Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Stuart Henderson
On 2017-06-19, Rui Ribeiro  wrote:
> Depending on how "evil" the ISP is, or how you want to obfuscate your
> metadata, you might want to have a look at dnscrypt
> https://blog.ipredator.se/openbsd-dnscrypt-howto.html

Yes, that's an option, though it does just move your trust from the ISP
to the dnscrypt server operator.

Checking dnssec (which you can do on a local recursive resolver, even
if it's forwarding through an isp or dnscrypt server) at least helps for
domains which sign their zones.
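Stuart's suggestion of validating DNSSEC on a local recursive resolver while still forwarding queries upstream, as an added example configuration that is not from the thread or the howto it links. It assumes OpenBSD's base unbound(8) with its default trust-anchor path /var/unbound/db/root.key; the forwarder address 192.0.2.53 is a placeholder for the ISP resolver or a local dnscrypt-proxy listener.

```conf
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validate DNSSEC locally even though every query is forwarded upstream.
    # The forwarder still sees the query names, but it cannot forge answers
    # for signed zones without the local validator returning SERVFAIL.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    # Treat answers whose signatures were removed upstream as bogus.
    harden-dnssec-stripped: yes
    # Log validation failures with the reason, which is where a
    # substituted NXDOMAIN for a signed zone will show up.
    val-log-level: 2

forward-zone:
    name: "."
    # Placeholder: ISP resolver, or the address a local dnscrypt-proxy listens on.
    forward-addr: 192.0.2.53
```

This protects only names under zones that are actually signed, which is the caveat in Stuart's reply: for an unsigned zone the validator has nothing to check and will pass a substituted CNAME through unchanged.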



Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Rui Ribeiro
Hi,

Depending on how "evil" the ISP is, or how you want to obfuscate your
metadata, you might want to have a look at dnscrypt
https://blog.ipredator.se/openbsd-dnscrypt-howto.html

On 18 June 2017 at 10:59, Stuart Henderson  wrote:

> On 2017-06-17, Paul Suh  wrote:
> > Folks,
> >
> > My understanding of the way that this is done is by returning a CNAME
> > when the ISP's recursive DNS server would otherwise return a
> > NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> > reach the host via the bogus CNAME.
> >
> > My question is would running my own internal recursive DNS resolver be
> > sufficient to stop this from happening? (I run my own DNS server anyway,
> > but I'm curious to see whether it would be sufficient to bypass the
> > search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>
>


-- 
Regards,

--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434


Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Joe Holden
On 18/06/2017 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh  wrote:
>> Folks,
>>
>> My understanding of the way that this is done is by returning a CNAME
>> when the ISP's recursive DNS server would otherwise return a
>> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
>> reach the host via the bogus CNAME.
>>
>> My question is would running my own internal recursive DNS resolver be
>> sufficient to stop this from happening? (I run my own DNS server anyway,
>> but I'm curious to see whether it would be sufficient to bypass the
>> search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>

Should give them a call and have it turned off anyway really...



Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Stuart Henderson
On 2017-06-17, Paul Suh  wrote:
> Folks,
>
> My understanding of the way that this is done is by returning a CNAME
> when the ISP's recursive DNS server would otherwise return a
> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> reach the host via the bogus CNAME.
>
> My question is would running my own internal recursive DNS resolver be
> sufficient to stop this from happening? (I run my own DNS server anyway,
> but I'm curious to see whether it would be sufficient to bypass the
> search page redirection stupidity.)

Usually that's enough, but it depends how evil the ISP is.



DNS hijacking (was Re: Is this an intrusion?)

2017-06-17 Thread Paul Suh
On Jun 16, 2017, at 9:32 PM, Joe Holden  wrote:
> 
> It is done by the VM dns servers, if you visit a domain that doesn't
> exist you should be directed to the advanced search page, there *should*
> be a link to disable it there, but if not login to your account and
> disable it, can't remember what it is called...
> 
> Hosts file won't solve the problem really since anything else will also
> get the same result

Folks,

My understanding of the way that this is done is by returning a CNAME when the
ISP's recursive DNS server would otherwise return a NXDOMAIN result,
followed by an HTTP 302 when the browser attempts to reach the host via the
bogus CNAME.

My question is would running my own internal recursive DNS resolver be
sufficient to stop this from happening? (I run my own DNS server anyway, but
I'm curious to see whether it would be sufficient to bypass the search page
redirection stupidity.)

Thanks for any insights. 


--Paul
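The NXDOMAIN substitution Paul describes above, and the DNSSEC validation Stuart's reply relies on, as an added example that is not from this thread: a standard-library-only Python parser for DNS wire-format responses that classifies the answer a resolver gives for a probe name that should not exist. The probe name, the redirect host searchassist.isp.example, the address 192.0.2.10 and both sample responses are constructed here for the example; nothing in them comes from the thread.

```python
"""Classify a DNS response to a probe for a name that should not exist.

Added example (not from the thread). Pure standard library: it parses
DNS wire format directly so it runs offline against constructed samples.
"""
import struct

QTYPE_A, QTYPE_CNAME = 1, 5
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                  # resume after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_response(msg):
    """Return rcode, the AD (DNSSEC-validated) flag, the question name and answers."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_CNAME:
            rdata, _ = _read_name(msg, off)
        elif rtype == QTYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, rdata))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "qname": qname, "answers": answers}


def classify(msg, probe_name):
    """Decide whether the resolver answered the probe honestly or substituted an answer."""
    r = parse_response(msg)
    result = {"probe": probe_name, "rcode": r["rcode"], "dnssec_validated": r["ad"]}
    if r["qname"] != probe_name.lower():
        result["verdict"] = "mismatched-question"
    elif r["rcode"] == RCODE_NXDOMAIN:
        result["verdict"] = "nxdomain"          # honest: the name does not exist
    elif r["rcode"] == RCODE_NOERROR and r["answers"]:
        result["verdict"] = "substituted"       # NXDOMAIN replaced with CNAME/A data
        result["chain"] = r["answers"]
    elif r["rcode"] == RCODE_NOERROR:
        result["verdict"] = "nodata"
    else:
        result["verdict"] = "other"             # e.g. SERVFAIL from a validating resolver
    return result


def build_response(qname, rcode, answers=(), ad=False):
    """Constructed test fixture: answers are (owner or None for the QNAME, type, rdata)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode     # QR, RD, RA set
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    for owner, rtype, rdata in answers:
        if rtype == QTYPE_CNAME:
            rd = _encode_name(rdata)
        else:
            rd = bytes(int(x) for x in rdata.split("."))
        body += b"\xc0\x0c" if owner is None else _encode_name(owner)
        body += struct.pack("!HHIH", rtype, 1, 60, len(rd)) + rd
    return hdr + body


# Constructed samples: a random-looking label that nobody has registered.
PROBE = "zq7x1-does-not-exist.example"
HONEST = build_response(PROBE, RCODE_NXDOMAIN)
HIJACKED = build_response(PROBE, RCODE_NOERROR, [
    (None, QTYPE_CNAME, "searchassist.isp.example"),      # constructed redirect host
    ("searchassist.isp.example", QTYPE_A, "192.0.2.10"),  # documentation-range address
])

if __name__ == "__main__":
    for label, msg in (("honest", HONEST), ("hijacked", HIJACKED)):
        print(label, classify(msg, PROBE))
```

To use this against a live resolver, send the probe for a random label (ideally under a zone you control, so you know it cannot exist) and feed the raw reply to classify(). An honest resolver yields "nxdomain"; one doing the substitution Paul describes yields "substituted" with the CNAME/A chain that leads to the search page. With a validating local resolver in front, as in Stuart's reply, a forged answer for a signed zone fails validation and comes back as SERVFAIL ("other") rather than being accepted, and the dnssec_validated field shows whether the AD bit was set on what did come back.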


