[dns-operations] new public DNS service: 9.9.9.9

Babak Farrokhi babak at farrokhi.net
Tue Nov 21 14:52:52 UTC 2017


On 20 Nov 2017, at 15:58, Noel Butler wrote:

> ISPs I've been with in times gone by have often "hijacked" open DNS resolvers, to ensure their users get the best experience by using their own DNS servers. Not a thing the likes of Google etc. can do about it. For instance, with the new laws in Australia, you'll find plenty localising Google's and OpenDNS's resolvers' IPs to enforce and satisfy court directions from copyright orders.
>
> Also allows them to use RPZs to stop their users from going to phishing sites and so on; most users wouldn't know the difference, nor care.

I have seen many instances of this DNS sinkholing from different parts of the world. Running a quick measurement using RIPE Atlas [1] from ~500 probes around the world to query maxmind.test-ipv6.com from 9.9.9.9 reveals the source IP address and AS number of the resolver’s public address. I expect the public IP address to originate from WoodyNet (AS42). However, I can see different probes across Europe and the Middle East whose traffic toward Quad9 is sinkholed to a local resolver.
I have also seen cases of selective sinkholing, based on the query (e.g. certain domain names).

One can reveal (and verify) the public IP address of Quad9 like this:

% dig +short TXT maxmind.test-ipv6.com @9.9.9.9
"ip='2620:171:f8:f0::3' as='42' isp='WoodyNet' country='US'"

Or do a dnstraceroute [2] to find out where your actual DNS traffic is being redirected, in case of hijacking.


[1] https://atlas.ripe.net/api/v2/measurements/10212923/results/?start=1510876800&stop=1510963199&format=json
[2] https://github.com/farrokhi/dnsdiag

Kind Regards,

-- 
Babak Farrokhi
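
The check described in the message above, as an added example that is not part of the original post: it parses the TXT answer from maxmind.test-ipv6.com and flags any answer whose origin AS is not the expected AS42. The function names and the probe-b/probe-c sample answers are constructed for illustration (documentation address and ASN); only the probe-a answer is the one shown in the post.

```python
import re
import subprocess
import sys

EXPECTED_ASN = 42  # WoodyNet, the origin AS the post expects for Quad9

_FIELD = re.compile(r"(\w+)='([^']*)'")

def parse_txt(txt):
    """Turn the key='value' pairs of the TXT answer into a dict."""
    return dict(_FIELD.findall(txt.strip().strip('"')))

def classify(txt, expected_asn=EXPECTED_ASN):
    """Return (verdict, fields); verdict is ok, redirected or unparseable."""
    fields = parse_txt(txt)
    asn = fields.get("as", "")
    if not asn.isdigit():
        return "unparseable", fields  # empty, NXDOMAIN or rewritten answer
    verdict = "ok" if int(asn) == expected_asn else "redirected"
    return verdict, fields

def query(resolver="9.9.9.9", name="maxmind.test-ipv6.com"):
    """Run the dig command from the post; return its first output line."""
    out = subprocess.run(
        ["dig", "+short", "TXT", name, "@" + resolver],
        capture_output=True, text=True, timeout=10,
    ).stdout
    return out.splitlines()[0] if out.strip() else ""

# Sample answers keyed by a hypothetical probe label.
SAMPLES = {
    # Answer quoted in the post.
    "probe-a": "\"ip='2620:171:f8:f0::3' as='42' isp='WoodyNet' country='US'\"",
    # Constructed: documentation address and ASN standing in for a local ISP.
    "probe-b": "\"ip='192.0.2.53' as='64500' isp='Example ISP' country='ZZ'\"",
    # Constructed: no answer came back at all.
    "probe-c": "",
}

def report(samples):
    """Map each probe label to its verdict."""
    return {probe: classify(txt)[0] for probe, txt in samples.items()}

if __name__ == "__main__":
    for probe, verdict in report(SAMPLES).items():
        print(probe, verdict)
    if "--live" in sys.argv:  # needs dig and network access
        print("live", classify(query()))
```

An interceptor that forwards the query on to Quad9 would still show AS 42, so a matching answer is not proof of an unmodified path.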