What to do when an ISP intercepts NXDOMAIN requests?

3

1

I think my ISP is intercepting NXDOMAIN requests. For instance, I type http://foo.bar.baz.foobarbaz into my address bar, and I am redirected to http://wwwwe.web-help-service.net/search?qo=foo.bar.baz.foobarbaz&rn=ml4SKlzMtBy7nWK instead.

I have set my Primary DNS address to Google Public DNS (8.8.8.8), but am still getting forwarded.

How can I test to be sure that I am correct?

What can I do?

eleven81

Posted 2009-12-03T19:12:59.377

Reputation: 12 423

Answers

1

I assume you tested with a Web browser. Not a good idea because there are many functions in the typical browser which can interfere with the detection of a lying DNS resolver.

You did not indicate which operating system you use. Assuming Unix, you probably have dig installed. Test:

dig A doesnotexistatall.com

should bring back an NXDOMAIN, depending on the setup of your default DNS resolver.

dig @8.8.8.8 A doesnotexistatall.com

should also bring back NXDOMAIN and allow you to test if your access provider transparently redirects DNS requests (it should go to Google DNS).

bortzmeyer

Posted 2009-12-03T19:12:59.377

Reputation: 1 083

2

First things first, to rule out redirecting malware: if you have any other internet-capable device, change it to the same DNS provider and see if you get the same results.

If you don't, you probably have malware on your PC. If you do get the same results, it is either the DNS provider or your ISP.

I have no experience with Google Public DNS as I haven't had time to mess around with it, but set your DNS server to OpenDNS just for a moment and see if you get redirected to their service or to that address you posted originally.

If with OpenDNS you still get redirected to that one, it is likely that your ISP is redirecting people.

If you go to the OpenDNS failure page, it is probably the current DNS provider that was forwarding you to there.

Edit -

And to answer your question...

The above is how to test if it is your ISP, malware or your DNS provider.

As for what to do: if it is your DNS provider, switch; if it is malware, fix/remove it; if it is your ISP, switch!

William Hilsum

Posted 2009-12-03T19:12:59.377

Reputation: 111 572

2

+1, I also make sure to call the ISP and complain about NXDOMAIN interception. – phoebus – 2009-12-03T19:29:52.167
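The two answers above describe the same test: ask for a name that cannot exist, first through whatever resolver you are using and then directly at 8.8.8.8 (or another public resolver), and compare the replies. The script below is an added example, not code from either answer. It builds a raw DNS query, parses the reply and reports whether the resolver returned an honest NXDOMAIN (RCODE 3) or fabricated an A record for the nonexistent name. The resolver list is an assumption (only 8.8.8.8 from the question is built in; pass others on the command line), the `port` argument is there for forwarders that listen somewhere other than 53, and `build_response()` produces constructed packets (with the documentation address 198.51.100.7 as the "forged" answer) so the parsing and classification logic can be exercised without network access.

```python
import random
import socket
import struct
import sys

NXDOMAIN = 3  # RCODE value meaning "name does not exist"


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Standard recursive query (RD=1) with one question for an A record."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remember where we left off
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return the transaction id, the RCODE and the A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


def classify(parsed):
    """Interpret a reply for a name that must not exist."""
    if parsed["rcode"] == NXDOMAIN:
        return "honest NXDOMAIN"
    if parsed["rcode"] == 0 and parsed["answers"]:
        ips = ", ".join(ip for _, ip in parsed["answers"])
        return "intercepted: resolver returned %s for a nonexistent name" % ips
    return "inconclusive (rcode=%d, %d answers)" % (parsed["rcode"], len(parsed["answers"]))


def query(resolver, name, port=53, timeout=3.0):
    """Send one UDP query to `resolver` and parse the reply (needs network access)."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, port))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != qid:
        raise ValueError("reply transaction id does not match the query")
    return parsed


def build_response(qid, name, rcode, a_records=()):
    """Constructed sample reply (not a captured packet) for offline testing of the parser."""
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(a_records), 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rrs = b""
    for ip in a_records:
        # owner name is a pointer (0xC00C) to the question name at offset 12; TTL 60, RDLENGTH 4
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + rrs


if __name__ == "__main__":
    # Offline demonstration on constructed replies.
    honest = parse_response(build_response(1, "doesnotexistatall.com", NXDOMAIN))
    forged = parse_response(build_response(2, "doesnotexistatall.com", 0, ["198.51.100.7"]))
    print("constructed honest reply:", classify(honest))
    print("constructed forged reply:", classify(forged))
    # Live check: resolvers from the command line, defaulting to Google Public DNS.
    for resolver in sys.argv[1:] or ["8.8.8.8"]:
        try:
            print(resolver, "->", classify(query(resolver, "doesnotexistatall.com")))
        except OSError as exc:
            print(resolver, "-> query failed:", exc)
```

Run it with the address of your default resolver (the one in your network settings) as well as 8.8.8.8: if the public resolver returns an honest NXDOMAIN but the default one returns an address, the interception is at your resolver; if both return the same fabricated address, something between you and 8.8.8.8 is rewriting port 53 traffic, which is exactly the transparent redirect bortzmeyer's second dig command is meant to expose.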

1

Some operating systems, i.e., Microsoft Windows, maintain a DNS cache to speed up browsing. You may need to flush the cache when you change the DNS IP address(es) in your network configuration, or you may be redirected to a previously-seen ad page even after you've changed the DNS server addresses. Most 'nix systems (Unix, Linux, etc.) don't have a DNS cache, although there may be exceptions.

Phil Cooper

Posted 2009-12-03T19:12:59.377

Reputation: 11

1

When I encountered issues with this, I set up BIND to run locally within my home network. A nice feature of this is that it allowed me to have an authoritative server for all my internal IP addresses that doesn't require that I update /etc/hosts files on all my systems. Another benefit is having a caching DNS server within my home network.

I set up the main TLDs to be "type delegation-only" to avoid the DNS hijacking.

Link explaining the ISC Bind feature - https://www.isc.org/node/355

Darren Hall

Posted 2009-12-03T19:12:59.377

Reputation: 6 354

1

(Kind-of) fixed link: https://www.isc.org/software/bind/delegation-only.

– Lucas Jones – 2012-01-18T21:00:25.860

0

I would absolutely love it if Google Public DNS or OpenDNS would accept queries on a port other than 53. That will be the end of this nonsense.

Until then, try piping your DNS queries over Tor - pretty high latency though.

If you have a bandwidth-rich friend without a boneheaded ISP, you can ask them to run a DNS forwarder on some other port and use them as a DNS server.

LawrenceC

Posted 2009-12-03T19:12:59.377

Reputation: 63 487