Geekly Articles each Day
📜 ⬆️ ⬇️

DNS provider substitution

Prehistory

After the adoption of well-known laws in our country, I go online through a Western VPN server.

Yesterday, due to some problems with the main provider, I temporarily switched to a provider called Dom.ru.

Today, I climbed on Google and searched for some information on cactus care. One of the links led me to the psy ***** s.org site. There, as it turned out, they are selling "substances" with might and main. And cacti also sell, but quite specific.
')
But, I learned about this later, but at first, I was shocked by showing me the page “access to this resource was blocked ...” with the Dom.RU logo.

Since I bought a VPN, I have not seen such pages at all, for obvious reasons.

Investigation

To begin with, I decided to check if my VPN works?
Checked the dumbest way - went to the site my-ip.ru. I saw my own Dutch IP, therefore everything is fine with the VPN.

Began to understand further. The idea that Dom.RU could somehow pick up ssl, I dismissed immediately.

Checked the route using traceroute. The route to the site psy ***** s.org leads, as expected, through my VPN server, and then leads to the DOMRUShnuyu stub with the address 92.255.241.100.

Remains CSN. But, on my home server the bind caching DNS server is configured, and Google 8.8.8.8 and 8.8.4.4 are specified as forwarders. There is only one “but”: access to these servers goes through an open channel.

Checking:

ksh@master:~$ nslookup > server 8.8.8.8 Default server: 8.8.8.8 Address: 8.8.8.8#53 > psy*****s.org Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: psy*****s.org Address: 92.255.241.100


Now, we wrap the traffic to external DNS servers through VPN and check again:

 ksh@master:~$ nslookup > server 8.8.8.8 Default server: 8.8.8.8 Address: 8.8.8.8#53 > psy*****s.org Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: psy*****s.org Address: 37.252.124.170


The situation is clear.

I think there is no point in discussing the moral, ethical and legal side of the provider’s actions. In fact, we are talking about the attack MITM.

What to do?

Using DNSSEC is not an option, although Google’s public servers support this protocol. Yes, fake answers will not pass validation, and as a result, your DNS will simply fall off.

Only one way out - to encrypt traffic to public DNS servers in any way.

Interesting is also the position of Google on this issue.

Source: https://habr.com/ru/post/320700/

More articles:


All Articles