So recently, my home ISP decided to jump the shark and join the line of Indonesian ISPs enforcing the use of their DNS servers on their customers, by redirecting queries sent to third-party DNS servers such as Google's and OpenDNS's to their own DNS servers, which sucks on so many levels. For example, this is what I get when I try to query Google's DNS server from my Y510p:

mach5@M5INX:~$ dig @8.8.8.8 vimeo.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @8.8.8.8 vimeo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53913
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vimeo.com.            IN    A

;; ANSWER SECTION:
vimeo.com.        3600    IN    A    202.73.99.3

;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Nov 09 16:56:13 WIB 2014
;; MSG SIZE  rcvd: 54

Obviously, vimeo’s IP address is not 202.73.99.3, as you can see below:

mach5@M5INX:~$ whois 202.73.99.3
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '202.73.96.0 - 202.73.127.255'

inetnum:        202.73.96.0 - 202.73.127.255
netname:        BM-ID
descr:          PT. Broadband Multimedia, Tbk
descr:          Internet Service Provider
descr:          Our Business is Broadband and Multimedia Services
descr:          Citra Graha Building 4th Floor
descr:          Jl. Gatot Subroto Kav 35-36
descr:          Jakarta - Indonesia
country:        ID
...

My query got filtered and redirected to the ISP's info page. The output above gives it away in two places: the reply carries the aa (authoritative answer) flag, which a recursive resolver like Google Public DNS never sets for zones it does not host, and the answer points into the ISP's own address block. Whatever answered did so from inside the ISP's network with 8.8.8.8 spoofed as the source address.

It's not that I'm disagreeing (or agreeing) with censorship; the problem is that stuff like this is oftentimes executed poorly, resulting in performance degradation due to the ISP using underpowered or misconfigured infrastructure, and in lots of false positives.
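A quick way to tell whether a resolver's answers are being hijacked is to look for the two tells above: the aa flag on a reply that supposedly came from a public recursive resolver, and an answer address inside the ISP's own netblock. The script below is an added example, not part of the original post. It parses dig output with those two heuristics; the 202.73.96.0/19 range is taken from the whois result above and is an assumption about where this ISP's info pages live, and the two embedded dig replies are constructed samples trimmed from the outputs above so the script runs offline.

```sh
#!/bin/sh
# dns_hijack_check.sh - added example, not part of the original post.
# Two heuristics for spotting ISP DNS interception in `dig` output:
#   1. the "aa" (authoritative answer) flag on a reply that claims to come
#      from a public recursive resolver such as 8.8.8.8; a recursive
#      resolver never asserts authority for zones it does not host, so a
#      hijacking box answering in its place often leaks this bit
#   2. an answer address inside the ISP's own netblock, where the block/
#      info pages live (202.73.96.0/19 here, taken from the whois output;
#      this is an assumption, adjust it for your ISP)
# Live use:  intercepted "$(dig @8.8.8.8 vimeo.com)" && echo "hijacked"

ISP_NETBLOCK="202.73.96.0/19"

# ip_to_int 1.2.3.4 -> 16909060
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# dig_flags DIG_OUTPUT -> the flags field, e.g. "qr aa rd ra"
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dig_answer_a DIG_OUTPUT -> address of the first A record in the answer
# (the QUESTION line has only three fields, so it never matches)
dig_answer_a() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

# intercepted DIG_OUTPUT -> prints each reason and exits 0 if the reply
# looks hijacked, exits 1 if it looks clean
intercepted() {
    reply=$1
    hit=1
    case " $(dig_flags "$reply") " in
        *" aa "*) echo "  aa flag set on an answer from a recursive resolver"; hit=0 ;;
    esac
    ip=$(dig_answer_a "$reply")
    if [ -n "$ip" ] && in_cidr "$ip" "$ISP_NETBLOCK"; then
        echo "  answer $ip is inside ISP netblock $ISP_NETBLOCK"
        hit=0
    fi
    return $hit
}

# Constructed sample: the reply the post got back from "8.8.8.8" (trimmed).
HIJACKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53913
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;vimeo.com.            IN    A

;; ANSWER SECTION:
vimeo.com.        3600    IN    A    202.73.99.3'

# Constructed sample: the reply via dnscrypt-proxy on 127.0.0.2 (trimmed).
CLEAN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64497
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;vimeo.com. IN A

;; ANSWER SECTION:
vimeo.com. 16 IN A 74.113.233.128'

echo "reply via 8.8.8.8:"
intercepted "$HIJACKED" || echo "  looks clean"
echo "reply via dnscrypt-proxy:"
intercepted "$CLEAN" || echo "  looks clean"
```

The netblock test is the weaker of the two heuristics, since an ISP can park its info page anywhere; the aa flag is the one worth alerting on, and it is also the one most redirection boxes forget to clear.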

One way to get around DNS redirection is to use OpenDNS's DNSCrypt. Much like TLS for HTTP traffic, DNSCrypt encrypts and authenticates the traffic between your machine and the resolver, so a box in the middle can neither read the query nor substitute its own answer; the resolver's public key is pinned in the client, so a spoofed server is rejected rather than trusted. By default dnscrypt-proxy uses OpenDNS's servers, talking to them on port 443 rather than 53, but there are other resolvers to choose from if you so desire. Note that this only protects the name lookup: the ISP can still see which IP addresses you then connect to, and it could decide to block the DNSCrypt resolver itself.

There's a PPA for Ubuntu if you use one, but it currently has no packages for 14.04 and 14.10. If you have 13.10 or older, do:

sudo add-apt-repository ppa:shnatsel/dnscrypt
sudo apt-get update

To install do:

sudo apt-get install dnscrypt-proxy

If you use either 14.04 or 14.10, download the libsodium package here (64bit|32bit) and the dnscrypt-proxy package here (64bit|32bit). Double-click to install those packages, or do:

sudo dpkg -i libsodium4_0.4.5-0~trusty5_amd64.deb
sudo dpkg -i dnscrypt-proxy_1.4.0-0~oldconf2+saucy1_amd64.deb

If it isn't started automatically, start dnscrypt-proxy:

sudo service dnscrypt-proxy start

By default, dnscrypt-proxy listens on 127.0.0.2, port 53. See if it's working:

mach5@M5INX:~$ dig @127.0.0.2 vimeo.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @127.0.0.2 vimeo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64497
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vimeo.com. IN A

;; ANSWER SECTION:
vimeo.com. 16 IN A 74.113.233.128

;; Query time: 45 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)
;; WHEN: Sun Nov 09 16:10:41 WIB 2014
;; MSG SIZE rcvd: 54

DNSCrypt is now ready to be used. All we need to do is point the system at 127.0.0.2 for DNS resolution. There are several ways to do this. If you use dnsmasq, you can point it at 127.0.0.2 instead of whatever your DHCP server tells it to use. My preference is to do this from the properties of my home wifi connection, so the setting only applies when I'm at home, on my home ISP. Go to the Dash and find "Network Connections". Select your home wifi connection from the list and press Edit. Set Method to "Automatic (DHCP) addresses only" and fill in the DNS servers field with 127.0.0.2. Save, and reconnect to your AP to pick up the new setting.

Network Connection

Well, that's fine when I only have to worry about my notebook. Aside from the Y510p I'm writing on, the AP is also connected to my Galaxy S4, Note 8.0, my wife's Xperia SP and iPad, and my mom's Iconia. Several days ago my wife complained that she couldn't play a video on a site that happens to host its videos on vimeo, one of the sites that happened to be, err, "filtered out". The Android devices can use Orbot and I can install OnionBrowser on the iPad, but it's just too much hassle to set up each device one by one. I happened to have a Kohjinsha SH6 lying around, so I decided to use it as a DNS resolver for my home internet connection. It uses a low-powered Celeron processor and is quite small, so it can be stowed away somewhere.

SH6

I use Xubuntu instead of the normal Ubuntu on it and installed dnscrypt-proxy much the same way I did on my Y510p. In addition to that, I also installed BIND to act as a local DNS server. You can use another DNS server such as Unbound if you want to. To install bind, do:

sudo apt-get install bind9

Before starting bind, we need to make several modifications to the bind settings. To do that, do:

sudo nano /etc/bind/named.conf.options

For reference, this is how my named.conf.options looks:

acl goodclients {
        192.168.77.0/24;
        localhost;
};

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        allow-query { goodclients; };
        forwarders {
                127.0.0.2;
        };
        // Never fall back to recursing directly over port 53 if
        // dnscrypt-proxy is unreachable; a SERVFAIL beats a hijacked answer.
        forward only;

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-enable yes;
        dnssec-validation yes;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

The first thing to notice is the "acl" block. This is where we define which IP addresses or subnets are permitted to send DNS queries to our resolver; we name them "goodclients". Replace 192.168.77.0/24 with your LAN subnet, or list the individual addresses of the devices that should get access. "allow-query" then restricts queries to members of "goodclients", which matters: a resolver that answers anyone who can reach it is an open resolver, and open resolvers get abused for DNS amplification attacks. Next, the address of dnscrypt-proxy goes into "forwarders". Make sure "forward only;" is set alongside it: BIND's default is "forward first", meaning that if the forwarder times out, named quietly falls back to recursing on its own over plain port 53, which is exactly the traffic the ISP intercepts; with "forward only" a dead dnscrypt-proxy produces SERVFAIL instead of a hijacked answer, which is the failure you want. Lastly, "dnssec-validation yes;" only validates when a trust anchor is configured ("auto" uses the root key shipped with the bind9 package), and validation only works if the upstream resolver passes RRSIG records through; if signed zones start returning SERVFAIL, check with "dig +dnssec" against 127.0.0.2 before blaming BIND. Restart bind:

sudo service bind9 restart
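Since the only job of this BIND instance is to hand everything to dnscrypt-proxy, it is worth checking the options file for the two things that quietly undo that: BIND's default "forward first" behaviour, which recurses directly over port 53 if the forwarder ever stalls, and an allow-query that makes the box an open resolver. The script below is an added example, not part of the original post or of BIND itself. The audit function reads a named.conf.options on stdin, and the two embedded configs are constructed samples, a boiled-down version of the options above with and without "forward only;".

```sh
#!/bin/sh
# audit_named_options.sh - added example, not part of the original post or of BIND.
# Reads a named.conf.options on stdin and reports settings that defeat the
# point of forwarding to dnscrypt-proxy:
#   FINDING  forwarders without "forward only;": BIND defaults to
#            "forward first", so if 127.0.0.2 ever stalls it recurses by
#            itself over plain port 53, which is exactly what the ISP hijacks
#   FINDING  no allow-query, or allow-query { any; }: an open resolver that
#            anyone can use (and abuse for DNS amplification)
#   NOTE     dnssec-validation on: the forwarder must pass RRSIG records
#            through, or lookups in signed zones fail with SERVFAIL
# Exit status is 0 when no FINDING lines were produced.
# Live use:  audit_named_options < /etc/bind/named.conf.options

# Drop // and # comments so a commented-out block such as the stock
# "// forwarders { 0.0.0.0; };" is not mistaken for a live setting.
strip_comments() {
    sed -e 's|//.*||' -e 's|#.*||'
}

audit_named_options() {
    cfg=$(strip_comments)
    rc=0
    if ! printf '%s\n' "$cfg" | grep -Eq 'forwarders[[:space:]]*\{'; then
        echo "FINDING: no forwarders block; BIND recurses directly over port 53"
        rc=1
    elif ! printf '%s\n' "$cfg" | grep -Eq 'forward[[:space:]]+only[[:space:]]*;'; then
        echo "FINDING: forwarders set but 'forward only;' missing; 'forward first' falls back to direct recursion"
        rc=1
    fi
    if ! printf '%s\n' "$cfg" | grep -Eq 'allow-query[[:space:]]*\{'; then
        echo "FINDING: no allow-query; anyone who can reach port 53 may use this resolver"
        rc=1
    elif printf '%s\n' "$cfg" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "FINDING: allow-query { any; } turns this into an open resolver"
        rc=1
    fi
    if printf '%s\n' "$cfg" | grep -Eq 'dnssec-validation[[:space:]]+(yes|auto)'; then
        echo "NOTE: dnssec-validation is on; the forwarder must pass RRSIG records through"
    fi
    return $rc
}

# Constructed sample: the options as posted, boiled down. Forwards to
# dnscrypt-proxy but relies on BIND's default "forward first".
sample_as_posted() {
    cat <<'EOF'
acl goodclients { 192.168.77.0/24; localhost; };
options {
        directory "/var/cache/bind";
        allow-query { goodclients; };
        forwarders { 127.0.0.2; };
        // forwarders { 0.0.0.0; };
        dnssec-enable yes;
        dnssec-validation yes;
        auth-nxdomain no;    # conform to RFC1035
};
EOF
}

# Constructed sample: the same config with "forward only;" added.
sample_forward_only() {
    cat <<'EOF'
acl goodclients { 192.168.77.0/24; localhost; };
options {
        directory "/var/cache/bind";
        allow-query { goodclients; };
        forwarders { 127.0.0.2; };
        forward only;
        dnssec-enable yes;
        dnssec-validation yes;
        auth-nxdomain no;    # conform to RFC1035
};
EOF
}

echo "== as posted =="
sample_as_posted | audit_named_options || true
echo "== with forward only =="
sample_forward_only | audit_named_options && echo "no findings"
```

Run it against the real file with "audit_named_options < /etc/bind/named.conf.options" after editing, and again after "named-checkconf" passes, since the grep-based checks only look at what is written, not at what named actually loaded.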

Test the bind install from one of the clients:

mach5@M5INX:~/Downloads$ dig @192.168.77.125 vimeo.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @192.168.77.125 vimeo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vimeo.com.            IN    A

;; ANSWER SECTION:
vimeo.com.        18    IN    A    74.113.233.128

;; Query time: 41 msec
;; SERVER: 192.168.77.125#53(192.168.77.125)
;; WHEN: Sun Nov 09 17:47:54 WIB 2014
;; MSG SIZE  rcvd: 542

The last step is to point your clients at the new resolver as their DNS server. We can do this the same way we did on the Y510p, using the resolver's IP address instead of 127.0.0.2, or use the DHCP server on the router/wireless AP to hand it out to all clients. Either way, check any device that has a DNS server set by hand (8.8.8.8 typed into a phone's wifi settings, say): it will ignore the DHCP option and land straight back on the ISP's redirector. For example, this is how it looks on a Linksys wireless router:

DHCP setup

By ikhsan

5 thoughts on “Beating the crap out of your ISP’s DNS filtering & redirection”
  1. Has anyone else had ERR_TOO_MANY_REDIRECTS showing up after using DNSCrypt? I can bypass using Chrome Incognito mode on the web page (usually Blogspot posts) – clearing cookies/etc didn’t do the job.
