
There are websites which claim to do "DNS leak tests". I don't care so much about DNS leaks but am curious, how does the website know which DNS server I am using? I guessed it would be a header sent in the HTTP request but wasn't able to find it.

Example website: https://www.dnsleaktest.com/

EDIT: there are plenty of other examples found through a google search.

Craigxyz

  • It is not a header sent as the DNS query is done before the HTTP request and does not report DNS information. It is an analysis done in JavaScript locally. Have fun reading the source code to figure out exactly how it does it: https://www.dnsleaktest.com/ana/piwik.js – Julie Pelletier Jul 13 '16 at 03:26
  • @JuliePelletier, I'm not sure if it's the linked [piwik.js](https://www.dnsleaktest.com/ana/piwik.js) where the "magic happens"; that's an analytics platform that's blocked by my browser (see screengrab below). But yes, the browser does seem to try to send the piwik tracking id to the website. – Jedi Jul 13 '16 at 03:41
  • You mean this? https://github.com/piwik/piwik/blob/master/js/piwik.js – Mardoxx Jul 13 '16 at 14:14

2 Answers


This is a DNS resolution trick that could also be performed using non-HTTP protocols, but in this case it is performed by using random hostnames and zero-pixel images via HTTP.

Look at the source code on the page and you will see a series of random 10-character subdomains requested for several URLs. These are unique hostnames which neither your computer nor your ISP, nor, more importantly, your DNS provider, will have cached in local DNS.

When these unique hostnames hit your DNS provider, it then has to request them from the testing company's website, which then correlates the owner's IP address doing the unique DNS request and notifies you, via a quick lookup, of the company name that made the request.

List of randomized hostnames, all for the same domain:

ixc9a5snm4.dnsleaktest.com
rhl50vm36o.dnsleaktest.com
4xov3y3uvc.dnsleaktest.com
2n5t99gbzp.dnsleaktest.com
6mzklkved4.dnsleaktest.com
d6z20e9c2x.dnsleaktest.com

These can be found in the following HTML (your hostnames will be different):

    <img width=0 height=0 src="https://ixc9a5snm4.dnsleaktest.com">.
    <img width=0 height=0 src="https://rhl50vm36o.dnsleaktest.com">.
    <img width=0 height=0 src="https://4xov3y3uvc.dnsleaktest.com">.
    <img width=0 height=0 src="https://2n5t99gbzp.dnsleaktest.com">.
    <img width=0 height=0 src="https://6mzklkved4.dnsleaktest.com">.
    <img width=0 height=0 src="https://d6z20e9c2x.dnsleaktest.com">.

Trey Blalock

  • That's interesting and I learned something new about DNS. Does this mean the same company that owns the website (e.g. dnsleaktest.com) must also own the name server that is queried (otherwise it's not like a random nameserver will give over the IP addresses for a given hostname look up)? Is this common for a company/website to own its own name server? – Craigxyz Jul 13 '16 at 05:48
  • Yes, own it or at least have access to incoming queries, and yes, most companies manage their own DNS too. Similar technologies are also used for tracking data theft. – Trey Blalock Jul 13 '16 at 06:00
  • Notice that it does not get the IP of our DNS provider's authoritative server (i.e. `8.8.8.8` in my case) but rather the last name server hop that sent the question to their nameserver. – Jedi Jul 13 '16 at 07:04
  • @Craigxyz while it's not that common for every domain to own its own name server, the way it works technically is that every one of them *must* have a designated server, but simply most of them choose to delegate it to someone else instead of running their own as they could. – Peteris Jul 13 '16 at 20:55


I didn't know about this. Extremely interesting. It seems to work by trying to generate connections to long random subdomains that it controls, and it can probably collate the domain resolution requests from the calling DNS server.

Fig 1: List of requests initiated by the browser that failed

Under the hood it's the standard tracking using a zero size image generator:

    <pre class="progress">Query round Progress... Servers found
        <br/>&nbsp;&nbsp;1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <img width=0 height=0 src="https://1k9oraud8h.dnsleaktest.com">.
        <img width=0 height=0 src="https://dajo0hwg9c.dnsleaktest.com">.
        <img width=0 height=0 src="https://6crg9z68gj.dnsleaktest.com">.
        <img width=0 height=0 src="https://nwitgnyo7r.dnsleaktest.com">.
        <img width=0 height=0 src="https://z3yine4a7p.dnsleaktest.com">.
        <img width=0 height=0 src="https://2tvxmp2yd5.dnsleaktest.com">.
    </pre>

Interestingly, since I have piwik (the analytics engine used) blocked by default, all the requests failed, but my DNS servers were still identified, which means that they're relying on more than just the HTTP tracker.

Adding clarification to address @Falco's question.

The images will likely fail to load for everyone, since the subdomains don't exist. Hence, the requests are never generated (invalid DNS lookup) as you can see from the screengrabs below. The only difference in my case is that they don't receive a tracking ID.

Fig 2: The domain name never resolves for any of the subdomains

Fig 3: Hence the HTTP requests are never made by the browser

Since I cannot access the backend, I'm just guessing about what happens behind the scenes. They probably have a hook on their DNS server that writes the source IP for each DNS question received into their DB (perhaps this thread also does the hostname and ISP lookup before saving the data). Notice this is a DNS question and never a materialized HTTP lookup. The only thing that the central web server has to do is to return the row corresponding to the subdomains associated with my browser.

The simplest way would be a one-to-one correspondence with the tracking ID. Normally, it sends a piwik tracking cookie with a name like pk_id and there is an extra request at the end to piwik.php with a lot of tracking details. In my case this cookie is never established and the extra hop does not take place. I see no other session identification happening; I'll look more closely at it on the weekend if the community hasn't dug in.

Jedi

  • You should emphasize the last part! This is interesting; any indication how they can find your DNS without the tracking images? – Falco Jul 13 '16 at 13:34
  • @Falco, I've edited my answer to answer your question. AFAIK the tracking images should fail for everyone (it's the DNS question that they track, not the HTTP request). – Jedi Jul 13 '16 at 14:02
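A simulation of the mechanism both answers describe (fresh random probe hostnames bound to a session, zero-pixel image tags that make the browser resolve them, an authoritative name server that records the resolver IP behind each question, and the correlation step that reports those resolvers back to the session), added here as an example; it is not the code of dnsleaktest.com or of either answerer. The class and function names, the query-log line format and the IP addresses are constructed for the example; only the zone name and the sample probe hostnames are taken from the page:

```python
"""Simulated DNS leak test: unique probe names, an authoritative server
that logs which resolver asked for each name, and the per-session report.
Added example; the names, log format and addresses are constructed."""

import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_lowercase + string.digits
ZONE = "dnsleaktest.com"  # zone from the question; any zone you control works

# Probe hostnames quoted in the accepted answer (constructed reuse for the demo).
PAGE_PROBE_NAMES = [
    "ixc9a5snm4.dnsleaktest.com",
    "rhl50vm36o.dnsleaktest.com",
    "4xov3y3uvc.dnsleaktest.com",
]

# Constructed authoritative-server query log: "<epoch> <resolver_ip> <qname> <qtype>".
# 203.0.113.53 plays the VPN provider's resolver, 198.51.100.7 the ISP resolver
# that should not be seeing these questions at all.
CONSTRUCTED_LOG = """\
1468381000 203.0.113.53 ixc9a5snm4.dnsleaktest.com A
1468381000 203.0.113.53 rhl50vm36o.dnsleaktest.com A
1468381001 198.51.100.7 4xov3y3uvc.dnsleaktest.com A
1468381001 192.0.2.99 www.dnsleaktest.com A
"""


def probe_names(count=6, zone=ZONE):
    """Generate `count` fresh 10-character labels under `zone`. Because no
    resolver has ever seen them, each lookup must travel to the zone's
    authoritative server, which is what exposes the resolver's address."""
    return [
        "".join(secrets.choice(ALPHABET) for _ in range(10)) + "." + zone
        for _ in range(count)
    ]


def probe_html(names):
    """Zero-pixel <img> tags like those on the page. The browser resolves each
    src hostname; whether the HTTP fetch succeeds afterwards is irrelevant."""
    return "\n".join(f'<img width=0 height=0 src="https://{n}">' for n in names)


class AuthoritativeServer:
    """Stand-in for the hook the second answer guesses at: for every question,
    remember which resolver IP asked for which probe name."""

    def __init__(self):
        self.name_to_session = {}
        self.seen = defaultdict(set)  # session_id -> {resolver_ip, ...}

    def register(self, session_id, names):
        for n in names:
            self.name_to_session[n.lower().rstrip(".")] = session_id

    def on_query(self, qname, resolver_ip):
        """Record the question; returns the session it belongs to, or None
        for names that are not probes (ordinary traffic is ignored)."""
        session = self.name_to_session.get(qname.lower().rstrip("."))
        if session is not None:
            # This is the egress address of the last recursive hop, not the
            # address the client configured (see Jedi's comment about 8.8.8.8).
            self.seen[session].add(resolver_ip)
        return session

    def resolvers_for(self, session_id):
        return sorted(self.seen.get(session_id, set()))


def parse_query_log(line):
    """Parse one constructed log line into (resolver_ip, qname)."""
    _ts, ip, qname, _qtype = line.split()
    return ip, qname


def leak_report(resolver_ips, expected_resolver_ips):
    """Defender's view: any resolver outside the expected set (e.g. the VPN
    provider's resolvers) means queries are escaping the tunnel."""
    leaked = sorted(set(resolver_ips) - set(expected_resolver_ips))
    return {"resolvers": sorted(resolver_ips), "leaked": leaked, "leak": bool(leaked)}


def run_leak_test(session_id, names, log_lines, expected_resolver_ips):
    """Bind probe names to a session, replay the query log, and report."""
    server = AuthoritativeServer()
    server.register(session_id, names)
    for line in log_lines:
        ip, qname = parse_query_log(line)
        server.on_query(qname, ip)
    return leak_report(server.resolvers_for(session_id), expected_resolver_ips)


if __name__ == "__main__":
    print(probe_html(probe_names(3)))
    print(run_leak_test("sess-1", PAGE_PROBE_NAMES, CONSTRUCTED_LOG.splitlines(),
                        ["203.0.113.53"]))
```

The replay shows why blocking the analytics script changes nothing: the report is built purely from questions that reached the authoritative server, and the `www.dnsleaktest.com` line is ignored because it is not a registered probe. A real deployment would key the session on something the page hands the browser (the second answer suspects the piwik cookie) and would need the probe names to be unguessable, which is why they are generated with `secrets` rather than a plain PRNG.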