Re: DNS hijacking (was Re: Is this an intrusion?)
On 2017-06-19, Rui Ribeiro wrote:
> Depending on how "evil" the ISP is, or how you want to obfuscate your
> metadata, you might want to have a look at dnscrypt
> https://blog.ipredator.se/openbsd-dnscrypt-howto.html

Yes, that's an option, though it does just move your trust from the ISP to the dnscrypt server operator. Checking DNSSEC (which you can do on a local recursive resolver, even if it's forwarding through an ISP or dnscrypt server) at least helps for domains which sign their zones.
Re: DNS hijacking (was Re: Is this an intrusion?)
Hi,

Depending on how "evil" the ISP is, or how you want to obfuscate your metadata, you might want to have a look at dnscrypt
https://blog.ipredator.se/openbsd-dnscrypt-howto.html

On 18 June 2017 at 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh wrote:
> > Folks,
> >
> > My understanding of the way that this is done is by returning a CNAME
> > when the ISP's recursive DNS server would otherwise return an
> > NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> > reach the host via the bogus CNAME.
> >
> > My question is would running my own internal recursive DNS resolver be
> > sufficient to stop this from happening? (I run my own DNS server anyway,
> > but I'm curious to see whether it would be sufficient to bypass the
> > search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>

--
Regards,

--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
Re: DNS hijacking (was Re: Is this an intrusion?)
On 18/06/2017 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh wrote:
>> Folks,
>>
>> My understanding of the way that this is done is by returning a CNAME
>> when the ISP's recursive DNS server would otherwise return an
>> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
>> reach the host via the bogus CNAME.
>>
>> My question is would running my own internal recursive DNS resolver be
>> sufficient to stop this from happening? (I run my own DNS server anyway,
>> but I'm curious to see whether it would be sufficient to bypass the
>> search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>

Should give them a call and have it turned off anyway really...
Re: DNS hijacking (was Re: Is this an intrusion?)
On 2017-06-17, Paul Suh wrote:
> Folks,
>
> My understanding of the way that this is done is by returning a CNAME
> when the ISP's recursive DNS server would otherwise return an
> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> reach the host via the bogus CNAME.
>
> My question is would running my own internal recursive DNS resolver be
> sufficient to stop this from happening? (I run my own DNS server anyway,
> but I'm curious to see whether it would be sufficient to bypass the
> search page redirection stupidity.)

Usually that's enough, but it depends how evil the ISP is.
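The NXDOMAIN rewriting described in the quoted question (a CNAME handed back where the resolver should have said NXDOMAIN) is easy to test for from a script, which is the check a practitioner would want before and after switching to a local recursive resolver. The following is an added example, not code from this thread or from any of its authors: it builds a query for a name that cannot exist, parses the raw reply per RFC 1035, and classifies it. The two hand-constructed responses at the bottom (an honest NXDOMAIN and a rewritten one using the made-up names `doesnotexist-8f3a1c.example.` and `search.isp.example.` and the documentation address `192.0.2.10`) let the classifier be exercised offline; the network probe `check_resolver` and its default `.com.` probe zone are my own choices, not anything the thread specifies.

```python
"""Detect ISP NXDOMAIN rewriting from raw DNS responses (added example).

Honest resolver: RCODE 3 (NXDOMAIN) and an empty answer section.
Rewriting resolver: RCODE 0 with a CNAME (usually plus an A) for its search page.
Sample responses at the bottom are constructed by hand with made-up names.
"""
import os
import socket
import struct

TYPE_A, TYPE_CNAME = 1, 5
RCODE_NXDOMAIN = 3

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, txid=None) -> bytes:
    """Recursion-desired query; random 16-bit transaction id unless one is given."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", end

def parse_response(msg: bytes) -> dict:
    """Return txid, rcode, AD flag and answers as (owner, type, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}

def classify(msg: bytes) -> str:
    """'nxdomain' for an honest negative answer, 'hijacked' for a synthesised CNAME/A."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN and not r["answers"]:
        return "nxdomain"
    if r["rcode"] == 0 and any(t in (TYPE_A, TYPE_CNAME) for _, t, _ in r["answers"]):
        return "hijacked"
    return "unexpected"

def check_resolver(server: str, zone: str = "com.", timeout: float = 3.0) -> str:
    """Query a resolver over UDP for a random 16-hex-digit label under `zone`
    (which will not exist) and classify the reply.  Needs network."""
    query = build_query(os.urandom(8).hex() + "." + zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data)

# Constructed sample responses (made-up names, RFC 5737 address) for offline use.
QNAME = "doesnotexist-8f3a1c.example."
_question = encode_name(QNAME) + struct.pack(">HH", TYPE_A, 1)
# Honest resolver: flags QR|RD|RA with RCODE 3, nothing in the answer section.
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _question
# Rewriting resolver: RCODE 0, CNAME to the search-page host plus its A record.
_target = encode_name("search.isp.example.")
_head = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _question
_cname_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_CNAME, 1, 60, len(_target)) + _target
_target_ptr = struct.pack(">H", 0xC000 | (len(_head) + len(_cname_rr) - len(_target)))
_a_rr = _target_ptr + struct.pack(">HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10])
SAMPLE_HIJACKED = _head + _cname_rr + _a_rr
```

Run `check_resolver("<isp resolver>")` and `check_resolver("127.0.0.1")` side by side: a `hijacked` result from the local resolver means it is still forwarding through something that rewrites. The `ad` flag the parser exposes is only meaningful when the resolver you ask validates DNSSEC itself, and it says nothing for unsigned zones.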