Why can't I use custom DNS server addresses in a network?

2

0

I always used to set the DNS servers to Google's 8.8.8.8 and 8.8.4.4 right after I log in to any network. However, recently I found out I wouldn't get access to any site unless I set my OS configuration to get the default DNS server address from my campus network.

Is there any reason why a network configuration or network device makes it impossible for a connected node to work normally with a custom DNS server address? If so, how could I trick it?

diegoaguilar

Posted 2014-02-26T06:35:34.380

Reputation: 204

Try with your ISP DNS as preferred & use 8.8.8.8 as secondary. – None – 2014-02-26T06:37:31.320

Yes, I agree, but I want to know what the technical reasons are why I couldn't use any custom DNS server address in that network. – diegoaguilar – 2014-02-26T06:42:20.347

If you use a custom DNS it doesn't resolve your domain name; e.g., check with the nslookup command in cmd. If you set DNS to automatic, it resolves your domain name automatically with your ISP DNS. – None – 2014-02-26T06:51:00.440

I understand that, but why would the same custom DNS work in my home network and not in the one where I had the problem? – diegoaguilar – 2014-02-26T06:54:20.000

Answers

9

Many organizations restrict direct access to external DNS servers by blocking DNS requests and replies at the firewall (i.e. they block UDP port 53). This is a common security practice to protect you from attacks. One such attack is a DNS spoofing attack, where an attacker will redirect your DNS queries to an "evil" name server. When you browse to www.mybank.com, the evil nameserver will return the address of a fake bank site, where they can fool you into revealing your login credentials.

The organization only allows its DNS server to make external queries, because presumably, it is better protected than your PC.

There is usually no way around the blocked port, and even if there were, it's not my practice to subvert security policies. I'd be curious why you find the need to use a different DNS server than the one handed out via DHCP.

Ron Trunk

Posted 2014-02-26T06:35:34.380

Reputation: 491

I'm satisfied with your answer. The reason I usually go for Google's DNS is that the ISP's is actually failing very often. Is going for such DNS servers a good practice in your opinion? – diegoaguilar – 2014-02-26T07:31:29.440
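The rule Ron Trunk describes ("only the organization's DNS server may make external queries") is easy to state but worth seeing applied. The following is an added example, not code from the answer or from any real firewall: a small checker that applies that egress rule to a few constructed connection-log lines and reports which flows a firewall enforcing it would drop. The internal range, the resolver address and the log format are assumptions made up for the example.

```python
"""Added example (not from the original answer): apply the 'resolver-only DNS
egress' rule to constructed log lines and say which ones a firewall enforcing
that rule would drop.  Network layout and log format are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Assumed (hypothetical) campus layout for the example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
CAMPUS_RESOLVER = ipaddress.ip_address("10.0.0.53")   # the only host allowed to query outside
DNS_PORTS = {53}


@dataclass
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str) -> Flow:
    """Constructed log format: '<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dst_port))


def verdict(flow: Flow) -> str:
    """Return 'allow' or 'drop' for one flow under the resolver-only DNS rule."""
    if flow.dport not in DNS_PORTS:
        return "allow"          # not DNS; this rule has nothing to say about it
    if flow.dst in INTERNAL_NET:
        return "allow"          # a client asking the campus resolver itself
    if flow.src == CAMPUS_RESOLVER:
        return "allow"          # the resolver forwarding a query upstream
    return "drop"               # any other host talking DNS to the outside


def audit(lines):
    """Map every log line to its verdict."""
    return {line: verdict(parse_line(line)) for line in lines}


# Constructed sample traffic, not a real capture.
SAMPLE_LOG = [
    "UDP 10.0.5.7:51234 -> 8.8.8.8:53",          # a PC trying Google DNS directly
    "UDP 10.0.5.7:51235 -> 10.0.0.53:53",        # the same PC using the campus resolver
    "UDP 10.0.0.53:40001 -> 8.8.4.4:53",         # the resolver forwarding upstream
    "TCP 10.0.5.7:51236 -> 8.8.8.8:53",          # TCP fallback for large answers, also DNS
    "TCP 10.0.5.7:51237 -> 203.0.113.10:443",    # ordinary HTTPS, untouched by this rule
]

if __name__ == "__main__":
    for line, v in audit(SAMPLE_LOG).items():
        print(f"{v:5}  {line}")
```

Note that the rule keys on the destination port, not on the protocol, so the TCP fallback a resolver uses for large answers is blocked just like the UDP query; a firewall that only filtered UDP/53 would leave that path open.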

3

Probably your campus network is filtering that DNS server. Or, most probably, it is filtering any DNS except their own. You can check this, for example, by using a tool to directly query a DNS server (for example "nslookup - 8.8.8.8") and trying various DNS servers to see if it applies to them all.

The reason behind this is control: by passing through their DNS they can filter out some name resolutions (i.e. many countries use DNS filtering for some P2P sites such as TPB or YouTube and don't resolve them, or resolve them to some IP they feel like) and of course logging (all the queries can be very easily logged to see what each PC in the campus network is trying to browse). Big brother in action!

If one wants to be less negative, you can also see this as a bandwidth optimization: if their DNS is efficiently doing caching, using it may prevent many requests going outside the network.

If the DNS queries (i.e. packets to TCP/UDP port 53 and so on) are filtered in your network then there is nothing (easy) you can do about it really.

fede.evol

Posted 2014-02-26T06:35:34.380

Reputation: 1 718

This answer is a good one, and the topic of DNS Interception is becoming increasingly important. There are several methods of doing this that are more complicated in practice, but this answer is solid because it is correct in terms of answering the question the OP asked in the context he asked it, and while there are other means, DNS filtering appears to be what's going on here, as interception would simply re-route the traffic. – George Spiceland – 2014-02-26T07:07:03.587
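The check fede.evol suggests ("nslookup - 8.8.8.8") can be done from a script as well, which is handy when you want to confirm that a port-53 filter is actually being enforced on every subnet rather than on one desktop. The block below is an added example, not code from the answer or from nslookup: it builds one A query by hand, sends it to the resolver you name, and distinguishes "answered" from "silent timeout", which is what a dropped UDP/53 packet looks like from the client. It uses only the Python standard library; the wire-format helpers are exercised on a constructed reply (the address 203.0.113.10 and the transaction ID are made up) so the parsing can be checked offline.

```python
"""Added example (not part of fede.evol's answer): a minimal DNS A-record probe
in plain Python, used to confirm whether a resolver answers from inside a
network.  The reply used for the offline check is constructed, not captured."""
import socket
import struct

TXID = 0x1234   # fixed transaction id for the example; a real client randomises it


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard 12-byte header (RD set) plus one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Step past a (possibly compressed) name and return the offset after it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes):
    """Return (txid, rcode, [IPv4 strings from A records]) for a raw DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return txid, rcode, addrs


def probe_resolver(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query straight to `server`; a silent timeout is what a port-53 filter looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            txid, rcode, addrs = parse_response(s.recv(512))
        except socket.timeout:
            return f"{server}: no reply within {timeout}s (filtered or unreachable)"
    if txid != TXID:
        return f"{server}: reply with unexpected transaction id, ignored"
    return f"{server}: rcode={rcode} answers={addrs}"


# Constructed reply: NOERROR, the question echoed, one A record via a name pointer.
CONSTRUCTED_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    print("offline check:", parse_response(CONSTRUCTED_REPLY))
    for resolver in ("8.8.8.8", "8.8.4.4"):      # the servers from the question
        print(probe_resolver(resolver))
```

Run it once from a host on the campus network and once from home: if the campus run times out for every external resolver while the home run answers, the network is dropping port 53 to the outside rather than just one server misbehaving.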

3

Most organizations don't want DNS traffic leaving the boundary or area of control so they can enforce policy on people within their organization. Local DNS servers have the capability to block certain domains or site classifications.

If so, how could I trick it?

In my organization, the most common trick people use to get around security policy is DNSCrypt, which uses HTTPS for DNS requests, making inspection nearly impossible. I use this technique at home as well, so my ISP can't block any sites I go to.

Evading corporate policy probably isn't ethical, so I would highly advise against it.

Ryan Foley

Posted 2014-02-26T06:35:34.380

Reputation: 403