Previously malaysian telcos already hijack dns query when we're using their default dns server, its no secret. When trying to access gov sanctioned sites like p0rn or sarawak today etc, instead of replying with correct dns record they'll route our query to mcmc block page. But now they've taken a step further by hijacking our query even when we're using either google dns or cloudflare dns.

Source 1
Source 2

I guess this is possible if we're only using the cleartext dns of both google dns and cloudflare dns ie

google dns:


cloudflare dns:


Haven't tested myself but I'm 100% sure the and are hijacked since both are the popular dns ip for google dns and cloudflare dns. Others on the list might be hijacked too depending on telco network admins.

But basically people, its high time we should stop using cleartext dns. Its unsecured and hijackable. Start using encrypted dns everywhere.

Theres plenty of them listed here. You'd want to use either the dns-over-https aka doh or dns-over-tls aka dot.

Modern system already support using those encrypted dns protocol ie android natively via setting. Should be listed as in phone setting. You should add a dns-over-tls server here, omit the from uri if you copy paste from the list above.

Ios and mac is native too via dns profile. If prefer app can use dnsecure.

Linux can natively too if install any local forwarding dns server like bind9 or dnsmasq. If prefer gui, theres technitium dns server and adguardhome.

Windows can use yoga dns server.

Ty for attending my ted talk lmao.

This post has been edited by axxer: Aug 8 2024, 11:53 AM

TIME Home Fibre (No Hijack on my side) :





Digi 4/5G (Hijacking IPV4:53 , IPV6:53 normal) :



Maxis 4/5G (Hijacking Google DNS IPV4 / IPV6 :53, other DNS server normal) :

Thanks a bunch. Now using FreeDNS via DoH.

MCMC Statment

https://x.com/Soya_Cincau/status/1821520438973116758

So, they say it's for "safety"

But the thing is

Ok, sure, feel free to block on TM/Maxis/TIME DNS

But if the user has made a conscious effort to CHANGE their DNS to CF/Google/etc
DON'T HIJACK IT BACK

For windows must install software? Can it be done in settings or something?

If windows 11, yes, can enter DNS Over HTTPS address into the DNS settings

If older, then installing YogaDNS is a good choice

Papa said don't try to climb walls. It's bad for you, your family and your kids. Pretty good advice overall.
Big brother don't want you to land in hospital je....

If you don't listen to Papa then you're a bad boy, Papa will ask police to arrest you.

change DNS in router so that any device connected will be adblock ready.

Lets go, but I think most Tplink router users wont have such luck?

I already configure two Windows 11-based laptop and a android phone of mine use DoH by default. Of course I am using Google DNS.

This post has been edited by Jjuggler: Aug 9 2024, 03:06 PM

I using tm provide router....
Got way to unblock?
The white router.....az-tech I think...

Host adguard on a pc or raspberry pi. Set upstream server to use DoT or DoH. Make the router use the adguard as main DNS.

Suprisingly, TP-Link does have DoH/DoT

But only on an extremely limited selection of models
1 AX model and a few AC models

https://community.tp-link.com/en/home/forum/topic/617138

At this rate, everyone will be using v2ray in a couple of years.

This will not slow down the internet, right?

Based on my testing using Control D, encrypted and unencrypted DNS has the same resolution time.
However, the first lookup will be much slower at 112ms vs 20ms unencrypted due to the need to establish the secure connection.

I do recommend prioritizing security over pure speed as DNS poisoning is one of the many ways to install malware on your device.

The performance penalty only happen once during connection establishment, it is not critical.

It wouldn't. Technically encrypted dns is slower than cleartext dns due to the encryption but its negligible on modern hardware you wouldn't even notice. Hell if you use adblocking dns server its faster since you wouldn't load all the ads and craps. I've been blocking ads via dns since 10+ years and vanilla internet without adblock is unuseable to me now.

Let me know if I've configured it correctly. I disabled my ipv6. Thus, I didn't include the ipv6 address. Thanks.

Based on my nmap scan, the domain should be:
dns.adguard.com
EDIT:
If you connect without SNI it will serve you certificate with dns.adguard.com.
With SNI it will serve certificate with dns.adguard-dns.com.
So both works.

Prevent client auto DoH must be set to off. Otherwise Encrypted Client Hello won't work. You want ECH to work on a highly censored network because it prevent the censor from snooping on your SNI.

Unknown:
Did anyone actually MITM or pen test this thing? Given the recent development of TM where they MITM DoH and DoT, the router must absolutely verify the certificate properly.
On Mikrotik, none of this is done!

This post has been edited by kwss: Aug 9 2024, 09:41 PM