How does my University force the networked computers to only go through their DNS?

3

Basically, if I change my DNS server to Google's or OpenDNS, DNS queries stop functioning. Only when I use the school's DNS server does everything work flawlessly. Why would they force you to use their DNS servers? How is it achieved technically?

Thanks

Gregorio Di Stefano

Posted 2011-10-21T16:04:43.490

Reputation: 220

I don't really think this is off-topic, but maybe it would be better on Server Fault? I dunno, it might be a little soft for them. – Shinrai – 2011-10-21T16:21:54.990

Answers

8

Why would they force you to use their DNS servers.

You would need to ask them to know for sure. Off the top of my head, here are a few possible reasons.

To reduce problems (and maybe support calls) caused by incorrectly configured DNS Servers.

They may also have internal websites and systems whose addresses aren't published and hence would not be known to external DNS servers.

Some viruses change the DNS server on their victims' computers. (This means you could type mail.google.com or try to log in to your bank and end up at a specially crafted website designed to capture your logon details.) By forcing you to use their servers, they protect you from that type of attack (assuming their servers are clean). (Note, this doesn't stop viruses from messing around with your hosts file to achieve the same result.)

How is it achieved technically?

They can configure their firewall to block outgoing DNS, i.e. port 53, from anything other than their DNS servers.

sgmoore

Posted 2011-10-21T16:04:43.490

Reputation: 5 961

Also, as a cheap content blocking solution. E.g. block torrent sites' domains in their DNS server, block third-party DNS, presto! – haimg – 2011-10-21T16:55:28.803

@sgmoore: DNS traffic uses UDP port 53, not TCP! – Robert – 2011-10-21T18:43:29.280

@Robert: My mistake. I changed my message to say 'port 53' as I believe DNS can sometimes use TCP, but normally it would use UDP. – sgmoore – 2011-10-21T19:01:16.887

@Robert It can use either TCP or UDP. Typically UDP is used for most queries and TCP is used for zone transfers. But DNS servers ought to be equally capable of doing both. If you have access to dig, try this: dig +tcp @8.8.8.8 yahoo.com. You'll be using TCP to query Google's public DNS server. – Barry Brown – 2011-10-21T19:03:18.140

TCP is also typically used to retry queries whose answers were truncated for some reason. – Kyle Jones – 2012-03-31T16:59:15.937
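The blocking approach from the answer above, written out as an added example (this is not code from the answer or from any university's configuration): a script for a Linux gateway that forwards the campus LAN, allowing port 53 only to the site's own resolvers and logging and dropping everything else. As the comment thread points out, the rule has to cover TCP as well as UDP, or `dig +tcp @8.8.8.8` walks straight past it. The interface name and resolver addresses are assumptions; the script prints the rules by default and only executes them with `--apply`.

```shell
#!/bin/sh
# Added example, not from the original answer. Emits iptables rules for a
# router's FORWARD chain: DNS (UDP and TCP port 53) is accepted only when it
# is destined for the site's own resolvers; any other port-53 traffic is
# logged (rate-limited) and dropped.

LAN_IF="${LAN_IF:-eth1}"                        # assumed LAN-facing interface
RESOLVERS="${RESOLVERS:-10.0.0.53 10.0.0.54}"   # assumed campus resolvers

# dns_rules LAN_IF RESOLVER... : print one iptables command per line.
# Printing rather than executing lets the ruleset be reviewed without root.
dns_rules() {
    lan_if=$1; shift
    for r in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -d $r -j ACCEPT"
        done
    done
    # Everything else on port 53, both transports, is a bypass attempt.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -m limit --limit 5/min -j LOG --log-prefix 'DNS-BYPASS: '"
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
    done
}

# probe_dns RESOLVER : client-side check that both UDP and TCP queries to a
# given resolver are answered. Requires dig; exits non-zero if either fails.
probe_dns() {
    dig +short +time=2 +tries=1 @"$1" example.com >/dev/null || return 1
    dig +short +tcp +time=2 +tries=1 @"$1" example.com >/dev/null || return 1
}

if [ "${1:-}" = "--apply" ]; then
    dns_rules "$LAN_IF" $RESOLVERS | while read -r rule; do
        sh -c "$rule"
    done
else
    dns_rules "$LAN_IF" $RESOLVERS
fi
```

Run it on the gateway with `--apply` (as root, after reviewing the printed rules). From a client behind it, `probe_dns 8.8.8.8` should fail over both transports while `probe_dns 10.0.0.53` succeeds; if only the UDP query fails, the TCP rule is missing and the block is incomplete.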

0

It's possible for a gateway device, such as a router, to "transparently redirect" traffic that has certain criteria, such as "outgoing traffic to any IP on UDP port 53" to a different IP. UDP-based services are quite easy to do this with as they are "connectionless."

Another reason it may be set up this way is that they are depending on DNS-level blocking to prevent certain websites from loading.

Linux iptables has this capability if it is set up as a router.

LawrenceC

Posted 2011-10-21T16:04:43.490

Reputation: 63 487
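The transparent-redirect approach from the answer above, as an added example that is not part of the original answer: iptables rules for a Linux router that rewrites the destination of every LAN DNS query, UDP and TCP, to the site's resolver in the nat table's PREROUTING chain, so a client pointed at 8.8.8.8 still gets answers, but from the campus server. The interface name and resolver address are assumptions; the script prints the rules and executes them only with `--apply`.

```shell
#!/bin/sh
# Added example, not from the original answer. Emits iptables nat rules that
# redirect all port-53 traffic from the LAN to one resolver (DNAT), plus the
# source NAT needed when that resolver lives on the same LAN as the clients.
# Assumes the box already has net.ipv4.ip_forward=1.

LAN_IF="${LAN_IF:-eth1}"            # assumed LAN-facing interface
RESOLVER="${RESOLVER:-10.0.0.53}"   # assumed campus resolver

# redirect_rules LAN_IF RESOLVER : print one iptables command per line.
redirect_rules() {
    lan_if=$1; resolver=$2
    for proto in udp tcp; do
        # Queries already addressed to the resolver need no rewriting.
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $resolver -j DNAT --to-destination $resolver"
    done
    # If the resolver is on the same LAN, its reply would go straight back to
    # the client without passing the router, so the client would see an answer
    # from an address it never queried and discard it. Masquerading the
    # redirected packets forces the reply back through the router, where
    # conntrack restores the original destination before it reaches the client.
    for proto in udp tcp; do
        echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto --dport 53 -d $resolver -j MASQUERADE"
    done
}

if [ "${1:-}" = "--apply" ]; then
    redirect_rules "$LAN_IF" "$RESOLVER" | while read -r rule; do
        sh -c "$rule"
    done
else
    redirect_rules "$LAN_IF" "$RESOLVER"
fi
```

After applying, `dig @8.8.8.8 example.com` from a client still returns an answer, but the `SERVER:` line at the bottom of dig's output shows 8.8.8.8 while the response actually came from the campus resolver; that is the transparent part. Only traffic on port 53 is caught by these rules, so the redirect is as narrow as the match.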