[dns-operations] Hijacking of Google Public DNS in Turkey documented

Alexander Neilson alexander at neilson.net.nz
Sun Mar 30 02:12:50 UTC 2014


My reason for suggesting this was the use of the RIPE Atlas nodes, which would make a DNS lookup the easiest thing to task these nodes to conduct.

In other respects (i.e. when asking users) I agree with you.

Regards

Alexander

Alexander Neilson
Neilson Productions Ltd
Alexander at Neilson.net.nz
021 329 681

> On 30/03/2014, at 2:20 pm, Colm MacCárthaigh <colm at stdlib.net> wrote:
> 
> 
> You're right, one of the many whoami records would work too, but I usually avoid those for two reasons: 1) users mostly don't know how to make DNS queries and often copy the wrong IP address back in their reports, and 2) the response is cacheable and so unreliable when your resolver has multiple IPs, or if you're testing several resolvers from behind a caching stub resolver. So I wrote the HTTP/Javascript interface with a cache buster to get rid of the problem.
> 
> HackerNews user  erhanerdogan got back to me with a report: https://news.ycombinator.com/item?id=7494650 
> 
> Which looks like Google/OpenDNS are being replaced, rather than MITM'd or proxied. But I'd still be interested in more data. 
> 
> 
> 
>> On Sat, Mar 29, 2014 at 6:08 PM, Alexander Neilson <alexander at neilson.net.nz> wrote:
>> Other option here is to do a lookup at whoami.akamai.com and the DNS result is the IP address they got the DNS request from. 
>> 
>> Regards
>> 
>> Alexander
>> 
>> Alexander Neilson
>> Neilson Productions Ltd
>> Alexander at Neilson.net.nz
>> 021 329 681
>> 
>>> On 30/03/2014, at 1:51 pm, Colm MacCárthaigh <colm at stdlib.net> wrote:
>>> 
>>> Does anyone know if the intercepting recursors are acting as standalone recursive nameservers, or if they are passing on the un-interesting queries to the "real" Google / OpenDNS resolvers?  
>>> 
>>> One way to tell is to observe the addresses being used towards authoritative name-servers.  http://whatsmyresolver.stdlib.net/ is one way to see this address. I'd be interested in the results, if anyone is in a position to test. 
>>> 
>>> 
>>>> On Sat, Mar 29, 2014 at 1:46 PM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>>>> http://www.bortzmeyer.org/dns-routing-hijack-turkey.html
>>>> 
>>>> (with the help of RIPE Atlas probes)
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>> 
>>> 
>>> 
>>> -- 
>>> Colm
> 
> 
> 
> -- 
> Colm
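The thread above compares two ways of seeing which address a recursive resolver uses towards authoritative servers (a whoami-style DNS record versus an HTTP page with a cache buster) and notes that a cacheable answer is unreliable when the resolver has several egress IPs or sits behind a caching stub. The following is an added, offline example (not code from this thread, from whatsmyresolver.stdlib.net, or from Akamai) of the two pieces a defender needs to make such a check useful: a unique query name per probe so that no cache on the path can answer, and a classification of the observed egress address against the prefixes the resolver operator is expected to use. The expected prefixes and the probe observations are constructed placeholders; the real published ranges of a public resolver must be substituted before use.

```python
"""Resolver-egress check: cache-busting names plus egress classification.

Added example. The expected prefixes and the probe reports below are
constructed for illustration and are not real operator data.
"""
import ipaddress
import secrets
from collections import Counter


def cache_busting_name(base_zone: str) -> str:
    """Return a query name with a random leading label.

    A whoami-style record answered from a cache tells you only which resolver
    fetched it some time ago; a unique label forces every query to reach the
    authoritative server, so the address it sees belongs to the resolver that
    served *this* lookup.
    """
    label = secrets.token_hex(8)          # 16 hex chars, well under the 63-octet label limit
    return f"{label}.{base_zone.rstrip('.')}."


def classify_egress(observed_ip: str, expected_prefixes) -> str:
    """Classify the address the authoritative server saw for one query.

    'expected'   - inside a prefix the resolver operator is known to use
    'unexpected' - outside every expected prefix: the query never reached the
                   resolver the client addressed (replaced, as the thread
                   suspects) or was forwarded through some other path
    """
    addr = ipaddress.ip_address(observed_ip)
    for prefix in expected_prefixes:
        if addr in ipaddress.ip_network(prefix, strict=False):
            return "expected"
    return "unexpected"


def summarize(observations, expected_prefixes):
    """Aggregate per-probe reports into a verdict for the vantage point set.

    observations: iterable of (probe_id, observed_egress_ip) pairs, one per
    cache-busted query. Returns a dict with per-probe classes, counts, and
    the set of unexpected source addresses (useful for follow-up: whose
    address space is actually answering the queries).
    """
    per_probe = {pid: classify_egress(ip, expected_prefixes) for pid, ip in observations}
    counts = Counter(per_probe.values())
    unexpected_sources = sorted({ip for pid, ip in observations
                                 if per_probe[pid] == "unexpected"})
    return {
        "per_probe": per_probe,
        "counts": dict(counts),
        "unexpected_sources": unexpected_sources,
        # Any probe whose query was answered from outside the expected
        # prefixes is evidence of interception from that vantage point.
        "intercepted_probes": sorted(p for p, c in per_probe.items() if c == "unexpected"),
    }


# Constructed placeholders: the prefixes a hypothetical public resolver is
# assumed to use towards authoritative servers. Replace with the operator's
# published egress ranges before using this on real reports.
EXPECTED_EGRESS = ["192.0.2.0/24", "2001:db8:10::/48"]

# Constructed probe reports: (probe id, source address seen at the
# authoritative server). Probes 3 and 4 report an address outside the
# expected ranges, which is what a transparently substituted resolver
# would look like from this check.
SAMPLE_OBSERVATIONS = [
    ("probe-1", "192.0.2.17"),
    ("probe-2", "2001:db8:10::5"),
    ("probe-3", "198.51.100.9"),
    ("probe-4", "198.51.100.9"),
]

if __name__ == "__main__":
    print("query name for one probe:", cache_busting_name("whoami.example"))
    report = summarize(SAMPLE_OBSERVATIONS, EXPECTED_EGRESS)
    for pid, verdict in report["per_probe"].items():
        print(f"{pid}: {verdict}")
    print("intercepted probes:", report["intercepted_probes"])
    print("unexpected sources:", report["unexpected_sources"])
```

In practice the observations come from whichever vantage points you can task (RIPE Atlas probes or users running a query), and the name is generated fresh for each one; the random label is what removes the caching problem Colm describes, and the classification step is what turns a list of addresses into an answer to Colm's question of whether the queries are reaching the "real" resolver at all.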