Skip Navigation

Tips for asking ISP to allow for using my own DNS setup for self-hosted VPN?

Hello, friends.

So I've had my Pi-Hole setup for awhile now and it's great. I'd like to get Wireguard working with it, too, so I could browse the internet without loads of ads and trackers on the go.

However, small issue. All DNS traffic is forcibly routed to my ISP. If you need some details, I made this post on the Pi-Hole userspace.

I'm in America and my ISP is Spectrum. I was wondering if there's a way I could convince technical support to allow me to use a recursive DNS for privacy/security (more-so the second of the two) purposes, or if it is even possible to convince them to do this. I don't know if there's a specific number I should contact, email I should email to, or if I just have to endure the nightmare of getting passed around by customer service one Saturday. Any recommendations would be great.

An interesting note for anyone who's ISP is Spectrum, their DNS service, at least for me, uses OpenDNS with dnsmasq-2.57. That version of dnsmasq is over 10 years old. You see if this is the case for you with

 undefined
    
dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

  

Or something similar if those IP addresses are different for you. You can see that running those commands were a part of the steps I was asked to take in that Pi-Hole userspace post.

EDIT 1:

For those interested, here's some Github gist I found that shows how to use unbound + stubby for have a recursive DNS + DNS-over-HTTPS. There's also this from the DNS Privacy Project.

EDIT 2:

I seems that initial answer from the Pi-Hole forums was correct. There's probably something that was set in the firmware for the Netgear router that prevents me from setting up my own DNS servers. However, I notice on the router there's a "router mode" option that's on, which I can probably turn off, plug in my Pi to the Netgear device and have the Pi act as my router, thus letting me be able to use it as my DNS server as well. That or just suck it up and buy only a modem, not a router + modem combo.

53 comments
  • I've never heard of spectrum doing this. I think it's an issue with your router. The steps you mentioned sound right, but I'm not seeing what you're seeing. I usually try to look at the advanced mode, which might have more info.

    You could contact Netgear tech support, or consult their manual. Have you made sure you're on the latest firmware?

  • Oh, your ISP is very shitty, just like mine! Mine even do deep packet inspection! My solution is by using several upstream DNS servers that listen on alternate ports (so the requests are not intercepted by my ISP), and using TLS and QUIC (can't intercept it because it's encrypted). Can't use DoH though because my ISP somehow can make it timeouts most of the time.

    My Adguard upstream DNS settings (Adguard is configured to try all of them at once and use the one that respond first):

    tls://1.1.1.1

    tls://1.0.0.1

    tls://8.8.8.8

    tls://8.8.4.4

    tcp://9.9.9.9:9953

    udp://9.9.9.9:9953

    quic://unfiltered.adguard-dns.com

  • Can you force all DNS via TRR (aka DNS-over-HTTPS)?

    I don't know what Pi-Hole is capable of but that's possible on open source routers like OpenWrt.

  • You would have to implement DNS over TLS. To do this, it's probably easiest to use Unbound and a service like Cloudflare or OpenDNS upstream. Spectrum probably hopes to harvest your DNS traffic and monetize it or maybe they're doing some preemptive sanitizing of your requests to prevent you from going to a bad site. Regardless, I am anti DNS highjacking. It's wrong on many points.

53 comments