RSAWEB blocking filtered DNS

quaking724

It seems RSAWEB is blocking the use of any kind of filtered DNS
resolver across their network.

I've done a search for this and didn't find anything. I thought this
might be one of the better places to raise this.

This stumped me for a bit and I went down a rabbit hole with some
comparative testing across providers. Many resolvers don't function
at all, while RSAWEB routes any that might another layer, in which
performance suffers - they certainly aren't allowing any local exits
from the same providers with that.

Does anyone know more about this or experienced the same on RSAWEB or
elsewhere?

It's enough to have me switch.
 
Would be good to understand the testing process and also to see which ones DID work
 
I've been hesitant to provide too much detail. I don't want to be
tracked at that level on this. I'm not too sure it's ISP wide.

Basically, I was trying to configure network wide DNS filtering which
has consistently failed on their network.

For a simple test try:
Code:
nslookup mybroadband.co.za 94.140.14.14

That is to one of AdGuard's plain, filtered public DNS resolvers, one
of the more popular providers in the space. It's inaccessible on
RSAWEB. DNSSEC results are odd too.
 
What does your result say, if anything?
I utilize AdGuard paid services at home and previously used NextDNS and Control-D.
My lookups are via DoH (DNS over HTTPS) and at the very least DoT (DNS over TLS) on port 853 if memory serves.
I hardly use 53 - it is blocked and redirected on my local firewalls indiscriminately.
 
My result with the above is '...no servers could be reached'.

I don't use port 53 either, that's just the most basic test.

DNSSEC works for me, but local exits on those providers are blocked,
I'm rerouted and my response times go awry, upwards of 500ms as a
result.

This doesn't happen when I'm not on RSAWEB.

Are you on RSAWEB? Are your DNS responses local?

<https://dnscheck.tools>
 
What hardware is between you and the Internet?
I know RSAWEB provides this little stupid Mikrotik to their clients.
To answer you on if I am on RSAWEB currently, no - not as my primary connection.
But I have set up filtered DNS, both encrypted as well as plain port 53 with no issue for friends on RSAWEB.
You should test the behavior of doing an nslookup to 1.1.1.1 and even 1.1.1.2 and 1.1.1.3 for that matter as it's Cloudflare filtered DNS.
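
The port 53 checks suggested in the posts above, run against the resolvers named in the thread over both UDP and TCP, with a status and response time for each. This is an added example, not code posted by anyone in the thread; the function names, the fixed query ID and the 3-second timeout are assumptions of the example.

```python
import socket, struct, time

TXID = 0x1234  # fixed query ID (assumption; fine for a one-off diagnostic)

def build_query(name, qtype=1):
    """Encode a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(reply):
    """Summarise a raw DNS reply from its header fields."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != TXID or not flags & 0x8000:   # wrong ID, or QR bit not set
        return "mismatch"
    rcode = flags & 0x000F
    if rcode:
        return {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(rcode, "rcode%d" % rcode)
    return "answer" if ancount else "empty"

def probe(server, name, tcp=False, timeout=3.0):
    """Return (status, elapsed_ms) for one A query to server on port 53."""
    query, start = build_query(name), time.monotonic()
    try:
        if tcp:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s, \
                    s.makefile("rb") as f:
                s.sendall(struct.pack("!H", len(query)) + query)
                size = f.read(2)
                status = (classify(f.read(struct.unpack("!H", size)[0]))
                          if len(size) == 2 else "closed")
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.connect((server, 53))     # accept replies from this server only
                s.send(query)
                status = classify(s.recv(4096))
    except socket.timeout:
        status = "timeout"
    except OSError as exc:                  # refused, unreachable, reset
        status = type(exc).__name__
    return status, round((time.monotonic() - start) * 1000)

if __name__ == "__main__":  # live run against the resolvers named in the thread
    for srv in ("94.140.14.14", "1.1.1.1", "1.1.1.2", "1.1.1.3"):
        for tcp in (False, True):
            print(srv, "tcp" if tcp else "udp", *probe(srv, "mybroadband.co.za", tcp))
```

Running it on two networks and comparing the rows shows which resolvers time out on one transport or both, and which answer but with much higher response times.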
 
There's a standard router on the line, which works totally fine with
other ISPs.

It's a mix on Cloudflare:
1.1.1.1 is blocked.

The secondary works and their security resolvers work.

I am trying for a bit more filtering than that, which is why AdGuard
is a good base.

Again, where this does work on RSAWEB, they seem to be blocking any
local resolvers on that.
Traffic is then rerouted to another hemisphere and DNS response times
suffer.

Ordinarily, one wouldn't even notice this, it's weird how latent the
internet is here if you're familiar with what that's like being
closer to hosts that are usually in other countries. DNS is just one
part of that.

That's why I was checking if you're sure your DNS responses are
local. You can see this on <https://dnscheck.tools>.
<https://ipleak.net> will also provide geographical information, both
in your browser.

Do those show local DNS server addresses for you, on your primary
connection and then on RSAWEB?
 
I get local anycast servers, yes, based in JHB.
I am situated in CT.
Have you tried DoH and DoT?
 
DNSSEC works, seemingly. AdGuard is a tiny bit slow in general
though. I try others and then it gets strange.

I also get a privacy warning on my phone with this, "This network is
blocking encrypted DNS traffic."

I doubt it's specifically the account I'm on, it's been like this
from the moment I connected without any prior usage on RSAWEB and
with no history on there at all.

I feel like I'm in crazy town with all this, it's not at all
consistent where I would doubt my clients and certainly not all of
them, all at once under these same entirely reproducible conditions.
 
Are you using an iPhone...
 
Yes, mostly. I get the warning regardless of iCloud Private Relay
though and again, this issue is across devices, mobile, desktop
and other.

I contacted the resolver in the interim, I passed them all the stats
and output they wanted, they didn't want to allocate any fault just
yet RE: the ISP, they said I'm on the right track with that though.

If you have the time and effort move your Adguard to a VPS.

It's actually not AdGuard I'm trying this for in particular,
interestingly, Cloudflare primary and AdGuard plain are blocked
outright though (any comment on this?).

The resolver I want to use is rerouted instead of using the local
exits, while still functional, the performance is terrible on RSAWEB,
while this works exactly as intended on other networks.
 
I have often seen local ISPs mess with 53 in a futile attempt at DDoS mitigation. I suspect this would be the case here, or some config that was applied and never removed. Ask RSAWEB for an IP in another range.
 
This is somewhat working again, the routing is still off on some
others. Cloudflare and AdGuard (slow though) are now up.
 