Automatic DNS Swapping in Linux

DNS filtering is a basic method of censorship and access control, in which an internet user's web browsing is filtered according to a blacklist held by the internet service provider. DNS filtering causes censored websites to seemingly disappear - the user can't load affected sites because the site's IP address information is blocked. DNS poisoning is the deliberate rerouting of a person's browsing, via DNS, to enable surveillance, misinformation, or outright hacking of the user's computer on a fake website. These risks can be eliminated by using trustworthy DNS servers. Even when using a VPN to encrypt a connection, the DNS queries can be monitored if they leave the tunnel - so it is always important to use DNS servers that are unfiltered and free of tampering by criminals or unfriendly governments.

There are other reasons one may prefer to use DNS servers other than the ones provided by the local internet service provider. Google DNS and OpenDNS both offer DNS lookup services that are faster and more trustworthy than what is standard with most internet service providers. Also refer to our DNS server list for more options in replacing your untrustworthy ISP or government operated DNS servers. With regard to VPN usage, a good system configuration would use secure DNS servers while the encrypted tunnel is in use, then switch back to a high quality non-encrypted DNS server when the VPN session terminates. Then the user enjoys faster browsing and security, dynamically tailored to his or her needs.

On a Linux system, DNS servers are specified in the file /etc/resolv.conf. In a simple configuration, the IP addresses can be written there and the system will use them, as seen in the example below:

# OpenDNS and Google DNS servers
# If you have better ones feel free to use them!!
nameserver 208.67.222.222
nameserver 8.8.8.8

Google DNS was blocked by censors in China, starting in June 2014, for political reasons. Turkey banned Google DNS during unrest in late 2013. To thwart such blockages and keep a fast DNS service, OpenNIC is a good alternative, with servers all over the world. Computer systems in Asia would run well using these servers (located in Japan and Singapore):

# OpenNIC servers
# If you have better ones feel free to use them!!
nameserver 106.186.17.181
nameserver 128.199.248.105

In a more complex networking configuration, /etc/resolv.conf will be written to by other applications. It is common for the system's DHCP client to write in the DNS servers it received from the network, and its behaviour is controlled by one line in the file /etc/dhclient.conf. Then the proper way to set the DNS servers is to edit /etc/dhclient.conf and add the following lines, which make the client ignore the DHCP-supplied servers in favour of yours:

#Specify Google DNS servers as default configuration:
supersede domain-name-servers 8.8.8.8, 8.8.4.4;

Or, for OpenNIC DNS:

#Specify OpenNIC DNS servers as default configuration:
supersede domain-name-servers 106.186.17.181,128.199.248.105;

Customizing DNS settings when using Network Manager

Network Manager is well known as a tough-to-tame application package that can write undesirable settings to resolv.conf. Network Manager contains hard-coded instructions to overwrite the computer's DNS settings. When Network Manager makes a network connection, it will initially use the default DNS server address handed out by DHCP from your router or ISP - usually 192.168.1.1. Here is a situation in which brute force is appropriate to prevent an overwrite: setting the "immutable bit" for the file. With the immutable bit set, the file cannot be overwritten even by any of the other processes controlling networking, including those running as root:

# chattr +i /etc/resolv.conf

Editing the file will require reversing the immutable bit for /etc/resolv.conf as shown in the following command:

# chattr -i /etc/resolv.conf

On some systems, setting the immutable bit still does not prevent Network Manager from replacing /etc/resolv.conf (for example by swapping in a new file or symlink rather than writing to the existing one). The script below can be used to simply replace resolv.conf with your own customized version AFTER Network Manager has dynamically created its non-optimal version.

First, create a file called /etc/resolv.conf.custom which contains your preferred DNS server addresses:

# Google DNS servers.
# If you have better ones feel free to use them!!
nameserver 8.8.8.8
nameserver 8.8.4.4

Next, put a bash script like the one below into /etc/NetworkManager/dispatcher.d/ and make it executable. Network Manager runs every script in that directory after each network event, passing the interface name and the action (such as up or down) as arguments, so the copy happens after Network Manager has finished writing its own version.

#!/bin/bash

# Network Manager dispatcher hook: $1 is the interface, $2 is the action.
# Only act when a connection has come up; other events leave resolv.conf alone.
if [ "$2" = "up" ] || [ "$2" = "vpn-up" ]; then
    # overwrite Network Manager's auto-generated resolv.conf file
    cp -f /etc/resolv.conf.custom /etc/resolv.conf
fi

Swapping DNS Servers - Systems With VPNC / KVPNC

Described below is a method of swapping DNS servers in Linux, using the popular VPNC graphical user interface. For the KDE desktop, the GUI is called "KVPNC" and has the same functions. This method assumes the user has OpenVPN installed, and uses one of the many OpenVPN-compatible VPN services (Witopia, Ultravpn, etc). Two lists of DNS servers will be used, one for open web surfing and the other for encrypted VPN sessions. VPNC is an excellent GUI because it has the ability to carry out pre- and post-connection commands. Otherwise, the swapping would have to be executed using scripts. Scripting this operation is not difficult, but it is beyond the scope of this article.

Note: This swapping method assumes the DNS servers actually used by your Linux system are contained in the file "/etc/resolv.conf". If the list of live DNS nameservers is kept elsewhere, amend the instructions and write the new DNS entries there.

Here are the steps required to implement DNS swapping for Witopia VPN within VPNC / KVPNC:

  1. Using a text editor, create a file called "dnslist" with the following data (secure DNS servers):
# Witopia secure dns servers
# If you have better ones feel free to use them!!
nameserver 38.119.98.220
nameserver 203.131.247.198
  2. Place the file "dnslist" into your OpenVPN folder as /etc/openvpn/dnslist.
  3. Find the file containing your normal, in-the-clear DNS servers: /etc/resolvconf/resolv.conf.d/base.
  4. Edit the list of normal DNS servers to contain the superior Google and OpenDNS servers given below:
# OpenDNS and Google DNS servers
# If you have better ones feel free to use them!!
nameserver 208.67.222.222
nameserver 8.8.8.8
  5. Open VPNC, and in the "command execution" settings, set up the before-connection command:
cp /etc/openvpn/dnslist /etc/resolv.conf
  6. In the "command execution" settings, set up the after-disconnection command:
cp /etc/resolvconf/resolv.conf.d/base /etc/resolv.conf
  7. Close the VPNC settings menu.

DNS server swapping should occur for your VPN sessions. To verify the DNS servers are actually being swapped, check while in and out of your VPN with the following (on the command line):

$ cat /etc/resolv.conf
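The two copy commands above and the dispatcher script from the Network Manager section are the same operation triggered by different events. As an added example (not code from the original article, and not part of VPNC, KVPNC or Network Manager), the script below does both jobs from one file: Network Manager can run it from its dispatcher directory, where it receives the interface and the action as its two arguments, and VPNC can run it as the before-connection command with the word "vpn-up" and as the after-disconnection command with "vpn-down". It also validates a list before installing it, writes resolv.conf atomically, and provides the check behind the `cat /etc/resolv.conf` step as a function. The file paths, the event names and the use of rename-into-place are this example's assumptions; override the paths in the environment to suit your system.

```shell
#!/bin/bash
# dns-swap.sh: one script for both jobs in this article. Network Manager runs
# it from its dispatcher directory as "dns-swap.sh <interface> <action>";
# VPNC runs it as "dns-swap.sh vpn-up" before connecting and
# "dns-swap.sh vpn-down" after disconnecting. The paths, event names and
# list files below are this example's assumptions, overridable by environment.
set -u

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
CLEAR_LIST="${CLEAR_LIST:-/etc/resolvconf/resolv.conf.d/base}"  # in-the-clear servers
VPN_LIST="${VPN_LIST:-/etc/openvpn/dnslist}"                     # servers used inside the tunnel

# Map an event to the list that should be active afterwards. Prints nothing and
# returns 1 for events that must not touch resolv.conf (pre-down, hostname, ...).
profile_for_action() {
    case "$1" in
        vpn-up)      echo "$VPN_LIST" ;;
        up|vpn-down) echo "$CLEAR_LIST" ;;
        *)           return 1 ;;
    esac
}

# A list is acceptable only if every non-comment line is "nameserver <IPv4>";
# resolv.conf silently ignores lines it cannot parse, so a typo would leave
# the system with no resolver rather than a bad one.
validate_list() {
    local file="$1" line=""
    [ -s "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        printf '%s\n' "$line" |
            grep -Eq '^nameserver[[:space:]]+([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' || return 1
    done < "$file"
}

# Install a validated list as resolv.conf by writing a temp file next to it
# and renaming, so no reader ever sees a half-written file. A rename replaces
# a symlinked resolv.conf with a plain file, which is what we want when some
# other tool's symlink is the thing pulling in unwanted servers.
install_list() {
    local src="$1" dst="$2" tmp=""
    validate_list "$src" || { echo "refusing to install $src: bad syntax" >&2; return 1; }
    tmp="$(mktemp "${dst}.XXXXXX")" || return 1
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# The servers currently active, one per line: the "cat /etc/resolv.conf" check.
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-$RESOLV_CONF}"
}

# Swap for one event; succeeds only if resolv.conf now equals the chosen list.
swap_for_event() {
    local action="$1" list=""
    list="$(profile_for_action "$action")" || return 0   # event is none of our business
    install_list "$list" "$RESOLV_CONF" || return 1
    cmp -s "$list" "$RESOLV_CONF"
}

# Network Manager passes two arguments, VPNC passes one: act on the last one.
last=""
for a; do last="$a"; done
case "$last" in
    '') ;;  # run with no arguments: define the functions only
    *)  swap_for_event "$last" ;;
esac
```

Installed as /etc/NetworkManager/dispatcher.d/dns-swap.sh (executable, owned by root) it restores your clear list after every "up"; entered in VPNC's command fields as `dns-swap.sh vpn-up` and `dns-swap.sh vpn-down` it performs the swap described in the steps above. Running `active_nameservers` from a shell that has sourced the script shows the same thing as `cat /etc/resolv.conf`, minus the comments.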

How About Rotating Among Dozens of DNS Nameservers? Sure!

For a much more sophisticated means of switching DNS servers, consider using the script below, which will randomly pick two nameservers from a list and write them to /etc/resolv.conf or /etc/resolvconf/resolv.conf.d/base, as appropriate for your particular networking setup. This technique requires the script to run at least once in a computing session, but may be run at regular intervals via a cron job. An easy way to use this script is to place it in /etc/network/if-up.d/ so that it runs automatically when bringing up a network interface. If Network Manager is installed on the computer, the script can be run automatically if placed in the directory /etc/NetworkManager/dispatcher.d/. Want to switch more often? Set up a cron job to run the script every 15 minutes...

#!/bin/bash
# script "randomdns"  -- run at least once per computing
# session or when bringing up network interfaces

# randomly select two distinct dns servers from the list and write them
# to /etc/resolv.conf (shuf -n 2 cannot pick the same line twice, which
# two separate "shuf | head -n 1" calls could)
shuf -n 2 /etc/dnslist > /etc/resolv.conf

# for a resolvconf-based setup, comment out the line above and uncomment
# this one to write to /etc/resolvconf/resolv.conf.d/base instead
#shuf -n 2 /etc/dnslist > /etc/resolvconf/resolv.conf.d/base

The randomdns script requires the list of nameservers to be in the same syntax as found in resolv.conf, and the list can be placed anywhere. For simplicity, the example shows the list saved as /etc/dnslist. Considering the number of open and well maintained DNS servers in the world, it is possible to dynamically switch between dozens of the best ones and avoid any sort of censorship, surveillance, or other hostile activity. It is prudent to periodically review which DNS servers are on the list and prune out any that are not working or found to be not trustworthy. There are plenty of good public DNS servers available, so the list can be made quite long. Here is a small sample DNS list - and note that there must be no comments or blank lines in the file, because a comment or blank line chosen by shuf would leave you with fewer live resolvers than you think - it contains ONLY DNS SERVERS IN PROPER SYNTAX:

nameserver 216.93.191.228
nameserver 38.119.98.220
nameserver 203.131.247.198
nameserver 91.216.105.75
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 69.164.208.50
nameserver 69.164.211.225
nameserver 206.124.64.1
nameserver 66.93.87.2
nameserver 64.81.111.2
nameserver 204.97.212.10
nameserver 204.117.214.10
nameserver 216.231.41.2
nameserver 156.154.71.1
nameserver 156.154.70.1
nameserver 66.93.87.2
nameserver 216.231.41.2
nameserver 178.63.26.173
nameserver 217.79.186.148
nameserver 64.102.255.44
nameserver 128.107.241.185
nameserver 27.110.120.30
nameserver 88.198.249.114
nameserver 217.6.34.47
nameserver 89.16.173.11
nameserver 66.90.81.200
nameserver 192.121.86.100
nameserver 198.153.192.1
nameserver 198.153.194.1
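The one-line randomdns script trusts its list completely: a comment, a blank line or a mistyped address in /etc/dnslist is picked as readily as a real server, and nothing tells you later that Network Manager has overwritten the result. As an added example (not the article's randomdns and not part of any project), the script below keeps the same rotation idea but enforces the "only nameserver lines" rule before picking, picks distinct servers in one shuf call, writes the target atomically so the old file survives a failed run, and offers a check that everything currently active came from the list. DNSLIST, TARGET, COUNT and the trigger words are this example's assumptions; the list format is exactly the sample list above.

```shell
#!/bin/bash
# randomdns-checked: the article's rotation idea with the checks a cautious
# operator wants. DNSLIST, TARGET, COUNT and the trigger words are this
# example's assumptions; override them in the environment.
set -u
DNSLIST="${DNSLIST:-/etc/dnslist}"
TARGET="${TARGET:-/etc/resolv.conf}"   # or /etc/resolvconf/resolv.conf.d/base
COUNT="${COUNT:-2}"

# Enforce the article's rule: the list holds ONLY "nameserver <IPv4>" lines,
# no comments, no blank lines. Prints the list and returns 1 on any bad line.
checked_list() {
    awk '
        $1 == "nameserver" && NF == 2 && split($2, o, ".") == 4 &&
        o[1] ~ /^[0-9]+$/ && o[2] ~ /^[0-9]+$/ && o[3] ~ /^[0-9]+$/ && o[4] ~ /^[0-9]+$/ &&
        o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255 { print; next }
        { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Pick N distinct servers. Two separate "shuf | head -n 1" calls can pick the
# same server twice, and the sample list itself repeats some entries, so
# dedupe and then let a single shuf -n choose.
pick_servers() {
    checked_list "$1" > /dev/null || return 1
    sort -u "$1" | shuf -n "$2"
}

# Write the selection atomically; refuse (leaving the old file intact) if the
# list fails validation or cannot supply N distinct servers.
rotate_dns() {
    local list="$1" target="$2" n="$3" tmp="" got=""
    tmp="$(mktemp "${target}.XXXXXX")" || return 1
    if ! pick_servers "$list" "$n" > "$tmp"; then rm -f "$tmp"; return 1; fi
    got="$(wc -l < "$tmp" | tr -d ' ')"
    if [ "$got" -lt "$n" ]; then rm -f "$tmp"; return 1; fi
    chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# Check that every active line came from the list. A "# Generated by
# NetworkManager" header or a DHCP-supplied server fails this, which is how
# you notice the file was overwritten since the last rotation.
active_from_list() {
    awk '
        FILENAME == ARGV[1] { ok[$0] = 1; next }
        { seen++; if (!($0 in ok)) bad = 1 }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    ' "$1" "$2"
}

# Trigger: "randomdns-checked rotate" from cron, or the action word Network
# Manager passes as the last argument when a connection comes up. With no
# argument the script only defines its functions.
last=""
for a; do last="$a"; done
case "$last" in
    rotate|up|vpn-down) rotate_dns "$DNSLIST" "$TARGET" "$COUNT" ;;
esac
```

A cron line such as `*/15 * * * * /usr/local/sbin/randomdns-checked rotate` gives the every-15-minutes rotation mentioned above, and `active_from_list /etc/dnslist /etc/resolv.conf` in a monitoring script turns a silent overwrite into a non-zero exit you can alert on. The validation deliberately rejects comments and blank lines rather than skipping them, matching the stated rule for this file.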

Encrypting DNS Traffic

Switching between DNS servers is one way to get free of the restrictions imposed by an internet service provider. Beating the access controls and surveillance of sophisticated adversaries requires fully encrypting the DNS traffic, since plain DNS queries can still be read and altered in transit no matter which resolver answers them. A bleeding edge application called DNSCrypt uses strong encryption to thwart attempts to read or tamper with this essential component of internet access. See this excellent tutorial for installing and using DNSCrypt.

Everyone should be able to communicate on the internet with speed, freedom of access, and without fear of physical or other harm. The technique of DNS server swapping given above enhances security and provides flexibility in accomplishing domain name look-ups. Combined with a trusted VPN service, secure communication on the internet is possible despite any sorts of restrictions imposed by authoritarian governments, corporations, clans, or committees.

©2005 - 2014 AB9IL, All Rights Reserved.