Tips for asking ISP to allow for using my own DNS setup for self-hosted VPN?

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨AlecStewart1st@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hello, friends.

So I’ve had my Pi-Hole setup for awhile now and it’s great. I’d like to get Wireguard working with it, too, so I could browse the internet without loads of ads and trackers on the go.

However, small issue. All DNS traffic is forcibly routed to my ISP. If you need some details, I made this post on the Pi-Hole userspace.

I’m in America and my ISP is Spectrum. I was wondering if there’s a way I could convince technical support to allow me to use a recursive DNS for privacy/security (more-so the second of the two) purposes, or if it is even possible to convince them to do this. I don’t know if there’s a specific number I should contact, email I should email to, or if I just have to endure the nightmare of getting passed around by customer service one Saturday. Any recommendations would be great.

An interesting note for anyone who’s ISP is Spectrum, their DNS service, at least for me, uses OpenDNS with dnsmasq-2.57. That version of dnsmasq is over 10 years old. You see if this is the case for you with

dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

Or something similar if those IP addresses are different for you. You can see that running those commands were a part of the steps I was asked to take in that Pi-Hole userspace post.

source

Comments

Sort:hotnew top

Tenkian@lemmy.world ⁨1⁩ ⁨year⁩ ago
Another option you can have, install the cloudflared service on your pihole and use that as a DNS server. Cloudflared can take DNS requests from your clients and then proxy those requests over DoT to an upstream server which supports DNS over TLS. I have used Google in the past for this. I had great success with this solution inside a corporate environment which blocked port 53 to all outside the network.

source
- ChrislyBear@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Could you elaborate on this please? Isn’t cloudflared a tunnel INTO the machine running a service? Can you use the same tunnel for outbound traffic as well?? Where does the traffic end up? How does this work?
  
  source
  - blackstrat@lemmy.fwgx.uk ⁨1⁩ ⁨year⁩ ago
    Cloudlfared with pihole is the right way to go here
    
    docs.pi-hole.net/guides/dns/cloudflared/
    
    source
psud@lemmy.world ⁨1⁩ ⁨year⁩ ago
You can have your own machine do DNS lookups, a Linux box with BIND, and any other of your computers can have the DNS resolver set to that machine

You need to forward port 53 from your router (usually a wifi router) to the machine running the DNS

source
di5ciple@lemmy.world ⁨1⁩ ⁨year⁩ ago
I choose not to open any ports to the Internet for security reasons. But use tailscale to allow access to my home network while im away. It was an easy setup and can put it on all my devices.

source
suprjami@lemmy.sdf.org ⁨1⁩ ⁨year⁩ ago
Can you force all DNS via TRR (aka DNS-over-HTTPS)?

I don’t know what Pi-Hole is capable of but that’s possible on open source routers like OpenWrt.

source
redcalcium@lemmy.institute ⁨1⁩ ⁨year⁩ ago
Oh, your ISP very shitty, is just like mine! My solution is by using several upstream DNS servers that listen on alternate ports (so the requests are not intercepted by my ISP), and using TLS and QUIC (can’t intercept it because it’s encrypted).

My Adguard upstream DNS settings:

tls://1.1.1.1 tls://1.0.0.1 tls://8.8.8.8 tls://8.8.4.4 tcp://9.9.9.9:9953 udp://9.9.9.9:9953 quic://unfiltered.adguard-dns.com

source
- YonatanAvhar@programming.dev ⁨1⁩ ⁨year⁩ ago
  Why do ISPs put in the extra effort to make their service shittier? What benefit do they gain from forcing more load to their DNS servers?
  
  source
  - housepanther@lemmy.goblackcat.com ⁨1⁩ ⁨year⁩ ago
    This is purely a money move. They want to sell statistical data if I had to guess. I use DoT with Unbound because fuck Verizon.
    
    source
  - redcalcium@lemmy.institute ⁨1⁩ ⁨year⁩ ago
    My country has a national block list that must be followed by all ISP. Last year, they even went an extra mile to enforce the DNS hijacking at internet backbone level, so if any ISP neglect to do it, it’ll still get enforced by the national internet backbone.
    
    My ISP is fully embracing this system, to the point of performing deep packet inspection to enforce the national block list. Any blocked domain will return an IP address containing a web page full of ads (basically saying that the domain is blocked, here are some ads instead)I guess it’s profitable for them to do this. They also blocked Netflix using this system for years until Netflix caved in and partner with the ISP to sell subscription (yay for no net neutrality I guess).
    
    source
housepanther@lemmy.goblackcat.com ⁨1⁩ ⁨year⁩ ago
You would have to implement DNS over TLS. To do this, it’s probably easiest to use Unbound and a service like Cloudflare or OpenDNS upstream.

source