[dns-operations] Hijacking of Google Public DNS in Turkey documented

Colm MacCárthaigh colm at stdlib.net
Sun Mar 30 01:20:36 UTC 2014


You're right, one of the many whoami records would work too, but I usually
avoid those for two reasons: 1) users mostly don't know how to make DNS
queries and often copy the wrong IP address back in their reports, and 2)
the response is cacheable and so unreliable when your resolver has multiple
IPs, or if you're testing several resolvers from behind a caching stub
resolver. So I wrote the HTTP/JavaScript interface with a cache buster to
get rid of the problem.

HackerNews user erhanerdogan
<https://news.ycombinator.com/user?id=erhanerdogan> got back to me with a
report: https://news.ycombinator.com/item?id=7494650

Which looks like Google/OpenDNS are being replaced, rather than MITM'd or
proxied. But I'd still be interested in more data.



On Sat, Mar 29, 2014 at 6:08 PM, Alexander Neilson <alexander at neilson.net.nz> wrote:

> Other option here is to do a lookup at whoami.akamai.com and the DNS
> result is the IP address they got the DNS request from.
>
> Regards
>
> Alexander
>
> Alexander Neilson
> Neilson Productions Ltd
> Alexander at Neilson.net.nz
> 021 329 681
>
> On 30/03/2014, at 1:51 pm, Colm MacCárthaigh <colm at stdlib.net> wrote:
>
> Does anyone know if the intercepting recursors are acting as standalone
> recursive nameservers, or if they are passing on the un-interesting queries
> to the "real" Google / OpenDNS resolvers?
>
> One way to tell is to observe the addresses being used towards
> authoritative name-servers.  http://whatsmyresolver.stdlib.net/ is one
> way to see this address. I'd be interested in the results, if anyone is in
> a position to test.
>
>
> On Sat, Mar 29, 2014 at 1:46 PM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
>> http://www.bortzmeyer.org/dns-routing-hijack-turkey.html
>>
>> (with the help of RIPE Atlas probes)
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>
>
>
>
> --
> Colm
>


-- 
Colm
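
The caching problem and the cache-buster fix described in the message above, as an added example that is not part of the original thread and not the code behind whatsmyresolver.stdlib.net. It assumes a hypothetical wildcard zone (`whoami.example.net`) whose authoritative server answers with the source address of the recursor, and uses a constructed simulation of a caching stub in front of a recursor with several egress IPs.

```python
import secrets

# Hypothetical wildcard zone (assumption): its authoritative server answers
# every A query with the source address of the recursor that asked.
WHOAMI_ZONE = "whoami.example.net"


def cache_busting_name(zone=WHOAMI_ZONE):
    """Fresh random label per query, so no cache on the path can answer it."""
    return f"{secrets.token_hex(8)}.{zone}"


def probe_egress(resolve, attempts=8, bust=True, zone=WHOAMI_ZONE):
    """Collect the recursor addresses reported back over several queries."""
    seen = set()
    for _ in range(attempts):
        name = cache_busting_name(zone) if bust else zone
        seen.add(resolve(name))
    return seen


class SimulatedPath:
    """Constructed stand-in: caching stub -> multi-IP recursor -> whoami authority."""

    def __init__(self, egress_ips):
        self.egress_ips = list(egress_ips)
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, name):
        if name not in self.cache:  # cache miss: the query reaches the authority
            ip = self.egress_ips[self.upstream_queries % len(self.egress_ips)]
            self.upstream_queries += 1
            self.cache[name] = ip   # authority echoes the egress address it saw
        return self.cache[name]     # cache hit: stale answer, no new observation


# Constructed sample egress addresses (RFC 5737 documentation range).
SAMPLE_EGRESS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def demo():
    """Return (addresses seen with a fixed name, addresses seen with cache busting)."""
    fixed = probe_egress(SimulatedPath(SAMPLE_EGRESS).resolve, bust=False)
    busted = probe_egress(SimulatedPath(SAMPLE_EGRESS).resolve, bust=True)
    return fixed, busted


if __name__ == "__main__":
    fixed, busted = demo()
    print("fixed name  :", sorted(fixed))
    print("cache-busted:", sorted(busted))
```

For a live check through the system resolver, pass `socket.gethostbyname` as `resolve` together with a real whoami-style wildcard zone.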