You might not have noticed, but chances are that your ISP is playing nasty tricks with your DNS traffic.
Answering the above question used to be difficult: you had to be an expert to find out. In fact, most people don’t even notice, nor care.
Playing with the dnstraceroute tool (see it on GitHub), I noticed that it is common practice for service providers to hijack DNS traffic and redirect it to their own local DNS servers. So if you thought you were using Google’s Public DNS server or Verisign's, you may want to think twice.
Following are a couple of examples, going through my favourite VPN tunnel service provider:
% ./dnstraceroute.py -q -s 184.108.40.206 yahoo.com
1 google-public-dns-a.google.com (220.127.116.11) 159 ms
% ./dnstraceroute.py -q -s 18.104.22.168 yahoo.com
1 a.resolvers.level3.net (22.214.171.124) 127 ms
I am obviously not one-hop away from all DNS servers in the world.
So I thought maybe they had a list of well-known public DNS servers and were doing a routing trick based on the destination IP address.
Then I tried tracing to various random IP addresses (not DNS servers), but the results were the same, which is really interesting. The next idea was that they were simply redirecting all UDP/53 traffic. So I changed the port number to test this hypothesis:
% ./dnstraceroute.py -q -p 55 -s 126.96.36.199 yahoo.com
1 a.resolvers.level3.net (188.8.131.52) 133 ms
Wow! The trick is even more sophisticated than a simple IP-address or port-based policy: every DNS request is redirected, regardless of the destination IP address or port number. So there must be layer 7 inspection (DPI) in place, which is a clever (and scary) idea.
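The two checks described above (a DNS query sent to an address that runs no resolver, and a query sent on a port other than 53) can be repeated without the full traceroute, as in this added example, which is not part of the dnstraceroute tool or the original post. The NON_RESOLVER address is a placeholder you must replace with a host you control, and probing Google's 8.8.8.8 on port 55 is my assumption of a port that a real resolver will never answer; a valid answer to either probe is the signal the post describes.

```python
import socket
import struct
from typing import Optional

def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query in wire format: RD=1, one question, class IN (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data: bytes) -> dict:
    """Header fields that matter for the check: id, QR bit, RCODE and answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def verdict(reply: Optional[dict]) -> str:
    """A probe to a non-resolver address or a non-53 port must go unanswered;
    a real answer means a device on the path terminates DNS at layer 7."""
    if reply is None:
        return "no interception observed"
    if reply["is_response"] and reply["rcode"] == 0 and reply["answers"] > 0:
        return "intercepted: the path answered a query the target never should have"
    return "unexpected reply, investigate"

def probe(server: str, qname: str, port: int = 53, timeout: float = 2.0):
    """Send one UDP query; return (responder_ip, parsed header) or None on timeout."""
    qid = 0x1234  # a fixed id is fine for a single diagnostic probe
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, port))
        try:
            data, (ip, _port) = s.recvfrom(512)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return (ip, reply) if reply["id"] == qid else None

if __name__ == "__main__":
    # Assumption: NON_RESOLVER is a host you control that runs no DNS service.
    NON_RESOLVER = "192.0.2.10"  # placeholder (TEST-NET-1), replace before use
    for server, port in ((NON_RESOLVER, 53), ("8.8.8.8", 55)):
        result = probe(server, "yahoo.com", port)
        print(f"{server}:{port} -> {verdict(result[1] if result else None)}")
```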
This is perhaps done to filter out suspicious DNS requests.
You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact, most of them use DPI to some extent for various reasons. But if they are inspecting my DNS traffic up to layer 7, they can also see everything else, unless it is encrypted.
If you are really concerned about your DNS traffic being intercepted (and you should be), or if you want to decouple your DNS traffic from your web traffic, it is highly recommended to use DNSCrypt with a DNS resolver you trust. The IETF has also been working to standardize DNS encryption (see RFC 7858), but it takes time for a new extension like this to be adopted.
Perhaps you already have a virtual machine idling somewhere on the Internet. Maybe it's time to install and configure an Unbound DNS resolver and secure it with DNSCrypt. Tempted to use public DNSCrypt servers instead of your own setup? That’s another mistake you had better not make. If you insist on using a public DNS server, you may want to use the DNSDiag tools to see how much you can trust your ISP.