[Dnsmasq-discuss] dnsmasq to provide public DNS service

Mark Steward marksteward at gmail.com
Thu Jul 14 02:56:50 BST 2016


Just read the last few emails again. Your ISP may well be doing deeper
inspection and blocking TCP-based DNS too.

I've just tried the following on one of my boxes:

sudo dnsmasq -d -i* -p7821

and on another:

dig -p7821 @myhost.tld google.com

and it worked fine.

If this works for you, please remember to set up port knocking. Or set up
something sensible, like a VPN or tunneling over SSH.

Mark

On 14 Jul 2016 02:32, "Mark Steward" <marksteward at gmail.com> wrote:

> I'm not sure about that conclusion. The overwhelming likelihood is that
> your ISP is blocking UDP on port 53. This is very common on domestic ISPs,
> precisely to stop people shooting themselves in the foot by running open
> resolvers.
>
> I've only skim-read this thread. Did you properly test listening on UDP 53
> with nc -u -l53 or equivalent? Could you reach it from another machine on
> the internet? If not, that's your problem, not dnsmasq.
>
> If you do convince your ISP to open up access, can I recommend you at
> least use port knocking to reduce the likelihood of being used by botnets?
> Honeypots demonstrate that an open service on IPv4 will often be picked up
> in hours.
>
> Mark
>
> On 14 Jul 2016 01:57, "T o n g" <mlist4suntong at yahoo.com> wrote:
>
>> On Sun, 10 Jul 2016 21:50:03 +0200, Albert ARIBAUD wrote:
>>
>> > Regarding running the DNS on TCP alone: problem is, you might force the
>> > dig command to use TCP, but that's a specific case; all DNS resolutions
>> > happening on your machine in any other process than dig will keep on
>> > trying UDP first when the request size warrants it, because that's the
>> > standard.
>>
>> That's not a problem for me. If I have to use TCP, then I'll always use
>> `dig +tcp`, so UDP will never be in the way.
>>
>> > OK, so no blocking at your box level except for what fail2ban may decide
>> > to block. Now we're fairly sure your problem is with either your ISP or
>> > your hosting provider.
>>
>> After struggling for a few days, I finally decided that I should reply, to
>> bring some closure on this. Thank you for all these days of your tireless
>> help. However, my conclusion is still the same as my first post -- dnsmasq
>> is unable to provide public DNS service -- it can be used as a DNS server
>> for the local host, or local network, but just not for the general public.
>> We've ruled out everything possible, and the only thing left is dnsmasq.
>>
>> I.e., if there were any problem with my ISP or my hosting provider, I
>> wouldn't have been able to start a working second SSH session listening
>> on port 53 (instead of 22).
>>
>> In other words, all else the same, swap in SSH to listen on port 53, it
>> works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is
>> the only problem.
>>
>> Thanks anyway for all your help.
>>
>>
>>
>
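The thread's open question is whether UDP reaches the box at all: an SSH listener on port 53 only proves that TCP does, and nothing in the thread tests UDP end to end. What follows is an added example, my own code rather than dnsmasq's or anything a poster sent, that probes a DNS server the way `dig` and `dig +tcp` would and labels the outcome with the hypothesis it supports. It assumes Python 3 on the probing machine. The loopback responder (`serve_canned`) and its 192.0.2.1 answer are constructed so the script runs offline; `serve_canned` only stands in for the real dnsmasq listener, and its `drop_udp` option mimics an upstream filter that silently discards UDP while leaving TCP alone.

```python
"""Added example for this thread (not dnsmasq code): send one A query over UDP and
over TCP (RFC 1035 two-byte length prefix) and classify what comes back. The
loopback responder only makes this runnable offline; 192.0.2.1 is a constructed answer."""
import os
import socket
import struct
import threading

QTYPE_A, QCLASS_IN = 1, 1

def build_query(name, txid):
    """Header (RD=1, one question) + QNAME labels + QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def _skip_name(data, off):
    """Advance past a domain name; a compression pointer (0xC0..) ends it."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data, txid):
    """Return (rcode, [A-record IPs]); ValueError on junk or a mismatched id."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
        if rid != txid or not flags & 0x8000:
            raise ValueError("not a response to our query")
        off, answers = 12, []
        for _ in range(qd):
            off = _skip_name(data, off) + 4
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
                answers.append(socket.inet_ntoa(data[off:off + 4]))
            off += rdlen
    except (struct.error, IndexError) as e:
        raise ValueError("malformed response") from e
    return flags & 0xF, answers

def probe_udp(host, port, name, timeout):
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected, so ICMP port-unreachable surfaces as ECONNREFUSED
        try:
            s.send(build_query(name, txid))
            return ("answer",) + parse_response(s.recv(512), txid)
        except socket.timeout:
            return ("timeout",)  # dropped somewhere on the path, or the listener never replied
        except ConnectionRefusedError:
            return ("refused",)  # host reachable, nothing bound on that UDP port

def probe_tcp(host, port, name, timeout):
    """Same classification over TCP, which is what `dig +tcp` exercises."""
    txid = int.from_bytes(os.urandom(2), "big")
    q = build_query(name, txid)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", f.read(2))
            return ("answer",) + parse_response(f.read(n), txid)
    except socket.timeout:
        return ("timeout",)
    except OSError:  # ECONNREFUSED or unreachable
        return ("refused",)

def diagnose(host, port, name="google.com", timeout=2.0):
    """Label the (udp, tcp) outcome pair with the hypothesis from the thread it supports."""
    udp, tcp = probe_udp(host, port, name, timeout), probe_tcp(host, port, name, timeout)
    label = {("answer", "answer"): "ok", ("timeout", "answer"): "udp-filtered-upstream",
             ("refused", "answer"): "udp-not-bound"}.get((udp[0], tcp[0]), "blocked-or-down")
    return label, udp, tcp

def serve_canned(answer_ip="192.0.2.1", drop_udp=False):
    """Constructed loopback stand-in for a DNS server; drop_udp=True never answers UDP."""
    def reply(q):
        rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(answer_ip)
        return q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + q[12:_skip_name(q, 12) + 4] + rr
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", udp.getsockname()[1]))  # assumes the same number is free for TCP
    tcp.listen(5)
    def udp_loop():
        while True:
            q, peer = udp.recvfrom(512)
            if not drop_udp:
                udp.sendto(reply(q), peer)
    def tcp_loop():
        while True:
            conn, _ = tcp.accept()
            with conn, conn.makefile("rb") as f:
                (n,) = struct.unpack("!H", f.read(2))
                r = reply(f.read(n))
                conn.sendall(struct.pack("!H", len(r)) + r)
    threading.Thread(target=udp_loop, daemon=True).start()
    threading.Thread(target=tcp_loop, daemon=True).start()
    return udp.getsockname()[1]

if __name__ == "__main__":
    print(diagnose("127.0.0.1", serve_canned(drop_udp=True), timeout=0.5))
```

Against a real box, run `diagnose("myhost.tld", 7821)` (or 53) from a machine outside the ISP's network. "udp-filtered-upstream" is the case Mark describes: the TCP listener is fine and UDP datagrams never arrive, so swapping SSH for dnsmasq on the same port cannot distinguish it. "udp-not-bound" means the host answered with ICMP port-unreachable, which is the one outcome that actually points at the dnsmasq side (wrong --port, or an --interface/--listen-address that excludes the public address); `ss -ulnp` on the server confirms it. Note the probe uses a connected UDP socket deliberately: an unconnected sendto/recvfrom would never see the ICMP error and would report a timeout for both cases.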