Re: DNS hijacking (was Re: Is this an intrusion?)
On 2017-06-19, Rui Ribeiro wrote:
> Depending on how "evil" the ISP is, or how you want to obfuscate your
> metadata, you might want to have a look at dnscrypt
> https://blog.ipredator.se/openbsd-dnscrypt-howto.html

Yes, that's an option, though it does just move your trust from the ISP
to the dnscrypt server operator. Checking DNSSEC (which you can do on a
local recursive resolver, even if it's forwarding through an ISP or dnscrypt
server) at least helps for domains which sign their zones.
Re: DNS hijacking (was Re: Is this an intrusion?)
Hi,

Depending on how "evil" the ISP is, or how you want to obfuscate your
metadata, you might want to have a look at dnscrypt
https://blog.ipredator.se/openbsd-dnscrypt-howto.html

On 18 June 2017 at 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh wrote:
> > Folks,
> >
> > My understanding of the way that this is done is by returning a CNAME
> > when the ISP's DNS recursive DNS server would otherwise return a
> > NXDOMAIN result, followed by a HTTP 302 when the browser attempts to
> > reach the host via the bogus CNAME.
> >
> > My question is would running my own internal recursive DNS resolver be
> > sufficient to stop this from happening? (I run my own DNS server anyway,
> > but I'm curious to see whether it would be sufficient to bypass the
> > search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>

--
Regards,
--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Re: DNS hijacking (was Re: Is this an intrusion?)
On 18/06/2017 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh wrote:
>> Folks,
>>
>> My understanding of the way that this is done is by returning a CNAME
>> when the ISP's DNS recursive DNS server would otherwise return a
>> NXDOMAIN result, followed by a HTTP 302 when the browser attempts to
>> reach the host via the bogus CNAME.
>>
>> My question is would running my own internal recursive DNS resolver be
>> sufficient to stop this from happening? (I run my own DNS server anyway,
>> but I'm curious to see whether it would be sufficient to bypass the
>> search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>

Should give them a call and have it turned off anyway really...
Re: DNS hijacking (was Re: Is this an intrusion?)
On 2017-06-17, Paul Suh wrote:
> Folks,
>
> My understanding of the way that this is done is by returning a CNAME
> when the ISP's DNS recursive DNS server would otherwise return a
> NXDOMAIN result, followed by a HTTP 302 when the browser attempts to
> reach the host via the bogus CNAME.
>
> My question is would running my own internal recursive DNS resolver be
> sufficient to stop this from happening? (I run my own DNS server anyway,
> but I'm curious to see whether it would be sufficient to bypass the
> search page redirection stupidity.)

Usually that's enough, but it depends how evil the ISP is.
DNS hijacking (was Re: Is this an intrusion?)
On Jun 16, 2017, at 9:32 PM, Joe Holden wrote:
>
> It is done by the VM dns servers, if you visit a domain that doesn't
> exist you should be directed to the advanced search page, there *should*
> be a link to disable it there, but if not login to your account and
> disable it, can't remember what it is called...
>
> Hosts file won't solve the problem really since anything else will also
> get the same result

Folks,

My understanding of the way that this is done is by returning a CNAME
when the ISP's DNS recursive DNS server would otherwise return a
NXDOMAIN result, followed by a HTTP 302 when the browser attempts to
reach the host via the bogus CNAME.

My question is would running my own internal recursive DNS resolver be
sufficient to stop this from happening? (I run my own DNS server anyway,
but I'm curious to see whether it would be sufficient to bypass the
search page redirection stupidity.)

Thanks for any insights.

--Paul
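
The check below is an added example, not part of any message in this thread: it asks a resolver for a random name that is assumed not to exist and classifies the reply, so the CNAME-instead-of-NXDOMAIN behaviour described above shows up as `rewritten-cname`. The function names, the `com` probe zone and the sample packet are constructed for illustration.

```python
import secrets
import socket
import struct

# Constructed sample: reply (ID 0x1234) to a query for "x.com", answered with a CNAME to "a."
SAMPLE_REWRITE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x01x\x03com\x00\x00\x01\x00\x01"
                  + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, 3) + b"\x01a\x00")

def build_query(name, qtype=1):
    """Encode a recursive query (default type A) for name; returns (txid, packet)."""
    txid = secrets.randbits(16)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # plain label: step over it
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # 2-byte pointer or root label

def classify(msg, txid):
    """Classify the reply to a query for a name that should not exist."""
    if len(msg) < 12:
        return "invalid"
    rid, flags, _qd, an = struct.unpack("!4H", msg[:8])
    if rid != txid or not flags & 0x8000:         # wrong ID or not a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode or not an:                           # 3 = NXDOMAIN, the honest answer
        return {3: "nxdomain", 0: "nodata"}.get(rcode, "error")
    off = skip_name(msg, 12) + 4                  # replies echo our single question
    types = []
    for _ in range(an):                           # collect the answer record types
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return "rewritten-cname" if 5 in types else "rewritten"

def probe(resolver_ip, zone="com", timeout=3.0):
    """Ask resolver_ip for a random (assumed nonexistent) name under zone."""
    name = f"{secrets.token_hex(12)}.{zone}"
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return name, classify(reply, txid)
```

Running `probe()` against the ISP's resolver and against a local recursive resolver shows whether the local one is enough; a rewrite seen through a local, non-forwarding resolver means the queries are being altered in transit.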