4

I want to use TCP for DNS, to bypass my ISP's slow and broken DNS servers. I'm not using (and don't want to use) a proxy.

Note: I want to use DNS over TCP because if I use it over udp, no matter what server I set, I get answers from my ISP's DNS.

Notice that I will fiercely downvote whoever suggests:

  • programs to do TCP over DNS,
  • the setting in about:config to make DNS go over the proxy too: I'm not using a proxy,
  • use another DNS: I've already set up Google as my DNS, but I get intercepted.

Example of what I mean by saying intercept:

$ dig @8.8.8.8 thepiratebay.se

; <<>> DiG 9.8.1 <<>> @8.8.8.8 thepiratebay.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thepiratebay.se.               IN      A

;; ANSWER SECTION:
thepiratebay.se.        28800   IN      A       83.224.65.41

;; Query time: 50 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 16 22:51:06 2012
;; MSG SIZE  rcvd: 49

$ dig +tcp @8.8.8.8 thepiratebay.se

; <<>> DiG 9.8.1 <<>> +tcp @8.8.8.8 thepiratebay.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thepiratebay.se.               IN      A

;; ANSWER SECTION:
thepiratebay.se.        436     IN      A       194.71.107.15

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 16 22:51:10 2012
;; MSG SIZE  rcvd: 49

If it matters, I'm using Firefox 14 on Gentoo Linux.

miniBill
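Added example, not part of miniBill's question or any of the answers: the Python below builds the same A query dig sent, shows that DNS over TCP is the identical message with a two-byte length prefix (RFC 1035 section 4.2.2), parses the reply, and flags the two interception symptoms visible in the dig output above (the UDP answer has aa set although 8.8.8.8 is not authoritative for the zone, and its A record differs from the TCP answer). The two responses are constructed from the dig output, not captured packets; `query_live` is the only part that needs a network and is not exercised offline.

```python
import socket
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080  # header flag bits

def build_query(name, qid):
    """Wire-format A/IN query with RD set (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_tcp(msg):
    """DNS over TCP is the same message prefixed with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        l = msg[off]
        if l == 0:
            return ".".join(labels) + ".", off + 1
        if l & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + l].decode())
        off += 1 + l

def parse_response(msg):
    """Header flags plus the answer section as (name, type, ttl, rdata) tuples."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rcode": flags & 0xF, "answers": answers}

def build_response(query, flags, ttl, ip):
    """Constructed reply: echo the question, append one A record (name = pointer to offset 12)."""
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return hdr + query[12:] + rr

def interception_indicators(udp_resp, tcp_resp):
    """Symptoms visible in the dig output: a public recursive resolver is not authoritative
    for the zone, so AA must not be set; and UDP and TCP answers from one server should agree."""
    u, t = parse_response(udp_resp), parse_response(tcp_resp)
    reasons = []
    if u["aa"] and not t["aa"]:
        reasons.append("AA set on the UDP answer only: the reply did not come from the recursive resolver")
    ua = {a[3] for a in u["answers"] if a[1] == 1}
    ta = {a[3] for a in t["answers"] if a[1] == 1}
    if ua and ta and ua != ta:
        reasons.append("A records differ: udp=%s tcp=%s" % (sorted(ua), sorted(ta)))
    return reasons

def needs_tcp_retry(resp):
    """RFC 1035 section 4.2.1: clients fall back to TCP when the UDP reply has TC set,
    not when UDP gets no reply at all."""
    return parse_response(resp)["tc"]

def query_live(server, name, tcp=False, timeout=3.0):
    """Real query (needs network): run with tcp=False and tcp=True against the same server."""
    q = build_query(name, 0x1234)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return parse_response(s.recv(4096))
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(q))
        (n,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < n:
            chunk = s.recv(n - len(data))
            if not chunk:
                raise EOFError("server closed the connection mid-message")
            data += chunk
        return parse_response(data)

# Constructed to mirror the two dig outputs above (IDs, flags, TTLs and addresses taken from them).
UDP_RESPONSE = build_response(build_query("thepiratebay.se", 24385), QR | AA | RD | RA, 28800, "83.224.65.41")
TCP_RESPONSE = build_response(build_query("thepiratebay.se", 15131), QR | RD | RA, 436, "194.71.107.15")

if __name__ == "__main__":
    print("MSG SIZE rcvd:", len(UDP_RESPONSE), "bytes; on TCP:", len(frame_tcp(UDP_RESPONSE)))
    for reason in interception_indicators(UDP_RESPONSE, TCP_RESPONSE):
        print("interception indicator:", reason)
```

Run as a script to see the constructed comparison (the 49-byte message matches the "MSG SIZE rcvd: 49" dig reports). To check your own link, call `query_live("8.8.8.8", name)` and `query_live("8.8.8.8", name, tcp=True)` and hand both replies to `interception_indicators`. `needs_tcp_retry` documents the one case in which a stub resolver switches to TCP on its own, namely a reply with TC set; a UDP packet that is simply dropped or rejected does not trigger that fallback.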

9 Answers

7

Install Unbound, and just change "tcp-upstream: no" to "yes" in the unbound.conf config file.

# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no

And in order to resolve everything through an upstream resolver, add something like:

forward-zone:
    name: "."
    forward-addr: 213.154.224.3

You can also use dnssec-trigger, a convenient user interface for Unbound, that configures it to tunnel everything through an SSL connection.

4

One way to get round the ISP issue is to run your own, local, DNS server. This isn't especially difficult on Linux.

There is a previous, related question that covers some of the relevant points: What to do when an ISP intercepts NXDOMAIN requests? And another article here.

DNSSEC (Wikipedia) should remove this problem in the long term. Also DNSCrypt from OpenDNS fixes the issue but only for Mac and Windows workstations.

There are a number of good articles on setting up your own DNS:

Julian Knight
4

If you are using glibc you can use the undocumented use-vc option (see resolv/res_init.c in the glibc source code) which forces the libc resolver to always use TCP.

Either set it globally in resolv.conf:

options use-vc
nameserver 1.2.3.4

Or pass the option in the environment:

RES_OPTIONS=use-vc firefox

It will not work if the application implemented its own support for DNS without using the libc res_init/res_query/… functions. It's working with Firefox (probably as long as you are not using the "remote DNS" option in the SOCKS proxy settings).

ysdx
2

make Firefox use TCP for DNS?

You can't

Firefox doesn't make that decision; it just calls an operating system API like gethostbyname().

The operating system resolver hands that off to a DNS server.

You might think you could set up your own internal DNS server and configure that to only use TCP.

Here's a relevant post from someone who probably knows more about DNS than anyone else.

08-11-2008 03:20 AM

Re: Is it possible to force BIND to use TCP exclusively?

"Joe Baptista" writes:

Are there any configuration changes that can be made to BIND to force it to use TCP exclusively and never use UDP? Possible?

no.

--
Paul Vixie

Probably anyway

In theory you can find, write or modify a DNS forwarder that does what you want.

In theory you may be able to find or write a Firefox plugin that intercepts and replaces any calls to gethostbyname() with custom DNS client code - I've no idea if the Firefox plugin architecture makes this possible but it might be worth a look.

1

I had the same problem. It turned out to have nothing to do with any setting in Firefox, any setting in the OS, or TCP vs. UDP. The problem is really in the router from your ISP. It's intercepting all "port 53" traffic and rerouting it to your ISP's DNS servers. The rerouting is done by rewriting both sent and received packets (similar to NAT) in such a way that you can't tell what happened (the address of the DNS server in the packets appears to be the one you intended, even though the packet really went to the ISP's own DNS server).

Access your router (often by web browsing to 192.168.1.1 and entering a name and password), find the place where it says DNS server, and change that address from your ISP's DNS server to the one you really want to use (OpenDNS? Google? ...?).

The router config will almost certainly make it appear that address is only used by the router itself. It probably won't say anything about intercepting or about your computer. Don't believe it. DNS interception by routers is intended to keep SOHO users from temporarily bypassing a filtered DNS to look at an illicit site, and as such is a big secret: so minimally documented it usually appears to not even exist.

1

Use dnscrypt+unbound. By default dnscrypt sends out dns queries to OpenDNS on 443/udp.

I haven't figured out a way to tunnel this DNS service to other machines on my LAN though. No method works, not netcat, socat, or udptunnel.

0

Use Google's public DNS servers. They are fast and reliable. Here are directions to use them on a variety of OSs.

Keltari
0

Try blocking outgoing UDP DNS requests using iptables:

iptables -A OUTPUT -p udp --dport 53 -j REJECT

The lookup should fail for UDP and then (hopefully) be retried using TCP.

Stefan Seidel
0

Eventually, you can go the way many TPB users go and use Tor or a VPN service.

Stefan Seidel