DNS on nonstandard ports

Cobra

2009-06-21 12:24

Of course, everyone knows how to select an alternative DNS server.

Many people, however, fear that this step alone will fail to guarantee an uncensored (and unlogged) access of the web in the foreseeable future. They are afraid that providers will be forced to redirect all requests bound to port 53 to their own DNS servers, which will of course be censored, monitored and logged. This, it seems, is our dystopian reality, and we have to deal with it.

IMHO, the easiest way to query DNS servers on nonstandard ports is the installation of pdnsd (not related to pdns aka PowerDNS, but the pdnsd of Paul Rombouts) which should be available on the repositories of your distribution. Just install it, and do the following:

First of all, edit /etc/pdnsd.conf:

global {
    perm_cache=65536;
    cache_dir="/var/cache/pdnsd";
#   pid_file = /var/run/pdnsd.pid;
    run_as="pdnsd";
    server_ip = 127.0.0.1;      # Use eth0 here if you want to allow other machines
                     on your network to query pdnsd.
    status_ctl = on;
    paranoid=on;
    query_method=tcp_udp;       # pdnsd must be compiled with tcp query support for this to work.
    min_ttl=15m;            # Retain cached entries at least 15 minutes.
    max_ttl=4w;         # Four weeks.
    timeout=10;             # Global timeout option (10 seconds).
    neg_rrs_pol=on;         # see https://wiki.archlinux.org/index.php/Pdnsd
    par_queries=1;          # see https://wiki.archlinux.org/index.php/Pdnsd
}

# The following section is most appropriate for fixed connections to the Internet.
server {
    label= "uncensored";
    ip = 85.214.20.141,         # h1768020.stratoserver.net (Foebud,DE)
         80.237.196.2,      # dnsc1.dtfh.de (CCC, DE)
         213.73.91.35,      # dnscache.berlin.ccc.de (CCC, DE)
         194.150.168.168,       # dns.as250.net (CCC, DE)
         62.75.219.7,       # awxcnx.de (German Privacy Foundation, DE)
         87.118.100.175,        # ns.anon.privacyfoundation.de (German Privacy Foundation. DE)
         94.75.228.29,      # privacybox.de (German Privacy Foundation, NL)
         87.118.104.203,        # spftor1.privacyfoundation.de (German Privacy Foundation, DE)
         194.8.57.12,       # ns.n-ix.net (Nürnberger Internet eXchange, DE)
         194.95.202.198;        # omni.digital.udk-berlin.de (Universität der Künste, DE)
#   port = 110;         # German Privacy Foundation accepts queries on this nonstandard port 😉
    proxy_only=on;          # Do not query any name servers beside those above.
    timeout=4;              # Server timeout; this may be much shorter that the global timeout option.
    uptest=if;
    interface=eth0;
    interval=10m;           # Check every 10 minutes.
    purge_cache=off;        # Keep stale cache entries in case the ISP's DNS servers go offline.
}

Second, edit your /etc/resolv.conf:

nameserver 127.0.0.1

Third, and only if you'd like to have a nonvolatile DNS cache, issue 'chown -R pdnsd:pdnsd /var/cache/pdnsd'

Fourth, start the service. 😉

Fifth, you can check the status of your DNS cache by issuing 'pdnsd-ctl status' as root.

Update (08/09/09): included the nameservers in the ZDNet-List.

Second update (05/09/13): refreshed server list.