How to fight off DNS spoofing by provider?
Hello! Please go easy on a newbie.
The situation is a banal one: the provider replaces DNS. It seems that this is easier for them, since blocking of prohibited sites is implemented exclusively this way. In general I don't care, but because of this nonsense I can't use AdGuard DNS, for example; ads slip through quietly. There is an external OVPN server.
What I did:
1. Disabled peer DNS.
2. Through Mikrotik, I give adguard dns to clients (for example).
3. Added routes to the DNS servers through the VPN.
4. Everything works. There seems to be no substitution.
What does not work:
There are several devices on the network that are convenient to reach by name via static DNS entries. I would also like caching, since the VPN is far away.
As soon as I turn on allow-remote-requests and hand out the router's address to clients as the DNS server, everything is the same as before.
My assumption: traffic from clients to the DNS goes encrypted through the VPN, but when the MikroTik's own DNS is enabled, the router accesses the DNS server directly.
Question: What to do?
Many thanks in advance to everyone who didn't pass by!
Intercepting and substituting UDP port 53 is elementary. MikroTik does not seem to implement anything like DNS over SSL or DNSCrypt out of the box to protect against this. But with simple firewall manipulations you can redirect DNS to your own server, which listens on a different port, for example.
1) intercept user DNS so as not to depend on user settings
2) put AdGuard DNS in ip/dns on MikroTik, or whatever you need
3) mark DNS traffic in mangle
4) put the marked traffic into the VPN tunnel
Maybe my answer will seem primitive to you and so on, but Layer7 and packet marking save you from this.
Not a solution, but a good example of where to start.
I deployed DNSCrypt in a Docker virtual machine on a server inside the network specifically for this purpose. The IP of the virtual machine with DNSCrypt is specified as the DNS server in the DHCP server settings and in the network interface settings of static clients. This is probably a bit overkill, but firstly there is somewhere to deploy it, and secondly, because I can :) In fact, some kind of Raspberry with DNSCrypt or something similar is really enough. But I did not study alternatives, simply because the method I use suits me completely.
On MikroTik, set AdGuard DNS in ip/dns. There should be no dynamic DNS servers.
Check the Allow Remote Requests checkbox. Give clients the MikroTik address as the DNS server via DHCP. Make sure they get what they need.
In ip/routes on MikroTik, create routes to AdGuard DNS addresses through the tunnel.
On the VPN server, configure src-nat for connections from the tunnel so that replies come back.
Clear the DNS cache everywhere just in case.
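The two MikroTik answers above (the firewall intercept plus mangle marking, and the ip/dns plus routes-through-the-tunnel procedure) put together as one RouterOS configuration. This is an added example, not configuration posted by any of the answerers. It assumes RouterOS v6 syntax (in v7 the routing mark must first be created as a routing table), a LAN of 192.168.88.0/24 with the router at 192.168.88.1, an interface list named LAN, a WAN DHCP client on ether1, and an OpenVPN client interface named ovpn-out1 that is already up. The resolver addresses are the ones AdGuard publishes for AdGuard DNS; check them against AdGuard's current documentation before use.

```routeros
# Added example (not from any answer on this page). Assumptions: RouterOS v6,
# LAN 192.168.88.0/24, router 192.168.88.1, interface list "LAN", WAN DHCP
# client on ether1, OpenVPN client interface "ovpn-out1".

# 1. The router resolves via AdGuard only and answers LAN clients itself.
#    Peer DNS from the WAN DHCP client is disabled so the provider's resolvers
#    never appear in the dynamic server list (for PPPoE, set use-peer-dns=no
#    on the pppoe-client instead).
/ip dhcp-client set [find interface=ether1] use-peer-dns=no
/ip dns set servers=94.140.14.14,94.140.15.15 allow-remote-requests=yes

# 2. Hand out the router as the only DNS server to DHCP clients.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# 3. Intercept every client DNS query, including hard-coded resolver settings
#    on individual devices, and redirect it to the router's own resolver.
#    Both UDP and TCP, since large answers and zone transfers fall back to TCP.
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"

# 4. Routes: the router's own upstream queries to AdGuard leave through the
#    tunnel, so the provider only sees OpenVPN traffic, never plain port 53.
/ip route add dst-address=94.140.14.14/32 gateway=ovpn-out1 comment="AdGuard via VPN"
/ip route add dst-address=94.140.15.15/32 gateway=ovpn-out1 comment="AdGuard via VPN"

# 5. Belt and braces: any other port-53 packet the router itself originates
#    (for example a resolver added later without a matching route) is
#    policy-routed into the tunnel instead of leaking to the WAN.
/ip firewall mangle add chain=output protocol=udp dst-port=53 \
    action=mark-routing new-routing-mark=dns-via-vpn passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-mark=dns-via-vpn

# 6. Flush answers cached while the provider was still answering, then verify:
#    the lookup must succeed and the redirect counters must grow as clients query.
/ip dns cache flush
:put [:resolve example.com]
/ip firewall nat print stats where comment~"force LAN DNS"
/ip route print where comment~"AdGuard"
```

The tunnel side still needs the src-nat from the last answer: the router's queries enter the VPN server with the tunnel address as source, so on a Linux server something like `iptables -t nat -A POSTROUTING -s <tunnel-subnet> -o <wan-interface> -j MASQUERADE` (placeholders, fill in your own values) is required for the replies to come back. Without it `:resolve` times out even though the routes are correct, which is the symptom the question describes.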