Evading DNS interception

  • Thread starter Thread starter royalroy
  • Start date Start date
  • Replies Replies 64
  • Views Views 10,131
R

royalroy

Messages
531
Location
Mumbai
ISP
Alliance BB (AS23860); Wnet (AS55862)
I raised a ticket with Alliance broadband for stopping their DNS interception. Alliance forces you to use their own DNS and only allows 8.8.8.8 in addition. So, you cannot use opendns or 1.1.1.1. The technician, who called me was clueless. He told this shouldn't happen. After I showed him on anydesk that this is indeed happening. After that, he told me that you have to use ISP DNS on any network otherwise the internet won't work. I told him that this is ridiculous, BSNL, Airtel, Vodafone allow you to use any DNS. I shared with him the IP address (obviously the local IP) and MAC of the device on their network intercepting my UDP query on port 53 and made him understand that this is not normal and you need to specially configure your network for doing that. Finally, he relented and asked me to send him IP of DNS and they will allow my queries. I asked him to put 0.0.0.0 there so that it allows all DNS IPs. He said it doesn't work that way!!!

So, if I ask him to allow 1.1.1.1, will it allow me to reach Cloudflare servers or do I need to share the specific Mumbai server IPs?

I think 1.1.1.1 should suffice as the translation from 1.1.1.1 happens on Cloudflare's end. I know DoH or DoT should help but not all devices support them yet. I thought of running a 'cloudflared' service as a proxy on my local rpi and configure my pihole to forward my network-wide DNS queries to that proxy. But I could not install it on my rpi, there seems to be an issue with arm devices. Please help if someone has.
 
.
 
Last edited:
use doh or dns on tls the encryption is so dirty that isp won'nt be able to identify,same is with excitel i use 1.1.1.1 family using dns over tls on android devices and on windows chrome had feauture of dns over http
 
I think its to assist with peering. My secondary ISP does this. Easiest solution is to use Encrypted DNS as suggested.

You can check DNS Hijack using dnstraceroute:

github.com

GitHub - farrokhi/dnsdiag: DNS Measurement, Troubleshooting and Security Auditing Toolset

DNS Measurement, Troubleshooting and Security Auditing Toolset - farrokhi/dnsdiag
github.com github.com

labs.ripe.net

Is Your ISP Hijacking Your DNS Traffic?

You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.
labs.ripe.net labs.ripe.net
 
@pranavDude, I know I have the option in android. What about windows updates? Only firefox, chrome and edge support doh as of now. But not windows natively. They have added in insider version but not in final build releases.
 

@royalroy it supports both DoT and DoH natively.

Capture.png
 
JB701 said:
I think its to assist with peering. My secondary ISP does this. Easiest solution is to use Encrypted DNS as suggested.

You can check DNS Hijack using dnstraceroute:

github.com

GitHub - farrokhi/dnsdiag: DNS Measurement, Troubleshooting and Security Auditing Toolset

DNS Measurement, Troubleshooting and Security Auditing Toolset - farrokhi/dnsdiag
github.com github.com

labs.ripe.net

Is Your ISP Hijacking Your DNS Traffic?

You might not have noticed, but there are chances that your ISP is playing nasty tricks with your DNS traffic.
labs.ripe.net labs.ripe.net
Click to expand...
Exactly!!! I too used alliance and it was actually hijacking cloudflare's dns, so @Anurag Bhatia explained me the reason for the same. It's called edns client subnet. It basically assists peering and would resolve to get the nearest node rather than cloudflare's dns which would resolve to a different node most probably mumbai that is probably far from you. Also this helps to keep peering servers away from their transit links.
 
I think it's another technique for browsing history management. It's a silly method anyway. Maybe the software they use is responsible for this. Alliance uses a billing/ traffic management system named IPACCT. I think excitel also uses it. I have seen excitel portal screenshots and they seem similar. What about other ISPs who intercept DNS?
 

Top