zlacker

[parent] [thread] 11 comments
1. regner+(OP)[view] [source] 2019-05-04 18:50:01
Cloudflare returns a proper response for me.

  nslookup archive.is 1.1.1.1
  Server:  1.1.1.1
  Address: 1.1.1.1#53

  Non-authoritative answer:
  Name: archive.is
  Address: 134.119.220.26
replies(4): >>akerro+L1 >>1f60c+R1 >>V99+w4 >>logixl+pp
2. akerro+L1[view] [source] 2019-05-04 19:04:41
>>regner+(OP) 

    dig @1.1.1.1 archive.is
    
    ; <<>> DiG 9.14.1 <<>> @1.1.1.1 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             2998    IN      A       127.0.0.4

    ;; Query time: 52 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Sat May 04 21:03:36 CEST 2019
    ;; MSG SIZE  rcvd: 55

    dig @8.8.8.8 archive.is

    ; <<>> DiG 9.14.1 <<>> @8.8.8.8 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5893
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             299     IN      A       94.16.117.236

    ;; Query time: 79 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat May 04 21:04:28 CEST 2019
    ;; MSG SIZE  rcvd: 55
3. 1f60c+R1[view] [source] 2019-05-04 19:05:15
>>regner+(OP)
Not for me:

    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 127.0.0.4
4. V99+w4[view] [source] 2019-05-04 19:30:02
>>regner+(OP)
It's possible your ISP is intercepting all traffic for port 53 and sending it to their own nameservers (which do send client subset) instead of you actually taking to cloudflare's 1.1.1.1 at all.
replies(1): >>abtinf+n7
◧◩
5. abtinf+n7[view] [source] [discussion] 2019-05-04 19:52:03
>>V99+w4
Links for documented instances of this practice?
replies(4): >>V99+D9 >>AndyMc+Nb >>andrea+lG >>lultim+pT
◧◩◪
6. V99+D9[view] [source] [discussion] 2019-05-04 20:09:46
>>abtinf+n7
I don't know of any particular popular concrete instance, but why is it hard to believe? It's trivial to implement and would be brought to you by the same people who think serving ads for NXDOMAIN is a good idea.

https://www.dnsleaktest.com/what-is-transparent-dns-proxy.ht...

replies(1): >>abtinf+za
◧◩◪◨
7. abtinf+za[view] [source] [discussion] 2019-05-04 20:17:05
>>V99+D9
That link was useful, thank you. I don't find it hard to believe technically, but it strikes me as a fundamentally different practice than what I'd head of before. If I request for traffic to go to a certain IP, I expect it to be sent to that IP. MITMing and manipulating that traffic is bad, but not delivering it at all is qualitatively different. I suspect it could be grounds for a serious civil or criminal action.
replies(1): >>LogicX+us
◧◩◪
8. AndyMc+Nb[view] [source] [discussion] 2019-05-04 20:25:41
>>abtinf+n7
https://labs.ripe.net/Members/babak_farrokhi/operator-level-...
9. logixl+pp[view] [source] 2019-05-04 23:15:34
>>regner+(OP)
If you don't mind could you look through: https://ooni.torproject.org/about/risks/

And if they sound acceptable run https://ooni.torproject.org/install/

It'll show you more about likely interception of your traffic.

◧◩◪◨⬒
10. LogicX+us[view] [source] [discussion] 2019-05-04 23:55:38
>>abtinf+za
I can confirm we run across transparent dns proxying with customers at DNSFilter all the time. Mobile carriers are the worst for doing this.

A few days ago it was a customers compromised router doing it.

◧◩◪
11. andrea+lG[view] [source] [discussion] 2019-05-05 03:49:28
>>abtinf+n7
ISPs in several countries I've been to do this to blacklist "objectionable" sites (which apparently includes reddit now) at the DNS level. Turning on DNS-over-HTTPS solves that.
◧◩◪
12. lultim+pT[view] [source] [discussion] 2019-05-05 08:54:39
>>abtinf+n7
I have personal witnessed this happening with Wind-Infostrada in Italy. DNS spoofing was done through the ISP provided fiber modem/router though, not at the ISP level; if you actually changed the DNS servers on the router than it would send all your queries to those routers instead of the ISP ones.

I couldn't figure out if this was plain incompetency, an attempt to enforce DNS-based website blocking, or some programmer willfully implementing the latter with the former so that it would be reasonably easy to circumvent.

Also Italian residential providers really, really like to mess with NXDOMAIN instead returning a helpful error page with affiliate links instead. You might think you can imagine how much shit this breaks; you probably don't.

[go to top]