How to make Firefox use TCP for DNS

4

0

I want to use TCP for DNS, to bypass my ISP's slow and broken DNS servers. I'm not using (and don't want to use) a proxy.

Note: I want to use DNS over TCP because if I use it over udp, no matter what server I set, I get answers from my ISP's DNS.

Notice that I will fiercely downvote whoever suggests:

  • programs to do TCP over DNS,
  • the setting in about:config to make DNS go over the proxy too: I'm not using a proxy,
  • use another DNS: I've already set up Google as my DNS, but I get intercepted.

Example of what I mean by saying intercept:

$ dig @8.8.8.8 thepiratebay.se

; <<>> DiG 9.8.1 <<>> @8.8.8.8 thepiratebay.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thepiratebay.se.               IN      A

;; ANSWER SECTION:
thepiratebay.se.        28800   IN      A       83.224.65.41

;; Query time: 50 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 16 22:51:06 2012
;; MSG SIZE  rcvd: 49

$ dig +tcp @8.8.8.8 thepiratebay.se

; <<>> DiG 9.8.1 <<>> +tcp @8.8.8.8 thepiratebay.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thepiratebay.se.               IN      A

;; ANSWER SECTION:
thepiratebay.se.        436     IN      A       194.71.107.15

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 16 22:51:10 2012
;; MSG SIZE  rcvd: 49

If it matters, I'm using Firefox 14 on Gentoo Linux.

miniBill

Posted 2012-09-16T19:27:47.180

Reputation: 258
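The two captures above already contain the tells a practitioner looks for, and the following script (added here; it is not part of the question) turns them into a check. The UDP reply carries the aa (Authoritative Answer) flag, which a recursive resolver such as 8.8.8.8 never sets for a zone it does not serve; its TTL is a round 28800 rather than a decremented cache value; and its A record differs from the one received over TCP. The script parses dig output for the first and last of those signals, can run the same UDP-versus-TCP comparison live, and adds one more probe: a query sent to 192.0.2.1 (RFC 5737 documentation space, where nothing listens) that gets any reply at all can only have been answered by an interceptor. The server and name arguments are assumptions; the embedded sample outputs are abridged copies of the question's own dig runs.

```sh
#!/bin/sh
# Added example (not from the question): decide from two dig outputs whether
# a resolver's UDP answers are being intercepted on the path.  Needs only
# POSIX sh, awk and sed; the live checks at the bottom also need dig.

# Print the A records from the ANSWER SECTION of dig output on stdin, sorted.
dig_a_records() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && $4 == "A"   { print $5 }' | sort
}

# Print the header flags ("qr aa rd ra") from dig output on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# True when the flags include "aa".  A recursive resolver such as 8.8.8.8
# never sets the Authoritative Answer bit for a zone it does not serve, so
# an AA-flagged reply that claims to come from it was forged on the path.
has_aa_flag() {
    case " $1 " in *" aa "*) return 0 ;; *) return 1 ;; esac
}

# Compare a UDP and a TCP dig capture of the same query (two files).
# Returns 0 and explains why when interception is detected, 1 otherwise.
compare_answers() {
    udp_a=$(dig_a_records < "$1")
    tcp_a=$(dig_a_records < "$2")
    udp_flags=$(dig_flags < "$1")
    if [ "$udp_a" != "$tcp_a" ]; then
        echo "INTERCEPTED: UDP answer [$udp_a] differs from TCP answer [$tcp_a]"
        return 0
    fi
    if has_aa_flag "$udp_flags"; then
        echo "INTERCEPTED: UDP reply carries the AA flag ($udp_flags)"
        return 0
    fi
    echo "consistent: $udp_a"
    return 1
}

# Live check 1 (needs network): same name, same server, UDP then TCP.
check_live() {
    u=$(mktemp); t=$(mktemp)
    dig @"${2:-8.8.8.8}" "$1" > "$u"
    dig +tcp @"${2:-8.8.8.8}" "$1" > "$t"
    compare_answers "$u" "$t"; rc=$?
    rm -f "$u" "$t"
    return $rc
}

# Live check 2 (needs network): query an address that runs no DNS server
# (192.0.2.1 is RFC 5737 documentation space).  Any answer at all proves
# that something on the path is redirecting port 53.
probe_bogus_resolver() {
    if out=$(dig +short +time=2 +tries=1 @192.0.2.1 "${1:-example.com}") && [ -n "$out" ]; then
        echo "INTERCEPTED: 192.0.2.1 answered with $out"; return 0
    fi
    echo "no answer from 192.0.2.1 (expected)"; return 1
}

# Abridged copies of the two captures in the question, for an offline demo.
sample_udp_output() {
cat <<'EOF'
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
thepiratebay.se.        28800   IN      A       83.224.65.41

EOF
}
sample_tcp_output() {
cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
thepiratebay.se.        436     IN      A       194.71.107.15

EOF
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-thepiratebay.se}" "${3:-8.8.8.8}"
    probe_bogus_resolver
else
    u=$(mktemp); t=$(mktemp)
    sample_udp_output > "$u"; sample_tcp_output > "$t"
    compare_answers "$u" "$t"
    rm -f "$u" "$t"
fi
```

Run it with no arguments for the offline demo on the question's captures, or with `--live thepiratebay.se 8.8.8.8` to test your own path. The AA-flag test catches an interceptor that synthesises answers itself even on names where it happens to return the right address, because it is a property of the forged header rather than of the data; the 192.0.2.1 probe catches the transparent-redirect case independently of which resolver you think you are using.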

Is this from a fixed network? Eg. a home network? If so, have you tried running your own DNS?

– Julian Knight – 2012-09-16T19:58:04.930

1

Not really an answer for you so I'll leave it as a comment. OpenDNS offer a Windows and Mac client DnsCrypt that should fix this

– Julian Knight – 2012-09-16T20:01:58.153

@JulianKnight yeah, it is. Running my own DNS could be an idea. If you write it as an answer I'll upvote and eventually accept as answer if no better ideas are found – miniBill – 2012-09-16T20:13:42.207

Firefox may be using the OS'es socket interface for DNS resolution as well, so it may not even control how DNS is done. – billc.cn – 2012-09-16T20:24:53.217

@JulianKnight: also, are there specific settings to put in named.conf? Because with the default config it keeps getting intercepted... – miniBill – 2012-09-16T20:35:37.763

@billc.cn Firefox can control how it does DNS, for example when you use a proxy – miniBill – 2012-09-16T20:36:30.947

You won't be able to do this since most DNS servers don't listen on TCP. It's mostly used only for large zone transfers. Your best bet would be to run a local, caching name server (e.g. dnsmasq) and set up your hosts to use that server. – Keith – 2012-09-17T03:11:03.443

@Keith google's does. Let's say that I use dnsmasq, my ISP will still intercept dns requests and route them to their server... – miniBill – 2012-09-17T09:07:28.807

Not an answer: I want to use DNS over TCP because if I use it over udp, no matter what server I set, I get answers from my ISP's DNS. Your ISP is horrible, please switch it or complain to them. – Bobby – 2012-09-17T09:36:39.817

@miniBill Can you point me to a reference explaining how Google DNS uses TCP? And how to configure it? Thanks. – Keith – 2012-09-17T14:00:45.770

Change ISPs to one that actually gives you Internet access. DNS servers are part of the Internet and you are entitled to access them. – David Schwartz – 2013-01-29T19:19:27.930

@Bobby well, I'd do it, but as this is almost my only complaint and I can easily route around it, I'm keeping them :) – miniBill – 2013-01-29T19:39:39.413

@Keith almost every DNS server will answer TCP queries. Personally, I was able to use Frank's answer for me ^^ – miniBill – 2013-01-29T19:40:51.050

@miniBill: Your "only" complaint is that they don't actually give you Internet access? That's their only job, and they don't do it. – David Schwartz – 2013-01-29T19:42:20.393

@miniBill If they didn't I wouldn't be here speaking with you :D Besides, I can route around their limitations and, notwithstanding them, they have a pretty nice bang for the buck – miniBill – 2013-01-29T19:45:03.577

You should report your ISP behavior to the internet authority in your country. Unless you're @ China, I believe EFF can help you with that.

– jweyrich – 2013-01-30T03:36:52.117

Answers

3

If you are using glibc you can use the undocumented use-vc option (see resolv/res_init.c in the glibc source code) which forces the libc resolver to always use TCP.

Either set it globally in resolv.conf:

options use-vc
nameserver 1.2.3.4

Or pass the option in the environment:

RES_OPTIONS=use-vc firefox

It will not work if the application implemented its own support for DNS without using the libc res_init/res_query/… functions. It's working with Firefox (probably as long as you are not using the "remote DNS" option in the SOCKS proxy settings).

ysdx

Posted 2012-09-16T19:27:47.180

Reputation: 181
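To confirm that use-vc is actually honoured on a given system, trace the lookup's sockets. The script below (added here, not part of the answer) runs getent under strace with RES_OPTIONS=use-vc and classifies every connect() to port 53 by the type of the socket it was made on; a lookup that goes through the libc resolver in TCP mode shows SOCK_STREAM sockets only. If the trace shows no port-53 traffic at all, the lookup went somewhere else first, for example a local caching daemon or, on newer systems, an nss-resolve module that hands the query to systemd-resolved over a local IPC socket, in which case use-vc has no effect on the wire; likewise a current Firefox with DNS over HTTPS (network.trr.mode) enabled bypasses libc entirely. The two-line traces embedded at the bottom are constructed, not real captures; strace, getent and the name are assumptions.

```sh
#!/bin/sh
# Added example (not from the answer above): confirm that the glibc stub
# resolver really talks TCP once RES_OPTIONS=use-vc is set, by tracing the
# socket() and connect() calls of a lookup.  Assumes strace and getent.
# The sample traces at the bottom are constructed, not real captures.

# Trace one lookup through NSS/libc into a file; only socket() and
# connect() are recorded.  $1 = name, $2 = output file.
trace_lookup() {
    RES_OPTIONS=use-vc strace -f -o "$2" -e trace=socket,connect \
        getent ahostsv4 "$1" > /dev/null 2>&1 || true
}

# Summarise how every port-53 connect() in a trace file was made
# ("tcp"/"udp"), by remembering the socket type behind each descriptor.
dns_transports() {
    awk '
    /socket\(AF_INET6?,/ {
        n = split($0, p, "= "); fd = p[n]
        sock[fd] = ($0 ~ /SOCK_STREAM/) ? "tcp" : (($0 ~ /SOCK_DGRAM/) ? "udp" : "other")
    }
    /connect\([0-9]+,/ && /sin6?_port=htons\(53\)/ {
        match($0, /connect\([0-9]+/)
        fd = substr($0, RSTART + 8, RLENGTH - 8)
        t = (fd in sock) ? sock[fd] : "unknown"
        print t
    }' "$1" | sort | uniq -c | sed 's/^ *//'
}

# Success only if the trace shows TCP queries and no UDP ones.
used_only_tcp() {
    summary=$(dns_transports "$1")
    echo "$summary"
    echo "$summary" | grep -q '^[0-9]* tcp$' && ! echo "$summary" | grep -q ' udp$'
}

# Constructed two-line excerpts of what strace prints for a TCP or a UDP
# query; $1 = tcp | udp.
sample_trace() {
    if [ "$1" = tcp ]; then
        echo 'socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP) = 3'
    else
        echo 'socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3'
    fi
    echo 'connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 0'
}

if [ "${1:-}" = "--live" ]; then
    f=$(mktemp); trace_lookup "${2:-example.com}" "$f"
    used_only_tcp "$f" && echo "use-vc honoured: lookup went over TCP" \
                       || echo "UDP still used, or no port-53 traffic seen at all"
    rm -f "$f"
else
    f=$(mktemp); sample_trace tcp > "$f"; used_only_tcp "$f"; rm -f "$f"
fi
```

With `--live example.com` the script traces a real lookup; a healthy result prints a single `N tcp` line. A mixed `udp`/`tcp` result means some queries never went through res_send with the option set (typically another NSS module or daemon in front of libc), which is exactly the case in which Firefox would still leak UDP queries to the ISP.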

7

Install Unbound, and just change "tcp-upstream: no" to "yes" in the unbound.conf config file.

# upstream connections use TCP only (and no UDP), "yes" or "no"
# useful for tunneling scenarios, default no.
# tcp-upstream: no

And in order to resolve everything through an upstream resolver, add something like:

forward-zone:
    name: "."
    forward-addr: 213.154.224.3

You can also use dnssec-trigger, a convenient user interface for Unbound, that configures it to tunnel everything through an SSL connection.

Frank Denis

Posted 2012-09-16T19:27:47.180

Reputation: 71

Thank you. In the end I could get away by using opendns's 5353 port (using forward-addr: 208.67.222.222@5353), with udp, but your answer was what I was looking for :) – miniBill – 2012-09-25T17:56:53.953
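The script below (added here, not part of the answer or the comment) builds a complete unbound.conf around the tcp-upstream setting above, with the forwarders passed in as parameters so that the OpenDNS alternate port from the comment (208.67.222.222@5353) and Google (8.8.8.8) can be mixed. It runs unbound-checkconf on the result and then verifies the one thing that silently undoes the whole setup: a resolv.conf that still lists the ISP's DHCP-assigned nameserver next to 127.0.0.1, which glibc falls back to whenever the first server times out or errors (and uses in turn with options rotate). The file paths, the 8.8.8.8 choice and the test name are assumptions.

```sh
#!/bin/sh
# Added example (not from the answer above): generate, check and verify an
# Unbound configuration that forwards everything upstream over TCP only.
# Assumes unbound and dig are installed and that the install step runs as
# root.  Upstream addresses are parameters; 208.67.222.222@5353 is the
# OpenDNS alternate port from the comment, 8.8.8.8 is Google.

# Print a complete unbound.conf; every argument becomes a forwarder.
render_unbound_conf() {
    cat <<'EOF'
server:
    verbosity: 1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # The setting from the answer: talk to the forwarders over TCP only.
    # Clients on localhost may still use UDP towards Unbound itself.
    tcp-upstream: yes
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
forward-zone:
    name: "."
EOF
    for upstream in "$@"; do
        printf '    forward-addr: %s\n' "$upstream"
    done
}

# Write the config and let Unbound's own checker validate it.
# Restart the unbound service with your init system afterwards.
install_unbound_conf() {
    conf="$1"; shift
    render_unbound_conf "$@" > "$conf"
    unbound-checkconf "$conf"
}

# After the switch, resolv.conf must list only the local resolver; a
# leftover ISP/DHCP nameserver would still be used by glibc as a fallback.
# Returns 0 when every nameserver line is 127.0.0.1 or ::1.
resolv_conf_uses_only_localhost() {
    servers=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]*//p' "$1")
    [ -n "$servers" ] || { echo "no nameserver lines in $1"; return 1; }
    for ns in $servers; do
        case "$ns" in
            127.0.0.1|::1) ;;
            *) echo "non-local nameserver in $1: $ns"; return 1 ;;
        esac
    done
    return 0
}

# Live check (needs network): ask Unbound over TCP and over UDP; with
# tcp-upstream both answers come from the forwarder, not from the ISP.
verify_local_resolver() {
    dig +tcp @127.0.0.1 +short "$1"
    dig @127.0.0.1 +short "$1"
}

if [ "${1:-}" = "--install" ]; then
    install_unbound_conf /etc/unbound/unbound.conf 208.67.222.222@5353 8.8.8.8
    printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
    resolv_conf_uses_only_localhost /etc/resolv.conf
    verify_local_resolver "${2:-thepiratebay.se}"
else
    render_unbound_conf 208.67.222.222@5353 8.8.8.8
fi
```

Without arguments the script only prints the generated configuration; `--install` writes it, checks it and points resolv.conf at 127.0.0.1. On a DHCP-managed host the resolv.conf step gets undone at the next lease renewal unless dhcpcd or NetworkManager is told to leave the file alone, which is why the check function is kept separate so it can be re-run at any time.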

4

One way to get round the ISP issue is to run your own, local, DNS server. This isn't especially difficult on Linux.

There is a previous, related question that covers some of the relevant points: What to do when an ISP intercepts NXDOMAIN requests? And another article here.

DNSsec (WikiPedia) should remove this problem in the long term. Also DNSCrypt from OpenDNS fixes the issue but only for Mac and Windows workstations.

There are a number of good articles on setting up your own DNS:

Julian Knight

Posted 2012-09-16T19:27:47.180

Reputation: 13 389

1

But my local DNS server eventually needs to get out there and actually get the resolved name. Now, when that happens my ISP intercepts the request. The delegation-only trick doesn't work for me, or maybe I misconfigured named. – miniBill – 2012-09-16T20:50:05.733

1

OpenDNS accepts queries on 5353. – LawrenceC – 2012-09-17T11:12:58.890

@ultrasawblade now that's interesting. Is there a way to directly use that or do I have to install a local dns server? – miniBill – 2012-09-25T17:32:48.100

1

@ultrasawblade actually, using Unbound as Frank suggested, with the custom port, did the trick. Thanks. – miniBill – 2012-09-25T17:57:29.933

2

make Firefox use TCP for DNS?

You can't

Firefox doesn't make that decision, it just calls an operating system API like gethostbyname()

The operating system resolver hands that off to a DNS server.

You might think you could set up your own internal DNS server and configure that to only use TCP.

Here's a relevant post from someone who probably knows more about DNS than anyone else.

08-11-2008 03:20 AM

Re: Is it possible to force BIND to use TCP exclusively?

"Joe Baptista" writes:

Are there any configuration changes that can be made to BIND to force it to use TCP exclusively and never use UDP? Possible?

no.

--
Paul Vixie

Probably anyway

In theory you can find, write or modify a DNS forwarder that does what you want.

In theory you may be able to find or write a Firefox plugin that intercepts and replaces any calls to gethostbyname() with custom DNS client code - I've no idea if the Firefox plugin architecture makes this possible but it might be worth a look.

RedGrittyBrick

Posted 2012-09-16T19:27:47.180

Reputation: 70 632

1

I had the same problem. It turned out to have nothing to do with any setting in Firefox, any setting in the OS, or TCP vs. UDP. The problem is really in the router from your ISP. It's intercepting all "port 53" traffic and rerouting it to your ISP's DNS servers. The rerouting is done by rewriting both sent and received packets (similar to NAT) in such a way that you can't tell what happened (the address of the DNS server in the packets appears to be the one you intended, even though the packet really went to the ISP's own DNS server).

Access your router (often by web browsing to 192.168.1.1 and entering a name and password), find the place where it says DNS server, and change that address from your ISP's DNS server to the one you really want to use (OpenDNS? Google? ...?).

The router config will almost certainly make it appear that address is only used by the router itself. It probably won't say anything about intercepting or about your computer. Don't believe it. DNS interception by routers is intended to keep SOHO users from temporarily bypassing a filtered DNS to look at an illicit site, and as such is a big secret: so minimally documented it usually appears to not even exist.

Chuck Kollars

Posted 2012-09-16T19:27:47.180

Reputation: 31

Unfortunately my router is a "Vodafone Station", there is no DNS setting in here... You get an upvote anyway ^^ – miniBill – 2013-01-29T19:37:58.823

Arrggghhhh. Do I understand correctly your LAN connectivity is via a cellphone tether? If so, I don't know of any answer. So far as I know, use of any alternative DNS over a cell network is an unsolved problem and there aren't even any good hacks. The address of the DNS server is provided to the cellphone as part of the DHCP response from the ISP. Hacking it may be possible with some combination of a "rooted" phone and a "static" IP configuration ...but probably not. I've no experience with TCP DNS on a cell network, so don't know for certain that it wouldn't work...:-( – Chuck Kollars – 2013-01-30T02:30:37.267

The cellphone tether is there only as a fallback, normal connectivity comes via regular DSL so no, your observation doesn't apply :) – miniBill – 2013-02-02T19:22:41.113

Oops, I said "router" when for clarity I should have said "modem", because nowadays the two devices are generally combined. For an outboard router backed by a DSL modem, the setting will be in the DSL modem. (Another way to think of this is the setting will be in the part that has to be "approved" by your telephone company:-) – Chuck Kollars – 2013-04-08T21:51:06.433

1

Use dnscrypt+unbound. By default dnscrypt sends out dns queries to OpenDNS on 443/udp.

I haven't figured out a way to tunnel this dns service to other machines on my LAN though. No method works, not netcat, socat, or udptunnel.

user209837

Posted 2012-09-16T19:27:47.180

Reputation: 11

0

Use Google's public DNS servers. They are fast and reliable. Here are directions to use them on a variety of OSs.

Keltari

Posted 2012-09-16T19:27:47.180

Reputation: 57 019

1

If I use dns over udp I get intercepted by my ISP. I'll edit the question to reflect that – miniBill – 2012-09-16T19:36:05.317

OOC, who is your ISP? – Keltari – 2012-09-16T19:38:59.047

It's Vodafone IT – miniBill – 2012-09-16T19:41:25.010

hm, not familiar with them. – Keltari – 2012-09-16T19:44:25.860

Vodafone are a UK mobile phone provider. – Julian Knight – 2012-09-29T08:55:08.373

@JulianKnight and an italian mobile and landline phone provider – miniBill – 2012-12-24T10:24:50.170

0

Try blocking outgoing UDP DNS requests using iptables:

iptables -A OUTPUT -p udp --dport 53 -j REJECT

The lookup should fail for UDP and then (hopefully) be retried using TCP.

Stefan Seidel

Posted 2012-09-16T19:27:47.180

Reputation: 8 812

If I do that the lookup simply fails, and firefox does not retry with TCP – miniBill – 2012-09-17T09:14:50.403

Per RFC 1035 DNS queries are normally UDP. Making queries work on TCP requires a resolver set to send queries that way and a DNS server set to receive queries that way.

– dafydd – 2013-01-29T19:35:44.100
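The failure the comments describe is the expected behaviour: glibc's stub resolver only retries a query over TCP when a UDP reply comes back with the TC (truncated) bit set, so a REJECTed packet just produces an ICMP port-unreachable and a failed lookup. The rules below (added here, not part of the answer) take the opposite approach: instead of blocking UDP they redirect every outbound port-53 packet, UDP and TCP, to a local Unbound configured with tcp-upstream as in the Unbound answer above, so that no application can reach the ISP's interceptor with a plain UDP query whatever its own settings. Unbound's own upstream queries are excluded by owner match so they are not looped back to itself. The user name, the uid and the sample iptables -S listing are assumptions.

```sh
#!/bin/sh
# Added example (not from the answer above): instead of rejecting UDP DNS,
# redirect every outbound port-53 packet to a local Unbound that forwards
# over TCP, so applications cannot bypass it.  Assumes iptables, a local
# resolver on 127.0.0.1:53 running as user "unbound", and root to apply.

# Print the nat rules, one per line.  $1 = user Unbound runs as.  Unbound's
# own queries are excluded by owner; REDIRECT in the nat OUTPUT chain maps
# locally generated packets to 127.0.0.1.
dns_redirect_rules() {
    cat <<EOF
-t nat -A OUTPUT -o lo -j RETURN
-t nat -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner ${1:-unbound} -j REDIRECT --to-ports 53
-t nat -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner ${1:-unbound} -j REDIRECT --to-ports 53
EOF
}

# Apply the rules (needs root).
apply_dns_redirect() {
    dns_redirect_rules "$@" | while read -r rule; do
        # the rule is deliberately word-split into iptables arguments
        iptables $rule
    done
}

# Given "iptables -t nat -S OUTPUT" output on stdin, report whether both
# UDP and TCP port 53 are redirected.  Returns 0 only when both are.
redirect_covers_both_protocols() {
    udp=0; tcp=0
    while read -r line; do
        case "$line" in
            *"-p udp"*"--dport 53"*"-j REDIRECT"*) udp=1 ;;
            *"-p tcp"*"--dport 53"*"-j REDIRECT"*) tcp=1 ;;
        esac
    done
    [ "$udp" = 1 ] && [ "$tcp" = 1 ]
}

# Constructed sample of what "iptables -t nat -S OUTPUT" prints afterwards
# (iptables shows the uid numerically and adds the implicit -m udp/-m tcp).
sample_nat_listing() {
cat <<'EOF'
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner 1001 -j REDIRECT --to-ports 53
-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner 1001 -j REDIRECT --to-ports 53
EOF
}

if [ "${1:-}" = "--apply" ]; then
    apply_dns_redirect "${2:-unbound}"
    iptables -t nat -S OUTPUT | redirect_covers_both_protocols && echo "DNS redirect active"
else
    sample_nat_listing | redirect_covers_both_protocols && echo "sample listing covers udp+tcp"
fi
```

Note that this only helps together with a local resolver that itself uses TCP upstream; redirecting to a resolver that forwards over UDP merely moves the interception one hop. The `-o lo` rule is a shortcut for traffic already aimed at the local resolver, and the owner match is what prevents Unbound's forwarded queries from being redirected back into Unbound.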

0

Eventually, you can go the way many TPB users go and use TOR or a VPN service.

Stefan Seidel

Posted 2012-09-16T19:27:47.180

Reputation: 8 812

TPB was just a specific example. The question clearly states that I don't want to use a proxy [and TOR and a VPN qualify as proxies for this question]... – miniBill – 2012-09-25T17:34:33.560