Running "nslookup google.com 8.8.8.8" yields IPs of my ISP (as Non-authoritative answer). I think this started occurring recently. Probably they are making a cache or something, as the nearest Google data center is quite far away.
First of all, how is that even possible? I thought the worst they could do is block me from sending a DNS request to 8.8.8.8 (say by blocking remote port 53), but how can they trick 8.8.8.8 from sending me a correct address?
Second, how can I bypass this, if at all?
Thanks
EDIT:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\asdf>nslookup google.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4017:801::1006
212.199.205.232 212.199.205.242 212.199.205.222 212.199.205.237 212.199.205.231 212.199.205.241 212.199.205.212 212.199.205.227 212.199.205.247 212.199.205.246 212.199.205.251 212.199.205.221 212.199.205.217 212.199.205.236 212.199.205.226 212.199.205.216
C:\Users\asdf>
And using DNSCrypt (with and without option of DNSCrypt over port 443):
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\asdf>nslookup google.com
1.0.0.127.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial = 1
refresh = 600 (10 mins)
retry = 1200 (20 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)
Server: UnKnown
Address: 127.0.0.1
Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4017:800::1008 212.199.205.242 212.199.205.247 212.199.205.237 212.199.205.232 212.199.205.231 212.199.205.226 212.199.205.217 212.199.205.212 212.199.205.227 212.199.205.241 212.199.205.236 212.199.205.246 212.199.205.216 212.199.205.251 212.199.205.221 212.199.205.222
C:\Users\asdf>
Formatting is a bit off, sorry about that.
What IPs is it returning? It's actually quite trivial for an ISP to intercept the connection to 8.8.8.8 (or any non-encrypted connection) and inject whatever data they want; however, that kind of hijacking would be suicide for an ISP's reputation. – Darth Android – 2013-08-07T21:48:46.253
It returns some of the ISP addresses, the exact IP is not really relevant I guess. This is not the US or Western Europe btw, so the ISP can do whatever they want without anyone even noticing something is wrong. – ctlaltdefeat – 2013-08-07T21:58:46.810
If you remind me how to copy the contents of CMD on Windows, I'll paste the results. – ctlaltdefeat – 2013-08-07T21:59:20.030
So you're also saying that if you go to google.com, it redirects to one of the IPs you get returned in your nslookup? All systems? One system? This could easily be a trojan or virus which is redirecting – ernie – 2013-08-07T22:00:59.780
http://whois.net/ip-address-lookup/212.199.219.251 – ctlaltdefeat – 2013-08-07T22:02:06.343
One of the addresses I get, and it's registered to my ISP. I also somehow doubt this trojan would be serving me HD youtube videos from this address (probably acting as a cache). :P – ctlaltdefeat – 2013-08-07T22:02:44.813
“remind me how to copy the contents of CMD” –– If you have Quick Edit enabled, just select as you would in any other program, and right-click to copy. Otherwise, right click -> “Mark”, then select, and (I believe) if you type (Enter) it will copy. – Scott – 2013-08-07T22:15:33.507
Are you sure those aren't real IPs of Google's machines that are co-located near your ISP (or even in your ISP itself if the ISP is a bigger one)? – Scott Chamberlain – 2013-08-07T22:37:17.620
Hmm, no I'm not sure. I just tried to nslookup from a third party EU service, www.ping.eu. Also there, it resolved to some IP that doesn't appear to belong to Google. I guess some of these IPs may indeed belong to Google. I was just expecting them to be from Google's known ranges of IPs – ctlaltdefeat – 2013-08-07T22:39:17.497
@ctlaltdefeat Like many things, it started happening when someone realized they could use it for their advantage, and nobody made any noise about the issue. – Darth Android – 2013-08-07T22:59:14.377
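An added example, not part of the thread: a small check for the comparison discussed above, which pulls the answer addresses out of `nslookup` output and separates those inside an operator's announced ranges from the rest, grouped by block. `GOOGLE_PREFIXES` is an assumed, illustrative subset (a current published list should be loaded instead), and the sample is shortened from the output in the question. An address outside the table is a prompt for a whois lookup, not proof of interception, since co-located cache nodes sit in ISP address space.

```python
import ipaddress
import re

# Assumption: small illustrative subset of ranges announced by Google.
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2a00:1450::/32", "74.125.0.0/16", "172.217.0.0/16",
    "173.194.0.0/16", "216.58.192.0/19", "142.250.0.0/15",
)]

# Shortened from the nslookup output posted in the question.
SAMPLE = """Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4017:801::1006
212.199.205.232 212.199.205.242 212.199.205.222
"""

def answer_addresses(nslookup_output):
    """Addresses after the 'Name:' line; the Server/Address header is skipped."""
    _, _, answer = nslookup_output.partition("Name:")
    found = []
    for token in re.split(r"[\s,]+", answer):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # hostnames, labels, prompts
    return found

def classify(addresses, known=GOOGLE_PREFIXES):
    """Split addresses into those inside `known` and the rest, grouped by block."""
    report = {"known": [], "other": {}}
    for addr in addresses:
        if any(addr in net for net in known):
            report["known"].append(str(addr))
        else:
            # Group by /24 (IPv4) or /48 (IPv6) so clustering is visible.
            width = 24 if addr.version == 4 else 48
            block = ipaddress.ip_network(f"{addr}/{width}", strict=False)
            report["other"].setdefault(str(block), []).append(str(addr))
    return report

if __name__ == "__main__":
    result = classify(answer_addresses(SAMPLE))
    print("inside known ranges:", result["known"])
    for block, members in result["other"].items():
        print(f"outside known ranges, {block}: {len(members)} address(es)")
```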