M BUZZ CRAZE NEWS

How to set up a DNS cache server without port 53

By David Jones

My country, Indonesia, is attempting to take over DNS functions in all the ISPs here.

Thousands of sites including Reddit, Vimeo, and even (sometimes) GitHub are blocked.

Now this would not be so bad if the replacement DNS servers functioned properly and quickly. But they don't.

They are extremely slow and they seem to take a long time to update new entries.

I am running Ubuntu servers (14.04) in my company. Is it possible to set up a DNS cache server on my LAN which can be updated without using port 53? Or without being intercepted by my ISP?

If you have an answer, please explain slowly using big letters, as DNS issues always confuse me.

3 Answers

If your ISP (or your government) is intercepting your outgoing connections to port 53, then one thing you can do is set up a VPN to a server outside your country and route the DNS traffic through it. It will cost you a few $/month though. If this is an option, search the net for "VPN servers". Don't be tempted to use a free VPN; DNS is way too important to depend on an unreliable and slow free VPN.

Update

Yes, the connection to the VPN could be slow and/or disrupted at times. You have to balance that against the slow/disrupted connection to the DNS server provided by your ISP. Sorry, can't tell you which solution would be worse, you will have to figure it out yourself.

"If a DNS caching server was set up on the VPN, could I set up another caching server on my local LAN which took its updates from the VPN's DNS cache?" - Yes, that is pretty much what I would do. Note that you have no control over what DNS server is set up at the VPN server, but this can be part of your selection criteria for VPN providers.


As sмurf wrote, a VPN and a DNS resolver on a virtual server in a more free country can be a good solution. I use OpenVPN for virtual private networking and Dnsmasq as a local resolver, as an internal authoritative server and as a DNS relay. DNS traffic goes through the VPN in various directions. My experience with this setup is very positive. OpenVPN does not make the connection less reliable; actually the opposite is true. If the connection fails, OpenVPN holds back the network packets until the connection is established again. Network programs don't notice anything, even if the IP address of a road warrior changes. This does not really help DNS though, because of the short timeouts typically used in DNS. Anyway, here is the configuration I recommend:

  • Virtual server in a foreign country. Install OpenVPN on it. Regarding DNS you have several options; choose whichever is simplest for you:
    • Use the virtual server as a router. You only have to switch on forwarding in the kernel, and add firewall rules to prevent non-DNS traffic.
    • Instead of renting a virtual server and setting up OpenVPN on it, I guess you can simply subscribe to a VPN service which uses OpenVPN; the result will be the same as in the previous option.
    • Install Dnsmasq. Dnsmasq will act as a relay to the DNS resolvers provided by the hosting company.
    • Install a full Bind resolver. You should choose this if you do not trust the DNS resolvers of the hosting company. I have not tried this myself, but AFAIK it is simple.
  • VPN server in your local internal network. Install OpenVPN on this server and set up the simplest point-to-point connection to the remote rented VPN. This will be a router, so enable forwarding here too.
  • Caching DNS server in your local network. Install Dnsmasq here; it will be a caching DNS relay. Configure it to relay DNS requests to the DNS server(s) on the other end of the VPN. You have to set up a route here (ip route add ...), so that packets sent to the remote DNS go through your local VPN server.

The default configuration of Dnsmasq only allows 150 cache entries; you have to increase that for 60 users. Dnsmasq is designed for small networks, but they consider 60 users a small network. It has the advantage that your configuration will be about two lines.

You can use a single server for the local Dnsmasq and the local VPN server, if you want.
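The LAN-side part of the setup the answer above describes, written out as an added example of my own (it is not code from the answer, nor from the Dnsmasq or OpenVPN projects). The addresses are assumptions: 10.8.0.1 is the remote end of the OpenVPN tunnel where the relay or Bind resolver lives, 192.168.1.2 is the LAN address of the Dnsmasq host, and 192.168.1.1 is the LAN address of the local OpenVPN router. Replace them with your own.

```shell
#!/bin/sh
# Added example, not part of the original answer: builds the LAN-side Dnsmasq
# cache/relay config and the host route described above.
# Hypothetical addresses: remote tunnel end 10.8.0.1 (runs the resolver),
# local Dnsmasq host 192.168.1.2, local OpenVPN router 192.168.1.1.

# write_dnsmasq_conf OUTFILE UPSTREAM_IP LISTEN_IP
# Writes a Dnsmasq config that forwards only to UPSTREAM_IP (reachable only
# through the VPN) and caches far more than the 150-entry default.
write_dnsmasq_conf() {
    out="$1"; upstream="$2"; listen="$3"
    cat > "$out" <<EOF
# Ignore /etc/resolv.conf so the ISP-provided resolvers are never used.
no-resolv
# The only upstream: the resolver at the far end of the VPN tunnel.
server=$upstream
# Answer only on the LAN interface address.
listen-address=$listen
bind-interfaces
# Default is 150 cached names, far too small for about 60 users.
cache-size=10000
# Never forward bare hostnames or RFC1918 reverse lookups upstream.
domain-needed
bogus-priv
EOF
}

# route_cmd UPSTREAM_IP VPN_ROUTER_IP
# Prints the host route that sends upstream DNS traffic via the local OpenVPN
# router instead of the ISP default gateway. Only needed when the Dnsmasq
# host is not itself the OpenVPN endpoint.
route_cmd() {
    printf 'ip route add %s/32 via %s\n' "$1" "$2"
}

# conf_is_sane FILE
# Returns 0 when the config can never fall back to the ISP resolvers
# (no-resolv plus an explicit server=) and the cache is above the default.
# Also runs dnsmasq's own syntax check when dnsmasq is installed.
conf_is_sane() {
    f="$1"
    grep -q '^no-resolv$' "$f" || { echo "missing no-resolv" >&2; return 1; }
    grep -q '^server='    "$f" || { echo "missing server=" >&2; return 1; }
    size=$(sed -n 's/^cache-size=//p' "$f")
    [ -n "$size" ] && [ "$size" -gt 150 ] \
        || { echo "cache-size missing or too small" >&2; return 1; }
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$f" || return 1
    fi
    return 0
}

# Typical run on the LAN Dnsmasq host (as root; Ubuntu 14.04 reads
# /etc/dnsmasq.d/ via the packaged conf-dir line):
#   write_dnsmasq_conf /etc/dnsmasq.d/vpn-cache.conf 10.8.0.1 192.168.1.2
#   conf_is_sane /etc/dnsmasq.d/vpn-cache.conf && service dnsmasq restart
#   eval "$(route_cmd 10.8.0.1 192.168.1.1)"
```

Before relying on this, check that interception is really what you are fighting and that the tunnel is carrying the queries: from the Dnsmasq host, `dig @192.0.2.1 example.com` (a TEST-NET-1 address that nothing should answer from) must time out; if it returns an answer, something on the path is rewriting port 53 traffic and the route has to be fixed first. Once `dig @192.168.1.2 example.com` answers from a LAN client, hand out 192.168.1.2 as the DNS server in DHCP. The `ip route add` line does not survive a reboot on its own (put it in a post-up line in /etc/network/interfaces), and it is unnecessary when Dnsmasq and the local OpenVPN endpoint share one machine, because the tun interface already routes 10.8.0.1.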

Since the OP mentioned he needs a gateway to shovel traffic for a LAN's worth of computers, I suggest setting up a Squid proxy in place and having it forward traffic to a hosted box in a more liberal country. A web proxy with a good amount of cache and a local DNS server is needed because a high volume of traffic from your said IP to an IP geolocated in another state would attract suspicion, which would be followed by banning said IP. Because of this, you need to have a local copy of a "good chunk of the free internet".

Since you do not need said hosted server for anything other than a gateway, you could try a cheap host here.

Or, since IPv6 is not the norm yet for end-user deployments, there's a high chance your ISP will not monitor that side of the fence, so you could sign up for a free IPv6-over-IPv4 tunnel and DNS resolver from here.

  1. You could first try to see if any DNS servers on this list are banned:

  2. Another solution would be to download and install Tor, which will encrypt all internet traffic.

  3. Another solution is to use a browser, such as Firefox, and set it up to use a proxy server with DNS forwarded over SOCKS5 from this list:
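The Squid forwarding setup the answer above suggests, as an added example of my own (not from the answer or from the Squid project). Assumed values: the hosted box runs Squid on 203.0.113.10 port 3128 and is reachable over the VPN, the LAN is 192.168.1.0/24, and a local caching resolver listens on 192.168.1.2. Paths and service names are those of the squid3 package on Ubuntu 14.04.

```shell
#!/bin/sh
# Added example, not part of the original answer: a minimal Squid config for
# the local caching proxy that pins every request to a parent proxy on the
# hosted box, so nothing is fetched directly through the ISP.
# Hypothetical values: parent 203.0.113.10:3128 (reachable over the VPN),
# LAN 192.168.1.0/24, local caching resolver 192.168.1.2.

# write_squid_conf OUTFILE PARENT_IP PARENT_PORT LAN_CIDR DNS_IP
write_squid_conf() {
    out="$1"; parent="$2"; pport="$3"; lan="$4"; dns="$5"
    cat > "$out" <<EOF
http_port 3128
# Large on-disk and in-memory cache: repeat hits are served locally, so the
# volume of traffic seen leaving the country stays low.
cache_dir ufs /var/spool/squid3 20000 16 256
cache_mem 512 MB
maximum_object_size 64 MB
# The hosted box is the only next hop; never fetch directly via the ISP.
cache_peer $parent parent $pport 0 no-query default
never_direct allow all
# Names Squid must resolve itself go to the local caching resolver, not the ISP.
dns_nameservers $dns
acl localnet src $lan
http_access allow localnet
http_access deny all
EOF
}

# conf_forces_parent FILE
# Returns 0 if requests are pinned to a parent and direct fetches are
# forbidden, the two lines that keep the ISP path unused.
conf_forces_parent() {
    grep -q '^cache_peer .* parent ' "$1" && grep -q '^never_direct allow all$' "$1"
}

# Typical run (as root):
#   write_squid_conf /etc/squid3/squid.conf 203.0.113.10 3128 192.168.1.0/24 192.168.1.2
#   conf_forces_parent /etc/squid3/squid.conf && squid3 -k parse && service squid3 restart
```

With `never_direct allow all`, the local Squid does not fall back to fetching through the ISP when the parent is unreachable; it returns an error instead, which is the safe failure mode here. HTTPS requests are passed to the parent as CONNECT tunnels and cannot be cached, so the cache only helps for plain HTTP. The parent's own squid.conf must allow the tunnel-side source address in its http_access rules, otherwise every request is refused.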
