[dns-operations] Identifying DNS hijacking

Alexander Dupuy alexdupuy at google.com
Mon Nov 20 22:04:18 UTC 2017

Robert Edmonds wrote:
> 'dig @ -t TXT test.dns.google.com' will return the TXT record
> "Thanks for using Google Public DNS."

Note that you may get that reply even when your DNS traffic is being
hijacked. I once had an unusual experience on a hotel Internet connection
where even after authenticating, the captive portal DNS interception
remained active, although the response replacement was disabled.

I was getting responses from authoritative servers without AA, which was
puzzling. When I checked and saw this was happening with several root and
TLD name servers as well, I realized the hotel network was (still)
hijacking the traffic and responding from a recursive resolver. I was then
quite amused to see the following:

$ dig +short TXT test.dns.google.com. @resolver1.opendns.com
"Thanks for using Google Public DNS."

Apparently, the captive portal's recursive server was forwarding to The TXT record just tells you that the resolution of the name (at
some point, possibly in the previous few seconds) passed through Google
Public DNS. It never tells you who might have handled it on the way.

Rather than using CHAOS class queries, the best way to detect hijacking is
through the EDNS nameserver ID (as mentioned recently on this list).
Unfortunately, Google Public DNS doesn't (yet?) support those either, but
right now you can use the following command to detect most indiscriminate
DNS hijacking:

$ dig +norec +noall +comment +nsid SOA @l.root-servers.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59195
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

; EDNS: version: 0, flags:; udp: 4096
; NSID: 6c 61 78 35 31 2e 6c 2e 72 6f 6f 74 2d 73 65 72 76 65 72 73 2e 6f
72 67 ("lax51.l.root-servers.org")

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20171120/00bae458/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4849 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20171120/00bae458/attachment.bin>

More information about the dns-operations mailing list