0

I am using an Indian ISP, one that is notorious for DNS hijacking and script injection (BSNL). I have my router set to use Cloudflare's Family DNS. But despite this, every time I attempt to access a website that I have not accessed recently, my ISP intercepts the first request and I get diverted to an ad from the ISP. Reloading the page will result in it going through.

As far as I can understand, what is happening is that the DNS results for websites I haven't accessed recently will not be cached, and hence the ISP is intercepting the DNS request and diverting it to the ad. But how are they able to do this when the DNS request should be going to Cloudflare and not to them?

ShankarG
  • Does this answer your question? [Does changing DNS help prevent MITM on ISP level?](https://security.stackexchange.com/questions/213847/does-changing-dns-help-prevent-mitm-on-isp-level), [Manual DNS change](https://security.stackexchange.com/questions/40761/manual-dns-change). – Steffen Ullrich Nov 22 '21 at 07:00
  • Actually that question relates to an MITM attack on HTTPS connections. So not sure the answers are much help, since this is not an MITM attack on HTTPS, just a diversion of DNS requests. – ShankarG Nov 23 '21 at 07:41
  • The answers to the questions I've linked to cover the topic you ask. To cite from one *"ISP redirect any outgoing traffic to port 53 (DNS) to their own DNS server. This is done so that the ISP's DNS server with the implemented blacklists is enforced __even if the user has configured its own custom DNS server__. This is a bit more expensive but still scales well. But it also has the same problems for large-scale MITM. It can be worked around by using DNS over HTTPS (DoH)."* – Steffen Ullrich Nov 23 '21 at 07:44
  • Ok that makes sense, but an average user of this site may not realise that that answer applies to this situation (I didn't :) )? Also, as noted in my comment on the answer below, DoH does not seem to address the diversion - so maybe it is being done through some other method? – ShankarG Nov 23 '21 at 10:44
  • *"so maybe it is being done through some other method?"* - please see the question and answers I referenced since other methods are addressed there too. – Steffen Ullrich Nov 23 '21 at 11:42

1 Answer

2

It happens because DNS is not an encrypted protocol. The ISP detects the DNS request and spoofs the DNS answer. Try to use DNS-over-HTTPS and/or DNS-over-TLS to avoid this problem.

askar
  • "DNS over TLS" is defined and called DoT, which is different from but similar to DNS over HTTPS, called DoH. However "DNS over SSL" does not exist since SSL is a protocol that has been dead for more than 20 years now (replaced by TLS). No one should use the term "SSL" anymore in any context. – Patrick Mevzek Nov 22 '21 at 14:39
  • I thought this might be the case, but this doesn't seem to help. When I enable DNS over HTTPS within Firefox (my router is not capable of it at present), the diversion still happens. – ShankarG Nov 23 '21 at 07:43
  • @ShankarG try to block dst port 80/tcp and 53/udp on a router, maybe some program tries to connect using HTTP. For example, Windows uses http://www.msftncsi.com/ncsi.txt website to check the internet connection. – askar Nov 23 '21 at 10:47
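The answer above says the ISP "spoofs the DNS answer", and the comment under the question explains the usual mechanism: all outgoing UDP/53 traffic is transparently redirected to the ISP's own resolver, whatever resolver address the router is configured with. The script below is an added example, not code from the asker or from the answerer, that shows why the client cannot tell the two cases apart from the packets alone and how to detect the interception anyway. It builds a raw A query, constructs two well-formed replies to it (one with the site's real address, one pointing at an ad server; both addresses are made-up values from the RFC 5737 documentation ranges), parses them, and flags the reply whose addresses disagree with a reference answer obtained over an independent channel such as DoH. The name `example.com`, the transaction id `0x1234` and the use of `1.1.1.3` as Cloudflare's family resolver are assumptions made for the example; only the standard library is used.

```python
# Added example (not from the original post): a transparent port-53
# interceptor returns a perfectly well-formed answer; only comparing it with an
# answer from an independent channel (for instance DoH) exposes the hijack.
import socket
import struct

# Constructed addresses from the RFC 5737 documentation ranges (assumptions):
REAL_ADDR = "198.51.100.7"   # the site's genuine A record
AD_SERVER = "203.0.113.10"   # where an intercepting ISP resolver points you


def encode_name(name: str) -> bytes:
    """'example.com' -> wire-format labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query with the RD bit set (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply: echo the query's id and question, add one A record.

    This is exactly what an in-path interceptor can do, because it has seen
    the query: id, question and flags all look legitimate to the client.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)  # name = pointer to offset 12
    return header + question + rr + socket.inet_aton(addr)


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes):
    """Return (txid, [IPv4 addresses in the answer section])."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4                        # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, addrs


def check_interception(query: bytes, plain_resp: bytes, reference_addrs) -> dict:
    """Compare a UDP/53 answer with addresses learned over an independent channel.

    The txid (and the question) match in both the genuine and the injected
    case, so only the comparison with the reference answer exposes the hijack.
    """
    txid, addrs = parse_a_records(plain_resp)
    return {
        "txid_matches": txid == struct.unpack("!H", query[:2])[0],
        "addrs": addrs,
        "intercepted": not set(addrs) <= set(reference_addrs),
    }


def query_udp(name: str, server: str = "1.1.1.3", timeout: float = 3.0) -> bytes:
    """Live path (not exercised offline): send the query on plain UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    q = build_query("example.com")
    genuine = build_answer(q, REAL_ADDR)      # constructed: what the real resolver returns
    injected = build_answer(q, AD_SERVER)     # constructed: what the ISP's box returns
    for label, resp in (("genuine", genuine), ("injected", injected)):
        print(label, check_interception(q, resp, {REAL_ADDR}))
```

Run as-is it prints that both replies carry the right transaction id and that only the second one is flagged. For a live check, feed the bytes from `query_udp("example.com")` into `check_interception` together with the addresses returned by your DoH client for the same name; because a transparent redirect also rewrites the source address of the reply to the resolver you asked for, neither the txid nor the sender address will reveal it, which is why the only reliable fixes are an encrypted channel (DoT or DoH) that the port-53 redirect cannot answer, or this kind of out-of-band comparison.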