My ISP found a way to workaround 1.1.1.1 and enforce their own DNS

Hello, this has been a thing for a year: no matter if I set 1.1.1.1 on a computer or as the default DNS address, my traffic still goes over the ISP DNS address, and I can’t reach blocked websites or use 1.1.1.1 at all. Something interesting to add is that if I use the Android 1.1.1.1 app on my phone, it just works fine and connects to 1.1.1.1 properly on the same ISP network.

I don’t know how they managed to achieve this, but is there anything I can do? Thank you.

Sometimes it says Connected to 1.1.1.1: Yes and other times not.

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJJU1QiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

as the default DNS address in the router settings.

It’s not that hard to “work around” 1.1.1.1. ISPs can block or intercept any IP address traffic. Most of the time, they totally bungle it up so it’s unusable because they think 1.1.1.1 is some sort of test address.

Have you tried 1.0.0.1?

Hello and thank you for the reply. I use both 1.1.1.1 and 1.0.0.1 in the router and swap them in the list. There is a button there that I think is for ignoring the ISP DNS, but ticking it on/off does nothing.

With 1.0.0.1 as primary, traffic is still going over the ISP-assigned DNS on hop 5 (reddit), like in the tracert picture. There were some regulations in the country last year; before that this company was pretty new and was actually using 1.1.1.1 as their DNS resolver, and it was super responsive (good times!), but later they probably figured out they are bound by laws and, since it’s not their own creation, stopped using it. Now they are using the biggest provider’s DNS as theirs, routing traffic there.

Is there a way I can do something about this, or do I have to accept it? (sad)

There is a very big difference between the plain old DNS, and encrypted DNS as used in the 1.1.1.1 app.

Anybody who controls the underlying network can intercept unencrypted DNS, and redirect the requests to a DNS server they control. Unencrypted DNS is what you are normally configuring on your router or device. If they have done their job correctly, your ISP will be intercepting all unencrypted DNS traffic, so changing from 1.1.1.1 to something else might make no difference.

You can configure your OS to use Encrypted DNS. (Depending on what you are running this may be easy, or not). Some documentation is available here:

https://developers.cloudflare.com/1.1.1.1/encrypted-dns

3 Likes
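The post above draws the line between plain DNS on UDP port 53, which anyone on the path can intercept and answer, and encrypted DNS such as DoH, which the network cannot rewrite. The script below is an added example, not code from the original thread or from Cloudflare; it builds a wire-format DNS query, parses the response, and offers a check that sends the same question once over plain UDP and once over DoH and reports whether the A records agree. The DoH endpoint `https://cloudflare-dns.com/dns-query`, the sample name `example.com` and the embedded response packet (answer `192.0.2.1`, a TEST-NET address) are assumptions or constructed data so that the parsing logic runs offline; only the `__main__` block touches the network.

```python
"""Added example: build and parse DNS messages, then compare a plain-UDP
answer with a DoH answer for the same name. The constructed sample packet
at the bottom lets the parser run without any network access."""
import socket
import struct
import urllib.request

# Assumed DoH endpoint (RFC 8484 POST with application/dns-message bodies).
DOH_URL = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1, txid=0x1234):
    """Return a wire-format DNS query with RD set; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections; A records become dotted quads."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):            # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def answers_agree(plain, doh):
    """True when both answers carry the same rcode and the same set of A records."""
    a = {v for _, t, _, v in plain["answers"] if t == 1}
    b = {v for _, t, _, v in doh["answers"] if t == 1}
    return plain["rcode"] == doh["rcode"] and a == b


def query_udp(server, name, timeout=3.0):
    """Plain DNS over UDP/53: exactly the path an ISP can intercept."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))


def query_doh(name, timeout=5.0):
    """Same question over HTTPS; the network sees only TLS to the resolver."""
    req = urllib.request.Request(
        DOH_URL, data=build_query(name),
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return parse_response(r.read())


# Constructed sample (not captured traffic): a response to build_query("example.com")
# carrying one A record 192.0.2.1 with TTL 300, its name given as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    plain = query_udp("1.1.1.1", "example.com")
    doh = query_doh("example.com")
    print("plain UDP/53:", plain["answers"])
    print("DoH:         ", doh["answers"])
    print("agree:", answers_agree(plain, doh))
```

If the two answers disagree, or the plain query returns a different rcode (for instance NXDOMAIN for a name DoH resolves fine), something on the path is answering in place of 1.1.1.1; agreement does not prove the absence of interception, since an interceptor can forward honest answers, but disagreement is conclusive.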

Thank you for replying. I will surely have a look, I used to test and deploy some DNS before with WireGuard, including setting up Warp there but I don’t have excess knowledge in the field, I will try and see if it works, thank you again :slight_smile:

I don’t see the edit button for my comments, but I just wanted to say that if it’s a similar experience to setting up WireGuard, I will try to make it possible. Thank you all again. I think this encrypted DNS is the answer to how they are bypassing the user-set DNS.

Just a quick question: I have the Opera browser and it seems to have a built-in setting for DNS over HTTPS, and Cloudflare is included as an option. I think this sounds encrypted as you say and according to the documentation.

When I check 1.1.1.1/help this time it says Using DNS over HTTPS (DoH): Yes, but webpages that are blocked by the default DNS are still not accessible. I think these guys at the ISP know what they are doing somehow. However, even if this works, it won’t do any good for me because I’m looking for a general-use fast DNS, as I use the internet a lot during the day and 1.1.1.1 was just amazing at responsiveness. Also it felt secure to use Cloudflare too. I have a feeling these encrypted versions will slow down things and pings.

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiSVNUIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

I think the jury is still out, and there are some heated discussions going on in various Internet governance forums. For most purposes, you will not notice a performance difference.

If you are using DOH in your browser, it will only work in that browser. So ping etc. on the command line will still use the DNS settings from your OS.

Better I stay off of that ongoing discussion then, I didn’t know. Thank you for all your replies and I hope for a better internet environment in the years to come; every year they update regulations to limit users more and more. I mean we were all free to use whichever DNS we wanted until last year or something. Well, thanks again.

I will definitely try to find a way to set up a DNS that’s for one computer or the entire home network and see if it will do any good. But it’s not gonna be easy and I have to search a lot.

Just a note that in the Opera browser with Cloudflare DoH on, some of the blocked websites are still not loading up; I don’t know how they intercept the encrypted connection. Because when I enable Opera’s own built-in VPN, everything works flawlessly.

You can set up local DNS with a PiHole that connects to Cloudflare’s DoH:
https://docs.pi-hole.net/guides/dns/cloudflared/

Still, though, an ISP can block the IP address of any website it chooses. The only way around that would be a VPN. It might just be easier to install WARP on any devices that matter.

1 Like

I do this with my router/firewall. Luckily my ISP doesn’t block anything, but with a validated certificate it would be impossible to at least make it seem like it’s working but it gets intercepted.

A local Pi-Hole (or even just a cloudflared instance internal to the network) could be good.

2 Likes

Check your router config, DNS settings are normally in there! Set that setting to 1.1.1.1, with another CF DNS as secondary.

I’ve had this issue with my previous ISP. Changing the DNS settings at router level does not take effect. It still routes through DNS servers chosen by the ISP. I had to make pihole be the DHCP server so that pihole can be used as DNS, and cloudflare as upstream through pihole.

1 Like

Thank you everybody for your valuable replies. I would like to try out the Pi-Hole solution; honestly I’ve been thinking about it for a while to get rid of ads on all network devices, and maybe I could combine it with Cloudflare at the same time. However, I need to have the hardware first and it is not commonly sold here. I will treat this as a future project.

At the core, I just wanted to use 1.1.1.1 as my default DNS because I trust this company and it felt like a really smooth experience to browse the Internet, and I wanted that back. Setting it at router or computer level does not help at all thanks to the ISP intercepting.

A note I shall add: even if I turn on DoH in the Opera browser and have confirmed it’s connected to Cloudflare, I have a strong feeling that my ISP is still trying to drop the connection, because when I try to open up a web page I get Error_Connection_Reset or Page not Found errors. If I refresh a couple of times then the page loads up fine. After some idle time, the same thing happens for any other website.

This is my final reply so I thank you all for your concerns and valuable insight about the matter.
