I have a router with two WAN connections from different ISPs. When I query 8.8.8.8 for a domain from ISP-A I get a completely different reply from when I query 8.8.8.8 for the same domain from ISP-B.
I am beginning to think that one of them is rerouting the traffic from 8.8.8.8 and 8.8.4.4 to their own DNS servers to avoid carrying that bandwidth on their main pipes. So changes made to the IP of a domain would not show up as quickly on the one that is re-routing the traffic I suppose.
If the ISP won't do anything about it, is there anyone to complain to like maybe ICANN or LACNIC or ARIN? Who regulates ISPs? How would I go about gathering evidence? DIG screen captures?
I know of zero countries in the world that have a regulatory body that both a) cares and b) has the power to penalize IP spoofing foul play.
The international organizations all lack b), and on the federal level you probably won't be successful either, for example:
FCC (USA) is probably the most popular one, which does care to some degree and will gladly register your formal customer complaints, then recommend you deploy DNSSEC to mitigate security issues and admit that they have zero power over ISPs.
Bundesnetzagentur (Germany) which falls into the "has the power" group (they do prosecute phone number spoofing, low internet speed, illegal ToC) has recently (in a similar case) expressly told me that they could not care less.
So what can you do?
That being said, you do not know for sure your ISP is doing that yet; your test is inadequate. The speed at which queries are updated is not deterministic, not even for Google's 8.8.8.8 (which obviously is NOT a single machine, and does not necessarily run the same setup for every machine, see https://peering.google.com/). Some equally inadequate (because only catching a few special cases) tests are:

- dig version.bind chaos txt @8.8.8.8, but caching resolvers in between will often respond (usually something borderline rude).
- dig ?.com. in TXT @8.8.8.8 - Google will say NXDOMAIN, other resolvers will say SERVFAIL.
- Run a resolver you control (dnsmasq --no-resolv --server /example.com/127.0.0.8/ --bind-interfaces --listen-address 192.0.2.1 --log-queries) and then look who is querying it when you access it via different ISPs (dig example.com @192.0.2.1). The most obvious clue would then be that while you queried your server directly, you have received more responses than queries showed up in your resolver log (this is how I determine if I am being MitM'd by a caching resolver).
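The comparison described in the question and the version.bind check from the answer above can be scripted so the same question leaves over each WAN link in turn and the replies are laid side by side. The following is an added example, not code from the answer; it is stdlib-only Python that builds and parses raw DNS messages itself. It assumes the router (or the host running it) has one local address per ISP link and that policy routing sends packets bound to that address out the matching link; the addresses 192.0.2.10 and 198.51.100.10 and the TXT text "dnsmasq-2.80" in the offline sample reply are constructed placeholders.

```python
"""Probe whether a query addressed to a public resolver is answered by that
resolver or by something on the ISP path (added example, not from the answer).

Stdlib only: builds raw DNS queries, parses the replies, and lets the caller
pin the source address so the same query goes out over each WAN link.
"""
import random
import socket
import struct

QTYPE = {"A": 1, "TXT": 16}
QCLASS = {"IN": 1, "CH": 3}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Turn 'version.bind' into the wire-format label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Read a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2                # the field itself is only two bytes long
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, qtype="A", qclass="IN", txid=None):
    """One-question DNS query with RD set, as a stub resolver would send it."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])


def parse_response(data):
    """Return the txid, the rcode name and (name, type, class, ttl, value) answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE["A"]:
            value = socket.inet_ntoa(rdata)
        elif rtype == QTYPE["TXT"]:          # first byte is the length of the text
            value = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        else:
            value = rdata.hex()
        answers.append((name, rtype, rclass, ttl, value))
    return {"txid": txid, "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def query(server, name, qtype="A", qclass="IN", source_ip=None, timeout=3.0):
    """Send one query over UDP; binding to source_ip forces it out the chosen link."""
    txid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if source_ip:
        sock.bind((source_ip, 0))
    try:
        sock.sendto(build_query(name, qtype, qclass, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    reply = parse_response(data)
    if reply["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return reply


def a_records(reply):
    """Sorted list of A-record addresses in a parsed reply, for easy comparison."""
    return sorted(v for _, t, _, _, v in reply["answers"] if t == QTYPE["A"])


def compare_links(name, source_ips, server="8.8.8.8"):
    """Ask the same resolver the same two questions from each WAN address."""
    return {ip: {"version": query(server, "version.bind", "TXT", "CH", ip)["answers"],
                 "a": a_records(query(server, name, "A", "IN", ip))}
            for ip in source_ips}


def sample_response(txid=0x1234):
    """Constructed reply to 'version.bind CH TXT' for offline testing; the
    version text is made up and stands in for whatever a proxy would return."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, rcode 0
    question = encode_name("version.bind") + struct.pack("!HH", 16, 3)
    txt = b"dnsmasq-2.80"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(txt) + 1) + bytes([len(txt)]) + txt
    return hdr + question + answer


if __name__ == "__main__":
    # Placeholder per-link addresses; replace with the router's own WAN addresses.
    for ip, result in compare_links("example.com", ["192.0.2.10", "198.51.100.10"]).items():
        print(ip, result)
```

Two different version.bind strings, or two different A-record sets for the same name asked of the same server at the same moment, are the kind of evidence the question asks for; the reply to the CHAOS query can still be missing or a taunt, as the answer notes, so a difference between links matters more than any single value.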