Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Stuart Henderson
On 2017-06-19, Rui Ribeiro  wrote:
> Depending on how "evil" the ISP is, or how you want to obfuscate your
> metadata, you might want to have a look at dnscrypt
> https://blog.ipredator.se/openbsd-dnscrypt-howto.html

Yes, that's an option, though it does just move your trust from the ISP
to the dnscrypt server operator.

Checking dnssec (which you can do on a local recursive resolver, even
if it's forwarding through an isp or dnscrypt server) at least helps for
domains which sign their zones.



Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-19 Thread Rui Ribeiro
Hi,

Depending on how "evil" the ISP is, or how you want to obfuscate your
metadata, you might want to have a look at dnscrypt
https://blog.ipredator.se/openbsd-dnscrypt-howto.html

On 18 June 2017 at 10:59, Stuart Henderson  wrote:

> On 2017-06-17, Paul Suh  wrote:
> > Folks,
> >
> > My understanding of the way that this is done is by returning a CNAME
> > when the ISP's recursive DNS server would otherwise return an
> > NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> > reach the host via the bogus CNAME.
> >
> > My question is would running my own internal recursive DNS resolver be
> > sufficient to stop this from happening? (I run my own DNS server anyway,
> > but I'm curious to see whether it would be sufficient to bypass the
> > search page redirection stupidity.)
>
> Usually that's enough, but it depends how evil the ISP is.
>
>


-- 
Regards,

--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434


Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Joe Holden
On 18/06/2017 10:59, Stuart Henderson wrote:
> On 2017-06-17, Paul Suh  wrote:
>> Folks,
>>
>> My understanding of the way that this is done is by returning a CNAME
>> when the ISP's recursive DNS server would otherwise return an
>> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
>> reach the host via the bogus CNAME.
>>
>> My question is would running my own internal recursive DNS resolver be
>> sufficient to stop this from happening? (I run my own DNS server anyway,
>> but I'm curious to see whether it would be sufficient to bypass the
>> search page redirection stupidity.)
> 
> Usually that's enough, but it depends how evil the ISP is.
> 

Should give them a call and have it turned off anyway really...



Re: DNS hijacking (was Re: Is this an intrusion?)

2017-06-18 Thread Stuart Henderson
On 2017-06-17, Paul Suh  wrote:
> Folks,
>
> My understanding of the way that this is done is by returning a CNAME
> when the ISP's recursive DNS server would otherwise return an
> NXDOMAIN result, followed by an HTTP 302 when the browser attempts to
> reach the host via the bogus CNAME.
>
> My question is would running my own internal recursive DNS resolver be
> sufficient to stop this from happening? (I run my own DNS server anyway,
> but I'm curious to see whether it would be sufficient to bypass the
> search page redirection stupidity.)

Usually that's enough, but it depends how evil the ISP is.
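An added check, not from anyone in this thread, for the behaviour Paul describes: it asks a resolver (the ISP's, or your own local one after you switch) for a random label that cannot exist and reports whether the answer is an honest NXDOMAIN or a rewritten NOERROR with records attached. It uses only the standard library; `example.com` as the base domain and port 53/UDP are assumptions, and the base domain must not be one that serves wildcard records.

```python
"""Probe a resolver for NXDOMAIN rewriting (added example, stdlib only)."""
import secrets
import socket
import struct

def build_query(qname: str, qid: int) -> bytes:
    """Minimal RFC 1035 A query for qname, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response: bytes, qid: int) -> str:
    """Classify a raw DNS response to a query for a name that cannot exist."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        return "id-mismatch"
    rcode = flags & 0x000F
    if rcode == 3:          # NXDOMAIN: the resolver is telling the truth
        return "nxdomain"
    if rcode == 0 and an > 0:
        # NOERROR with answer records for a name that cannot exist:
        # the resolver substituted its own CNAME/A (the search-page redirect).
        return "rewritten"
    if rcode == 0:
        return "noerror-empty"
    return f"rcode-{rcode}"

def probe(resolver: str, base_domain: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query for a random, non-existent label under base_domain."""
    qid = secrets.randbelow(65536)
    qname = f"{secrets.token_hex(8)}.{base_domain}"  # constructed, cannot exist
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data, qid)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe(target))
```

Run it once against the ISP resolver and once against the local recursive one; "rewritten" from the former and "nxdomain" from the latter confirms that the local resolver alone sidesteps the redirect.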