Transparent DNS proxies

Some ISP’s are now using a technology called ‘Transparent DNS proxy’.

Using this technology, they will intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results.

This effectively forces you to use their DNS service for all DNS lookups.

If you have changed your DNS settings to use an ‘open’ DNS service such as Google, Comodo or OpenDNS,

expecting that your DNS traffic is no longer being sent to your ISP’s DNS server,

you may be surprised to find out that they are using transparent DNS proxying.


DNSCrypt encrypts and authenticates DNS traffic between user and DNS resolver.

While IP traffic itself is unchanged, it prevents local spoofing of DNS queries,

ensuring DNS responses are sent by the server of choice.



DNSCrypt is a protocol for securing communications between a client and a DNS resolver,

preventing spying, spoofing or man-in-the-middle attacks.

To use it, you’ll need a tool called dnscrypt-proxy,

which “can be used directly as your local resolver or as a DNS forwarder,

authenticating requests using the DNSCrypt protocol and passing them to an upstream server”.

$ apt-get install dnscrypt-proxy

# vim /lib/systemd/system/dnscrypt-proxy.socket

# vim /etc/resolv.conf

# no needs to run manually, currently run with system and listen on ``
## dnscrypt-proxy  -R adamas  --local-address=

# systemctl status dnscrypt-proxy
$ sudo vim /etc/default/dnscrypt-proxy
    # https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
    DNSCRYPT_PROXY_RESOLVER_NAME=4armed # cisco, cs-cfi, cloudns-syd ..

The dnsmasq can be used as both dhchp and dns server.

Here we configure it to use with dnscrypt-proxy

$ dnsmasq
# vim /etc/dnsmasq.conf
# systemctl restart  dnsmasq

Now you can see all your dns query is secured with type quic on the filter box of wireshark

And view related listening port:

# netstat -uanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0  *                           1/init
udp        0      0    *                           3089/dnsmasq
udp        0      0    *                           2000/dhclient
udp        0      0    *                           2221/dhclient
udp        0      0 *                           853/dnscrypt-proxy
udp6       0      0 :::53                   :::*                                3089/dnsmasq




$ /etc/resolv.conf

Normally the resolvconf program is run only by network interface configuration programs such as ifup(8),

ifdown, NetworkManager(8), dhclient(8), and pppd(8); and by local nameservers such as dnsmasq(8).

These programs obtain nameserver information from some source and push it to resolvconf.

$ resolvconf
$ /etc/network/interface



dnssec-trigger and unbound

# apt-get inastall dnssec-trigger
# apt-get inastall unbound

How do install dig?

$ sudo apt-get install dnsutils


Disable builtin dnsmasq on the network manager

$ pstree -sp $(pidof dnsmasq)
$ lsof -i :53
$ netstat -uanp
$ sudo vim /etc/NetworkManager/NetworkManager.conf

    # dns=dnsmasq

$ sudo service network-manager restart
$ sudo service networking restart
$ killall -9 dnsmasq


Deploying a DNS Server using Docker


$ docker run --name bind -it --rm \
    --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
    --volume /srv/docker/bind:/data \

We create the forward zone example.com by selecting Create master zone and in the Create new zone dialog set the Zone type to Forward, the Domain Name to example.com, the Master server to ns.example.com and set Email address to the domain administrator’s email address and select Create. Next, create the DNS entry for ns.example.com pointing to and apply the configuration

To complete this tutorial we will create a address (A) entry for webserver.example.com and then add a domain name alias (CNAME) entry www.example.com which will point to webserver.example.com.

To create the A entry, select the zone example.com and then select the Address option. Set the Name to webserver and the Address to To create the CNAME entry, select the zone example.com and then select the Name Alias option. Set the Name to www and the Real Name to webserver and apply the configuration.

And now, the moment of truth

$ host webserver.example.com
$ host www.example.com

The is address of dns server( local host machine)

Resolve all domain name to specific IP

$ sudo vim /etc/hosts example.com www.example.com
$ sudo apt-get install dnsmasq

$ sudo vim  /etc/dnsmasq.conf
$ sudo vim /etc/dnsmasq.d/demo.conf
$ sudo systemctl restart dnsmasq

The is address of dns server( local host machine)