(ITU-POLE Project/Flickr)

Is your ISP hijacking your DNS traffic?

Babak Farrokhi
Apr 12, 2016 · 2 min read

The answer to above question used to be difficult. You had to be an expert to find out the answer. In fact, most people don’t even care.

Playing with dnstraceroute tool (see on GitHub), I noticed it is a common practice for service providers to hijack and redirect DNS traffic to their local DNS servers. So If you thought you are using Google’s Public DNS Server or Verisign’s, you may want to think twice.

Following is a couple of examples, going through my favorite VPN Tunnel service provider:

% ./dnstraceroute.py -q -s 8.8.8.8 yahoo.com
1 google-public-dns-a.google.com (8.8.8.8) 159 ms
% ./dnstraceroute.py -q -s 4.2.2.1 yahoo.com
1 a.resolvers.level3.net (4.2.2.1) 127 ms

I am obviously not one-hop away from all DNS servers in the world.

So I thought maybe they have a list of well-known public DNS servers and doing a routing trick based on destination IP addresses.

Then I tried tracing to various random IP addresses (not DNS servers), but the results were the same, which is really interesting. The next idea was that they are basically redirecting all UDP/53 traffic. So I changed the port number to test this hypothesis:

% ./dnstraceroute.py -q -p 55 -s 4.2.2.1 yahoo.com
1 a.resolvers.level3.net (4.2.2.1) 133 ms

Wow! The trick is even more sophisticated than a simple IP address or port based policy. In fact, every DNS request, aside from the destination IP address or port number is redirected. So there should be a Layer 7 inspection or DPI in place, which is a clever (and scary) idea.

This is perhaps done to filter out suspicious DNS requests.

You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons. But if they are inspecting my DNS traffic up to layer 7, they can also see everything else, unless it is encrypted.

If you are really concerned about your DNS traffic being intercepted (you should be) or want to decouple your DNS traffic from Web traffic, I highly recommend using DNSCrypt with your trusted DNS resolver.

That is perhaps a simple Unbound DNS resolver which you installed and secured on a virtual server somewhere over the internet. Public DNSCrypt servers? That’s another mistake you better not make. If you insist on using a public DNS server, you may want to use DNSDiag tools to see how much you can trust your ISP.

Decentralize.Today

Your Daily Dose of Decentralization

Decentralize.Today

Your Daily Dose of Decentralization

Babak Farrokhi

Written by

Senior Site Reliability Engineer — Notes on UNIX, Networking, Scalability and Security

Decentralize.Today

Your Daily Dose of Decentralization