How to Bypass DNS Pollution on Ubuntu 12.04 Using dnsmasq and OpenDNS

Operating system: Ubuntu 12.04 LTS. Software: dnsmasq.

DNS test shows that querying 8.8.8.8 returns IP 37.61.54.158, which is a polluted fake address for Facebook.

dig www.facebook.com @8.8.8.8 +short
37.61.54.158

Querying OpenDNS on port 443 returns the correct address 31.13.79.49.

dig www.facebook.com @208.67.222.222 -p 443
31.13.79.49

OpenDNS supports special ports (443, 5353) while Google DNS does not. Using dnsmasq we can direct queries for polluted domains to OpenDNS on a special port.

From Ubuntu 12.04 the NetworkManager enables dnsmasq by default but disables its cache for security, which may cause slower network speed. You can either disable dnsmasq completely or enable its local cache together with Google DNS.

To disable dnsmasq: sudo vim /etc/NetworkManager/NetworkManager.conf Comment out the line dns=dnsmasq and restart NetworkManager: sudo restart network-manager To install a full dnsmasq and configure it:

sudo apt-get install dnsmasq
sudo vi /etc/resolv.conf
# ensure it contains:
nameserver 127.0.0.1
sudo vi /etc/dnsmasq.conf
# add at the end:
listen-address=127.0.0.1   bind-interfaces
cache-size=100000  domain-needed
resolv-file=/etc/resolv.dnsmasq
server=/facebook.com/208.67.222.222#5353

The server=/facebook.com/208.67.222.222#5353 line forces DNS requests for facebook.com to be sent to OpenDNS on port 5353. The same syntax can be used for wildcard domains, e.g.: server=/com/208.67.222.222#5353 After editing, restart dnsmasq: sudo service dnsmasq restart Test again: dig www.facebook.com +short If the result is 31.13.79.49 or another legitimate address, the pollution has been bypassed.

Additional notes: dnsmasq’s runtime configuration is stored in /var/run/dnsmasq/resolv.conf, and its logs are in /var/log/syslog.

References: Ubuntu enabling dnsmasq cache with Google DNS; OpenWRT router unbound+dnsmasq solution for DNS pollution; issues with NetworkManager‑managed dnsmasq.