Why does Google DNS give the wrong name server for these adult domains?

2

This is a continuation of question How to track which DNS my computer is using

My ISP, following government orders, blocks adult sites. Usually it's easy to penetrate the blocking. Just use Google's name server. Recently the method doesn't work anymore.

So I used nslookup.

This is what I got

C:\Users\TOSHIBA>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> pornhub.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    pornhub.com
Address:  202.73.99.3

> adultfriendfinder.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    adultfriendfinder.com
Address:  202.73.99.3

The default server is clearly 8.8.8.8.

Yet both adultfriendfinder.com and pornhub.com have a 202.73.99.3 address.

What's going on?

Does google DNS comply with my stupid country's legislation?

I do not think adultfriendfinder.com is hosted at 202.73.99.3

Just to make sure, I go to dnsdigger.

Look

https://www.dnsdigger.com/hostcollision.php?host=adultfriendfinder.com&token=732cc94b465c112e505835e7ac21e6713d0186d4

user4951

Posted 2015-01-30T23:04:15.217

Reputation: 3 015

2 It's quite easy for your ISP to intercept DNS traffic to Google and reply instead. – user2313067 – 2015-01-30T23:43:05.843

If that IP address is not in fact valid, you should specifically mention it. In general, there's nothing unusual about two different domain names having the same IP address. – kreemoweet – 2015-01-31T03:16:29.040

Yea, and all porn domains have the same IP addresses. Can you confirm that it's fake? I think it's fake. – user4951 – 2015-01-31T10:35:08.610

202.73.99.3 appears to be a redirect page for First Media for banned sites so yes, "fake". BTW looking at this as a not-entirely-clueless outsider the people who set this up do not appear to be "at the top of their game". – davidgo – 2015-01-31T11:13:32.770

Another IP you might find interesting is 31.192.117.132. From what I've googled, this seems more likely to be an ISP level block, rather than Google being co-opted. – davidgo – 2015-01-31T11:19:11.053

Answers

2

Try doing the same test with multiple DNS servers.
If they are all giving you the wrong IP, then what is likely happening is that your ISP is manipulating your DNS traffic to 8.8.8.8.
You can get around this with software like dnscrypt (https://www.opendns.com/about/innovations/dnscrypt/) and dnssec (find an addon for your browser of choice).

ninjarai4

Posted 2015-01-30T23:04:15.217

Reputation: 58
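
The multi-resolver comparison suggested in this answer, as an added example that is not part of the original answer or thread: it parses Windows `nslookup` output like the transcript in the question and reports whether one address comes back for several unrelated names from one resolver or from all of them. The function names, the `.example` domains and the documentation-range answers are assumptions made for the illustration.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_nslookup(text):
    """Return {(resolver, domain): [IPv4 answers]} from Windows nslookup output."""
    answers, resolver, key, state = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Server:"):
            state = "server"
        elif state == "server" and line.startswith("Address"):
            resolver, state = line.split(":", 1)[1].strip(), None
        elif line.startswith("Name:"):
            key = (resolver, line.split(":", 1)[1].strip().lower())
            answers[key], state = [], "name"
        elif state == "name" and line:
            answers[key].extend(IPV4.findall(line))  # Address(es) and continuation lines
        elif not line:
            state = None
    return answers

def shared_answers(answers, min_domains=2):
    """Map each IP to the resolvers that returned it for >= min_domains names."""
    seen = {}  # ip -> resolver -> set of domains
    for (resolver, domain), ips in answers.items():
        for ip in ips:
            seen.setdefault(ip, {}).setdefault(resolver, set()).add(domain)
    hits = {ip: sorted(r for r, d in by.items() if len(d) >= min_domains)
            for ip, by in seen.items()}
    return {ip: h for ip, h in hits.items() if h}

def assess(answers):
    """Say whether the substitute answer follows you across resolvers."""
    resolvers = {r for r, _ in answers}
    flagged = shared_answers(answers)
    if not flagged:
        return "no shared answer"
    if len(resolvers) > 1 and any(set(h) == resolvers for h in flagged.values()):
        return "every resolver: port 53 traffic is probably intercepted"
    return "only via " + ", ".join(sorted({r for h in flagged.values() for r in h}))

# Constructed sample. 202.73.99.3, 8.8.8.8 and 209.244.0.3 come from the thread;
# the .example names and 192.0.2.x / 198.51.100.x answers are placeholders.
ROWS = [("8.8.8.8", "site-a.example", "202.73.99.3"),
        ("8.8.8.8", "site-b.example", "202.73.99.3"),
        ("209.244.0.3", "site-a.example", "192.0.2.10"),
        ("209.244.0.3", "site-b.example", "198.51.100.20")]
SAMPLE = "".join(f"Server:  resolver.example\nAddress:  {r}\n\nName:    {d}\nAddress:  {ip}\n\n"
                 for r, d, ip in ROWS)
print(assess(parse_nslookup(SAMPLE)))  # only via 8.8.8.8
```

Names hosted on the same server or CDN legitimately share an address, so feed it names with no hosting relationship. An "only via" result cannot by itself distinguish filtering at that resolver from interception of traffic addressed to it.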

2

DNS queries and responses are not authenticated or encrypted, so you can't know for certain whether the request you sent out was modified, or whether the response you got back was modified. Your ISP can potentially change them on the fly without you knowing.

If you want to get unmodified responses, you can use a web-based DNS tool behind https. Here's one tool

Alex

Posted 2015-01-30T23:04:15.217

Reputation: 824

1

It is probably a bit difficult to answer - I should point out to you that 8.8.8.8 will answer differently depending on where you are - i.e. it may be routed to a different set of servers. If Google is in your country they are most likely filtering the queries in line with dictates from the government.

The alternative explanation - which is at least equally likely - is that your ISP is intercepting all outbound requests on port 53 and redirecting these through their nameservers which are doing the blocking.

The easiest way to do this might be to find an obscure recursive nameserver and set your system to use that. Unfortunately that's not a good idea because nameservers should generally not answer for IP ranges they are not familiar with as they can be used for DoS attacks. This makes it pretty hard to do unless you can work with someone outside your country.

You can try the following to work around the blockage:

  1. Use a VPN.
  2. Use a proxy service.
  3. Use TOR.
  4. Use a hosts file (but this will limit your flexibility).

Note that doing any of the above may be illegal in your country depending on the laws. From a technical point of view using a VPN or TOR are safer options as encryption between yourself and the "break out point" of the VPN or tor exit node makes it very difficult to see where you are going, while on the other hand the IP address (and possibly payload) will still be present if you use a proxy service or hosts file.

I've not used it, but you may also be able to get a browser plugin to bypass this - Googling discovered Hola and Proxmate. Again, probably not as safe as using a VPN.

davidgo

Posted 2015-01-30T23:04:15.217

Reputation: 49 152

To hell with the law. I'll check host files. Now I wonder how do I know the real IP address of adultfriendfinder.com – user4951 – 2015-01-31T10:36:32.887

You might want to consider the hassles related to you being put on secret watchlists and/or being stomped on for breaking the law if caught - using a VPN is good insurance. You might find the IP address 208.88.180.72 interesting. Also, http://mxtoolbox.com/DNSLookup.aspx for other domain lookups. – davidgo – 2015-01-31T11:04:49.807

0

I do not know the answer for sure. It seems that Google open DNS is compromised. Perhaps Google kowtows to my country's legislation. That seems to be my theory for now. However, Google DNS works for another ISP.

In any case, I change the DNS I use to:

209.244.0.3

And things are working fine.

user4951

Posted 2015-01-30T23:04:15.217

Reputation: 3 015