EDIT: So because of my $0 budget and the fact that my uptime is around 50% (PC, no additional servers) I ended up using NextDNS. For the time being it works (according to dnsleaktest), an added benefit was improved ad-blocking (100% in this tool). I now have plans for a proper router in the future with a Pi-hole. Thanks so much for all the info & suggestions, definitely learnt a lot.

So it turns out I got myself into an ISP that was shittier than expected (I already knew it was kinda shitty), they DNS hijack for whatever reason and I can’t manually set my own DNS on my router or even my devices.

Cyber security has never been my forte but I’m always trying to keep learning as I go. I’ve read that common solutions involve using a different port (54) or getting a different modem/router or just adding a router.

Are they all true? Whats the cheapest, easiest way of dealing with all of this?

  • slazer2au@lemmy.world
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    Change the DNS servers on you devices to a DoT or DoH provider.

    The ISP can’t intercept and rewrite your requests if they are in a secure session.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    PiHole Network-wide ad-blocker (DNS sinkhole)
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network

    [Thread #56 for this sub, first seen 16th Aug 2023, 18:25] [FAQ] [Full list] [Contact] [Source code]

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    1 year ago

    On modern versions of Windows (and probably other OSes), you can configure it to use DNS over HTTPS with a service like Quad9 or Cloudflare, which will fix this.

    To do this across all your devices, even those that don’t support DoH, install AdGuard Home on a home server or Raspberry Pi or your PC if it’s always on. ISPs can’t intercept DoH requests. Then configure your router to set the DNS server to your AdGuard Home server.

  • z3bra@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    Setup a local DNS server in your local network, and configure it to forward everything to an external DNS provider over TLS (port 853 usually). This is known as DNS over TLS (or DoT as other people mentioned).

    I personally like https://cyberia.is

  • jubilationtcornpone@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    So is your ISP blocking or redirecting outgoing requests on port 53? You said you can’t set dns servers on your own devices so I’m just trying to understand why that doesn’t work.

    • 3laws@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      So is your ISP blocking or redirecting outgoing requests on port 53?

      Correct.

      • jubilationtcornpone@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        1 year ago

        Wow. What kind of bullshit ISP blocks outbound DNS requests? I would bitch loudly at them as they have no valid excuse for doing that. Anyway… In that case you have a few options. You can use DNS over https but that’s supported primarily by browsers. Not so much other desktop applications. I would get a router that’s capable of WireGuard and connect it to ProtonVPN (or another VPN service of your choice). You don’t have to route all traffic over VPN if you don’t want to but at least you’ll be able to use whatever DNS server you want.

        • Moonrise2473@feddit.it
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          In Italy Vodafone blocks that request for “safety” and they were forcing users to use a custom proprietary shitty router where you could barely change the wifi password

      • Snowplow8861@lemmus.org
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        The bypass is to run your own router, distribute locally hosted dns servers (either the router or pihole) and the dns servers get their lookups over dns over https (443) and your provider can’t intercept that since it looks like regular encrypted Web traffic just like they shouldn’t be able to inspect your netbank.

        Australia is different but these isps who do that generally have a +$5 per month plan to go to a static public rout able public Up (instead of cgnat) and unfiltered Internet. They usually are more allowing mum and dad to filter the Web so their kids can’t get too far off track. Maybe just double check on your ISP portal settings but I’m going to assume you’re not in aus.

        • 3laws@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I’m in MX. It’s not like they actually care about giving the consumer proper permissions. The “business” solution keeps the DNS shenanigans.

  • MangoPenguin@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    Set up your router to use DNS-over-HTTPS if it supports it.

    If not you can install Adguard Home somewhere, set your devices to use that for DNS, and set it to use DNS-over-HTTPS for the upstream servers.

  • Morgikan@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Just throwing out a couple of other solutions I didn’t see mentioned for DoH/DoT:

    1. CoreDNS
    2. Blocky

    Both of those support encryption and allow for DNSBL. If you are wanting to hand out DNS entries over DHCP it may a problem with your ISPs router there. Either replace it, sit one you do control between it and your network, or run DHCP snooping from a switch to restrict it’s DHCP.

  • ShitpostCentral@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    3
    ·
    1 year ago

    Look into Pi-hole. It’s an easy-to-setup DNS server which can run on a Raspberry Pi (or a Linux desktop/server if you have one.) You can then set your devices’ DNS servers to the local address where the Pi-hole is running. Since it would be running on your local network, any requests to it shouldn’t go through your ISP in the first place. I’d still recommend getting your own router anyways because this kind of ISP fuckery is more common than you’d expect. Plus, your exact configurations follow you anywhere you move. If you do end up getting one, set the local DNS server in the DHCP settings of your router to avoid having to set it on each device.

    • vector_zero@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Doesn’t the RPi still go through the ISP? You’d still have to find a way to bypass their hijacking attempts, just on a different device this time.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        You’d have to use DNS over HTTPS, DNS over TLS, or DNS over QUIC. As far as I know, PiHole doesn’t support these out-of-the-box, so AdGuard Home is a better choice (it’s like PiHole but more powerful).

        I know PiHole had plans to implement this though, so maybe they do support it now.

    • A Mouse@midwest.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Using your own router is the best way, I just finished setting up DoH, I am using a router with OpenWRT, so installed https-dns-proxy with luci-app-https-dns-proxy. It has options to hijack DNS so that all local devices will be routed to the router DNS even if they try to use a DNS server directly.

      More information can be found here.

    • MangoPenguin@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Adguard home is a better choice as it supports DoT and DoH, which OP will need to use to be able to bypass their ISPs DNS hijacking.

      Pihole only supports unencrypted DNS on port 53 which is what the ISP is targeting.

  • m_randall@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    2
    ·
    1 year ago

    Why can you not set your own DNS on your devices?

    If you mean you can’t set your DNS automatically that would be due to DHCP. You can setup your own DHCP server and set the DNS IP to whatever you want (8.8.8.8 etc).

    PiHole should handle all this for you all while blocking ads and being a local DNS resolver.

    • 3laws@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Why can you not set your own DNS on your devices?

      I can, they get redirected to my ISPs DNS, no matter what. This was not an issue with my pervious company.

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          1 year ago

          Often, if you try to go to a non-existent domain, it’ll still return an IP address that loads a “this site doesn’t exist” page hosted by the ISP, often full of sponsored links, similar to a domain parking page.

          It’s trivial to do this. DNS requests are unencrypted and can easily be modified by an ISP, even if you use a custom DNS server like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. You need DNS over HTTPS or a similar technology to prevent this happening.

          • ares35@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            hijacking dns is also my provider’s first action when you’re late paying the bill. by ip or doh or a long-lived dns cache and you’re still going, but anything looked-up via a ‘regular’ dns server goes nowhere. that gets you another 2-3 weeks until they deny the modem from even authenticating.