also set them in Windows 10 and that didn't change anything either.


General Setup:
Allow DNS server list to be overridden by DHCP/PPP on WAN

Not Checked

(In General Setup I define Google DNS & Cloudflare as the ones to use, but they're not.)
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
From your message it sounds like even if you set your Windows boxens to A.N. Other DNS server, it'll still end up at your ISP's resolvers?

In which case that sounds a lot like DNS hijacking, a spot of searching around got me this page - does it sound familiar?

(UK user with their own DNS server here but this sounds like spectacularly scummy behaviour from your ISP)
 

zer0sum

Well-Known Member
Mar 8, 2013
You can get around pretty much any hijacking by using DNS over TLS :)
I'm a big fan of NextDNS and they have a short guide for pfSense - NextDNS

Or there are other providers that offer DoTLS - Setting up DNS over TLS on pfSense

It's trivial to set up DoTLS on NextDNS once you have an account there...
 

altmind

Active Member
Sep 23, 2018

apnar

Member
Mar 5, 2011
Cloudflare (and others) support DNS over TLS on port 853 on 1.1.1.1:

If that's blocked you can move to DoH (DNS over HTTPS) but I'm not sure if pfSense supports it. Cloudflare and others run that on port 443 which is almost certainly not blocked.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
From your message it sounds like even if you set your Windows boxens to A.N. Other DNS server, it'll still end up at your ISP's resolvers?

In which case that sounds a lot like DNS hijacking, a spot of searching around got me this page - does it sound familiar?
(UK user with their own DNS server here but this sounds like spectacularly scummy behaviour from your ISP)
Correct, DNS Hijacking. I've seen it confirmed on ATT Support\Q&A site\forums, never with such a negative tone of course ;)

You can get around pretty much any hijacking by using DNS over TLS :)
I'm a big fan of NextDNS and they have a short guide for pfSense - NextDNS

Or there are other providers that offer DoTLS - Setting up DNS over TLS on pfSense

It's trivial to set up DoTLS on NextDNS once you have an account there...
Perfect. This is exactly what I was looking for. I'll check into this :)

Last time I checked, ATT was hijacking all the outgoing traffic on port 53 to any host; I think Marsh's advice will not work.
Yes, DNS over TLS is the solution. You may also try to find a DNS server that is working on a non-standard port.

If you have access to the AT&T customer portal, DNS hijacking can be disabled: How to disable the very little-known AT&T setting that can appear to hijack your home DNS lookups and redirect to 104.239.207.44
Thanks! I'll request to disable it and see if that works too! Their support has surprisingly been very good for a consumer internet connection.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
@zer0sum

"Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"

This option is the only one I don't see on my pfSense, was it moved? Or did they eliminate the way to force SSL\TLS?


Looks like my PFS is 2.3.x and says it's up to date, but 2.4.x is out now; when I try to update pfSense I get a failure, lol... great
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
2.4.4 Worked

2.4.5 Kernel Panic :/ Going for fresh install.
 

zer0sum

Well-Known Member
Mar 8, 2013
@zer0sum

"Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"

This option is the only one I don't see on my pfSense, was it moved? Or did they eliminate the way to force SSL\TLS?


Looks like my PFS is 2.3.x and says it's up to date, but 2.4.x is out now; when I try to update pfSense I get a failure, lol... great
I'm not running pfSense as my firewall at the moment, but I believe you can do a more manual approach on pfSense to get it working

1. Go to Services → DNS Resolver and on the tab General Settings scroll down to the Custom Options box.
2. Enter the following lines:
Code:
server:
    # optional: a tls-cert-bundle here lets Unbound authenticate the upstream certificates

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # @853 selects the DNS-over-TLS port; without it Unbound keeps forwarding on port 53
    forward-addr: 8.8.8.8@853
    forward-addr: 1.1.1.1@853
    forward-addr: 8.8.4.4@853
    forward-addr: 1.0.0.1@853
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
@zer0sum I rebuilt my pfSense and now I have the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" option

Aside from not having issues with ATT to tell if it's working... any other way to test that it is in fact going over TLS?

Thnx
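One way to check that a resolver is reachable over TLS on port 853 (the port apnar mentions, and the question asked above) is to speak the protocol directly. The Python DNS-over-TLS client below is an added example for this thread, not code from pfSense or from any poster: it builds a raw DNS query, sends it with the 2-byte length prefix RFC 7858 requires, verifies the resolver's certificate, and parses the A records. It assumes Cloudflare's 1.1.1.1 (from the thread) with the TLS name cloudflare-dns.com (not from the thread), and the embedded sample reply is constructed, not captured.

```python
"""Minimal DNS-over-TLS client (RFC 7858); an added example, not pfSense's or the thread's code."""
import random, socket, ssl, struct

# Constructed sample reply (not captured traffic): ID 0x1234, flags 0x8180 (NOERROR), question
# example.com/A, one A record 203.0.113.10 (TEST-NET-3), TTL 60, owner name = pointer to offset 12.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xcb\x00\x71\x0a")

def build_query(name, qtype=1, qid=None):
    """Encode one recursive (RD=1) question for `name`; qtype 1 = A record."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer (0xC0..) ends it in 2 bytes."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_answers(msg):
    """Return (rcode, [IPv4 strings]) from the answer section of a DNS response."""
    _, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def dot_query(name, server="1.1.1.1", tls_name="cloudflare-dns.com", port=853):
    """Resolve `name` over TLS on port 853; the certificate is verified against tls_name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
        query = build_query(name)
        tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858: 2-byte length prefix
        stream = tls.makefile("rb")
        (length,) = struct.unpack("!H", stream.read(2))
        return parse_answers(stream.read(length))

if __name__ == "__main__":
    print("offline sample:", parse_answers(SAMPLE_RESPONSE))
    print("live via 853:", dot_query("example.com"))   # fails fast if port 853 is blocked
```

Running it from a host behind the firewall shows whether port 853 to the resolver is open; a connection timeout or a certificate error there is the symptom to look for when an ISP interferes with the path.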
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015

Showing it's not working even though pfSense is set up to use TLS :/ and not using pfSense for DNS at all.

It's as if pfSense isn't being used for DNS; if I force 1.1.1.1 in Windows it shows that, yes, I am using that, but then still

Using DNS over TLS (DoT): No
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
Ok, sadly have to bump this back up.

It appears ATT has added some new level of security.

Visiting "1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver", I'm still using TLS.

However, I cannot access any streaming service (besides YouTube) when using custom\encrypted DNS with pfSense. If I use ATT all of these work 100%.

If I use the ATT Router WAP on my phone to access Netflix and then try on my PC (using pfSense w\TLS DNS), Netflix also works, but only for around 2 minutes, then it stops allowing me access.

It appears to me that they realized they can't control encrypted requests but now if an IP range of incoming data (to their users) doesn't match a DNS request it's denied.

At least this is how my very limited network knowledge thinks it works ;)

Any thoughts on this ? It just started August 1st.
 

Fallen Kell

Member
Mar 10, 2020
How is it even possible for that not to cause problems from a technical point of view? There are PLENTY of services/applications that simply communicate based on IP address and do not perform a DNS query. I would start flooding them with hotline calls about applications no longer working when trying to communicate over the net.
 

RTM

Well-Known Member
Jan 26, 2014
Sounds to me like they want to ensure that streaming traffic is redirected to the Akamai/Netflix/etc. CDN boxes they certainly host in their network.
I assume what happens when you use an external DNS service is that Netflix domain names are resolved to the IPs for network providers that do not have CDN boxes in their network (I guarantee you that there are CDN boxes in AT&T's network), meaning the traffic will likely have to cross a peering connection (costs money).

It is cheaper to have traffic end up on local (to their network) boxes, thus that is their incentive.

Anyway there's a bunch of other possible explanations, here's a few:
  1. Netflix domain names are being resolved to IPv6 IPs and you do not have IPv6 (no connection)
  2. The peering connection (see the CDN box reason) is down
  3. The domain names are not being resolved for some reason
To really get to the bottom of it, you could record the traffic through the pfSense GUI and analyze the PCAPs with Wireshark. Look for DNS resolutions (and their answers, if any), and connections (and connection attempts) to the IP addresses the domain names resolve to.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
Update: My zoom meetings didn't work today either, turns out they too are on AWS :(