Transparent DNS proxies

Some ISP’s are now using a technology called ‘Transparent DNS proxy’.

Using this technology, they will intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results.

This effectively forces you to use their DNS service for all DNS lookups.

If you have changed your DNS settings to use an ‘open’ DNS service such as Google, Comodo or OpenDNS,

expecting that your DNS traffic is no longer being sent to your ISP’s DNS server,

you may be surprised to find out that they are using transparent DNS proxying.


DNSCrypt encrypts and authenticates DNS traffic between user and DNS resolver.

While IP traffic itself is unchanged, it prevents local spoofing of DNS queries,

ensuring DNS responses are sent by the server of choice.



DNSCrypt is a protocol for securing communications between a client and a DNS resolver,

preventing spying, spoofing or man-in-the-middle attacks.

To use it, you’ll need a tool called dnscrypt-proxy,

which “can be used directly as your local resolver or as a DNS forwarder,

authenticating requests using the DNSCrypt protocol and passing them to an upstream server”.

Check current local DNS service:

$ sudo ss -lp 'sport = :domain'

    Netid     State       Recv-Q      Send-Q     Local Address:Port       Peer Address:Port
    udp       UNCONN      23040       0*    users:(("systemd-resolve",pid=948,fd=12))
    tcp       LISTEN      0           128*    users:(("systemd-resolve",pid=948,fd=13))

Disable systemd-resolve service according to the above output:

$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved

Check current local DNS service again:

$ sudo ss -lp 'sport = :domain'

Uninstall old version:

$ sudo apt-get purge dnscrypt-proxy

Install new version:

$ sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
$ sudo apt update
$ sudo apt install dnscrypt-proxy


$ sudo cat /etc/resolv.conf

    # Generated by NetworkManager
$  cat /etc/dnsmasq.d/dnscrypt-proxy

    # Redirect everything to dnscrypt-proxy

Now you can see all your dns query is secured with type quic on the filter box of wireshark

And view related listening port:

# netstat -uanp

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    udp        0      0  *                           1/init
    udp        0      0    *                           3089/dnsmasq
    udp        0      0    *                           2000/dhclient
    udp        0      0    *                           2221/dhclient
    udp        0      0 *                           853/dnscrypt-proxy
    udp6       0      0 :::53                   :::*                                3089/dnsmasq

Check service status:

$ sudo systemctl status dnscrypt-proxy






$ /etc/resolv.conf

Normally the resolvconf program is run only by network interface configuration programs such as ifup(8),

ifdown, NetworkManager(8), dhclient(8), and pppd(8); and by local nameservers such as dnsmasq(8).

These programs obtain nameserver information from some source and push it to resolvconf.

$ resolvconf
$ /etc/network/interface



dnssec-trigger and unbound

# apt-get inastall dnssec-trigger
# apt-get inastall unbound

How do install dig?

$ sudo apt-get install dnsutils


Disable builtin dnsmasq on the network manager

$ pstree -sp $(pidof dnsmasq)
$ lsof -i :53
$ netstat -uanp
$ sudo vim /etc/NetworkManager/NetworkManager.conf

    # dns=dnsmasq

$ sudo service network-manager restart
$ sudo service networking restart
$ killall -9 dnsmasq


Deploying a DNS Server using Docker


$ docker run --name bind -it --rm \
    --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
    --volume /srv/docker/bind:/data \

We create the forward zone example.com by selecting Create master zone and in the Create new zone dialog set the Zone type to Forward, the Domain Name to example.com, the Master server to ns.example.com and set Email address to the domain administrator’s email address and select Create. Next, create the DNS entry for ns.example.com pointing to and apply the configuration

To complete this tutorial we will create a address (A) entry for webserver.example.com and then add a domain name alias (CNAME) entry www.example.com which will point to webserver.example.com.

To create the A entry, select the zone example.com and then select the Address option. Set the Name to webserver and the Address to To create the CNAME entry, select the zone example.com and then select the Name Alias option. Set the Name to www and the Real Name to webserver and apply the configuration.

And now, the moment of truth

$ host webserver.example.com
$ host www.example.com

The is address of dns server( local host machine)

Resolve all domain name to specific IP

$ sudo vim /etc/hosts example.com www.example.com
$ sudo apt-get install dnsmasq

$ sudo vim  /etc/dnsmasq.conf
$ sudo vim /etc/dnsmasq.d/demo.conf
$ sudo systemctl restart dnsmasq

The is address of dns server( local host machine)

Disable systemd-resolved

That systemd-resolved cannot be uninstalled, but can be disabled with the following commands:

$ sudo systemctl disable systemd-resolved.service
$ sudo systemctl stop systemd-resolved

Check possibly already listening to port 53

$ ss -lp 'sport = :domain'

Install proxychains4

$ apt-get install proxychains4
$ proxychains4 curl google.com