undefined | Better HN

0 pointsgwu7812y ago0 comments

All that means is that you're using their recursive DNS servers. They can configure these any way they choose. Stop using third party recursive DNS servers and you will not have problems with unwanted advertising and NXDOMAIN hijacking.

Run your own recurive DNS server (e.g. dnscache) on 127.0.0.1.

Alternatively, query authoritative servers directly. Use a port other than 53 if you really think your ISP is trying to filter your outgoing queries; I sincerely doubt they would bother.

192.5.6.30 is an authoritative .com server. Memorize that number.

dig +norecurse -b0.0.0.0#5353 news.ycombinator.com @192.5.6.30

The names on the right of the "NS" rows are the authoritative servers for ycombinator.com. (Cloudflare. No comment.)

192.5.6.30 has the IP addresses for those. You'll find them in the "ADDITIONAL SECTION". Let's say it lists 1.2.3.4 as an IP address.

dig +norecurse -b0.0.0.0#5353 news.ycombinator.com @1.2.3.4

And you should receive the IP address for news.ycombinator.com, or at least your next clue where to look (if the DNS admin has chosen to play games with CNAME).

This method can be automated.

Your ISP is not "intercept[ing] all DNS requests". You are sending your requests to your ISP's recursive DNS servers (why?), and those servers are feeding you whatever information the ISP chooses. Go figure, they are sending you bogus info to inject advertising. Solution: Stop sending your requests to your ISP's recursive DNS servers (or any third party recursive DNS servers). Send your requests to your own recursive DNS server running on 127.0.0.1, or send nonrecursive requests to authoritative DNS servers only.

0 comments

4 comments · 1 top-level

ars_technician12y ago· 3 in thread

Did you even read his comment?

"dig @www.facebook.com news.ycombinator.com" does not use the ISP's DNS servers at all. It sends a DNS query to Facebook for Google, which should normally fail. His ISP hijacks the request and provides a response. In this scenario, the advice in your comment is pointless because they will hijack requests whether they are directly to authoritative servers or if they are to recursive servers.

gwu78OP12y ago

Yes, I read his comment.

""dig @www.facebook.com news.ycombinator.com" does not use the ISP's DNS servers at all"

Incorrect. The program he's using, dig, has to look up the numbers for facebook.com's authoritative servers first. And what DNS servers do you think it uses to do that? The defaults he has set: his ISP's.

"It sends a DNS query to Facebook for Google."

Incorrect again.

The "advice" I provided is not pointless. I would not provide pointless suggestions.

3 more replies

gwu78OP12y ago

"What aren't you getting?"

I am glad you asked. I am not getting what it is you are trying to say. I also do not get why you keep mentioning Google.

"The query for Facebooks server may use the ISPs DNS server, but that's not the problem."

Why is that not the problem?

If you query the ISP's DNS servers, then the ISP can send you bogus answers. By giving you bogus answer they can redirect your HTTP requests, which enables them to insert ads, among other things. I presume you would want to avoid this. I gave examples how you could do that. One way is to run your own recursive DNS server on 127.0.0.1. Another is to only query the proper authoritative servers.

Shaw uses a "DNS Redirect service". Customers can opt out.

https://community.shaw.ca/docs/DOC-1218

Even if a customer does not disable this "service", I believe Shaw will not interfere with packets sent to remote DNS servers other than Shaw's.

In any event, the reason I commented on this was because (unless the customer has changed his defaults)

dig @www.facebook.com news.ycombinator.com

sends queries to Shaw's DNS servers. So stop doing this.

Unless the customer opts out, these queries are going to get redirected.

If you wanted to test your theory (that Shaw is redirecting every DNS packet sent by evey customer, even ones not using Shaw's DNS servers), then the above invocation of dig will not test this. It sends queries to the Shaw DNS servers. Stop doing that.

Why does it send queries to Shaw's DNS servers? From the dig(1) manpage:

"SIMPLE USAGE A typical invocation of dig looks like:

            dig @server name type

       where:

       server
           is the name or IP address of the name server to query. This can be
           an IPv4 address in dotted-decimal notation or an IPv6 address in
           colon-delimited notation. When the supplied server argument is a
           hostname, dig resolves that name before querying that name server.
           If no server argument is provided, dig consults /etc/resolv.conf
           and queries the name servers listed there. The reply from the name
           server that responds is displayed.

If for some reason you wanted to send a query for news.ycombinator.com to the IP address for www.facebook.com (without using any recursive DNS servers like Shaw's which could give you bogus answers), then

dig +norecurse @31.13.75.17 news.ycombinator.com

would be the appropriate way to do it, assuming you choose to use dig.

aendruk12y ago

Thanks for the explanation. Would you interpret these results as supporting evidence of my claim?

  $ dig +short chaos txt version.bind @31.13.75.17     
  "PowerDNS Recursor 3.5.3 $Id$"

This happens despite having opted out via the form you mentioned.

1 more reply

j / k navigate · click thread line to collapse

0 comments

4 comments · 1 top-level

ars_technician12y ago· 3 in thread

Did you even read his comment?

gwu78OP12y ago

Yes, I read his comment.

""dig @www.facebook.com news.ycombinator.com" does not use the ISP's DNS servers at all"

"It sends a DNS query to Facebook for Google."

Incorrect again.

The "advice" I provided is not pointless. I would not provide pointless suggestions.

3 more replies

gwu78OP12y ago

"What aren't you getting?"

I am glad you asked. I am not getting what it is you are trying to say. I also do not get why you keep mentioning Google.

"The query for Facebooks server may use the ISPs DNS server, but that's not the problem."

Why is that not the problem?

Shaw uses a "DNS Redirect service". Customers can opt out.

https://community.shaw.ca/docs/DOC-1218

Even if a customer does not disable this "service", I believe Shaw will not interfere with packets sent to remote DNS servers other than Shaw's.

In any event, the reason I commented on this was because (unless the customer has changed his defaults)

dig @www.facebook.com news.ycombinator.com

sends queries to Shaw's DNS servers. So stop doing this.

Unless the customer opts out, these queries are going to get redirected.

Why does it send queries to Shaw's DNS servers? From the dig(1) manpage:

"SIMPLE USAGE A typical invocation of dig looks like:

            dig @server name type

       where:

       server
           is the name or IP address of the name server to query. This can be
           an IPv4 address in dotted-decimal notation or an IPv6 address in
           colon-delimited notation. When the supplied server argument is a
           hostname, dig resolves that name before querying that name server.
           If no server argument is provided, dig consults /etc/resolv.conf
           and queries the name servers listed there. The reply from the name
           server that responds is displayed.

dig +norecurse @31.13.75.17 news.ycombinator.com

would be the appropriate way to do it, assuming you choose to use dig.

aendruk12y ago

Thanks for the explanation. Would you interpret these results as supporting evidence of my claim?

  $ dig +short chaos txt version.bind @31.13.75.17     
  "PowerDNS Recursor 3.5.3 $Id$"

This happens despite having opted out via the form you mentioned.

1 more reply

j / k navigate · click thread line to collapse