
 Time and Maxis started to hijack dns query

TSaxxer
post Aug 8 2024, 11:35 AM, updated 2y ago

Banned
******
Validating
1,822 posts

Joined: Jul 2010
From: Yesterday, 01:25 AM
Previously Malaysian telcos already hijacked dns queries when we're using their default dns server; it's no secret. When trying to access gov-sanctioned sites like p0rn or Sarawak Today etc, instead of replying with the correct dns record they'll route our query to the MCMC block page. But now they've taken a step further by hijacking our query even when we're using either Google dns or Cloudflare dns.

Source 1
Source 2

I guess this is possible if we're only using the cleartext dns of both Google dns and Cloudflare dns, ie

google dns:
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

cloudflare dns:
1.1.1.1
1.0.0.1
1.1.1.2
1.0.0.2
1.1.1.3
1.0.0.3
2606:4700:4700::1111
2606:4700:4700::1001
2606:4700:4700::1112
2606:4700:4700::1002
2606:4700:4700::1113
2606:4700:4700::1003

Haven't tested myself but I'm 100% sure 8.8.8.8 and 1.1.1.1 are hijacked since both are the popular dns IPs for Google dns and Cloudflare dns. Others on the list might be hijacked too depending on the telco network admins.

But basically people, it's high time we stopped using cleartext dns. It's unsecured and hijackable. Start using encrypted dns everywhere.

There's plenty of them listed here. You'd want to use either dns-over-https aka DoH or dns-over-tls aka DoT.

Modern systems already support using those encrypted dns protocols, ie Android natively via settings. It should be listed as "Private DNS" in the phone settings. You should add a dns-over-tls server here; omit the tls:// from the URI if you copy-paste from the list above.

iOS and Mac are native too via dns profile. If you prefer an app, you can use DNSecure.

Linux can natively too if you install any local forwarding dns server like bind9 or dnsmasq. If you prefer a GUI, there's Technitium DNS Server and AdGuardHome.

Windows can use YogaDNS.

Ty for attending my ted talk lmao.

This post has been edited by axxer: Aug 8 2024, 11:53 AM
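The post above recommends DoT (port 853) and DoH (port 443) over cleartext port 53 but does not show what that looks like on the wire. The block below is an added illustration written for this thread, not code from the post or from any of the providers it lists: a minimal DNS wire-format encoder/decoder, with a DoT transport (RFC 7858: the TCP two-byte length prefix inside a verified TLS session) and a DoH transport (RFC 8484: the same message POSTed as application/dns-message). The resolver address, TLS name and DoH URL are whatever the caller passes in; the 1.1.1.1 / cloudflare-dns.com values mentioned in the usage note are assumed from the post's own list and from the public Cloudflare DoH endpoint, not something the code depends on.

```python
"""Minimal DNS wire-format helpers plus DoT (RFC 7858) and DoH (RFC 8484) transports.

Added illustration for the thread, not code from the post. The resolver
address, TLS name and DoH URL are supplied by the caller (assumptions).
"""
import socket
import ssl
import struct
import urllib.request

A, AAAA = 1, 28  # record types we decode


def build_query(name, qtype=A, txid=0x1234):
    """Encode one standard query (RD=1, class IN) for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg):
    """Return (txid, rcode, [(name, type, address, ttl), ...]) for A/AAAA answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A and rdlen == 4:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == AAAA and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return txid, flags & 0xF, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_dot(server_ip, tls_name, name, qtype=A):
    """Resolve `name` over DNS-over-TLS on port 853.

    The default SSL context verifies the server certificate against `tls_name`,
    so an on-path box presenting a substituted certificate makes the handshake
    raise ssl.SSLCertVerificationError rather than hand back a forged answer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_tcp(build_query(name, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


def query_doh(url, name, qtype=A):
    """Resolve `name` over DNS-over-HTTPS: the same wire message, POSTed on 443."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())
```

Usage is `query_dot("1.1.1.1", "cloudflare-dns.com", "example.com")` or `query_doh("https://cloudflare-dns.com/dns-query", "example.com")`; both return the transaction id, the rcode and the decoded A/AAAA records. Because `query_dot` keeps certificate verification on, a resolver whose certificate has been swapped by an intermediary fails loudly at the TLS handshake, which is the behaviour you want from an encrypted-DNS client.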
TSaxxer
post Aug 9 2024, 08:29 PM

QUOTE(laihuhng @ Aug 9 2024, 06:45 PM)
This will not slow down the internet, right?
*
It wouldn't. Technically encrypted dns is slower than cleartext dns due to the encryption but it's negligible on modern hardware; you wouldn't even notice. Hell, if you use an adblocking dns server it's faster since you wouldn't load all the ads and crap. I've been blocking ads via dns for 10+ years and vanilla internet without adblock is unusable to me now.
TSaxxer
post Aug 13 2024, 12:13 AM

QUOTE(Alpha_Tay @ Aug 12 2024, 11:06 PM)
Cloudflare WARP work?
*
It should. Cloudflare WARP is DoH. Cloudflare WARP+ is VPN+DoH.
TSaxxer
post Aug 16 2024, 05:37 AM

QUOTE(heLL_bOy @ Aug 15 2024, 10:32 PM)
All this is just a temporary bypass; if the government wanted to enforce their rules, even if you are using DoH or DoT access will also be blocked.
*
No lol. While DoT is trivial to block since it uses port 853, which literally only it uses, DoH uses port 443. Might as well block the entire net by blocking port 443. They can still block the endpoint, blocking the popular DoH server endpoints from resolving, but then ppl will just spawn their own private endpoint with their own custom domain. I've been self-hosting my own private endpoint via AdGuardHome for a few years already.

This post has been edited by axxer: Aug 16 2024, 05:37 AM
TSaxxer
post Aug 16 2024, 11:30 AM

QUOTE(haya @ Aug 16 2024, 07:17 AM)
Until they decide to (BGP) blackhole entire swaths of platforms.

That's what (some ISPs in) Indonesia do. Eg. Reddit is blocked in Indonesia. Even if you can resolve the correct IP address for Reddit, they will block all connection attempts to Reddit's IP addresses.

Sure you can say VPN. But it isn't too long until the next step is China, where they will block most commercial VPN providers, and detect OpenVPN/WireGuard/IKEv2/IPsec/L2TP/IPsec/PPTP protocols to hunt down who is using VPNs.

No need to compare Malaysia with the China GFW: if Indonesia can do it, what is to say Malaysia can't?
*
No other country will deploy the China GFW if that's your concern. That thing gobbles up $$ to maintain which MY doesn't have. Even the Indo block is still kids' play to evade. Hell, there's dedicated ppl still playing the cat and mouse game with the China GFW till this day with v2ray, xray etc.
TSaxxer
post Aug 16 2024, 11:55 AM

QUOTE(haya @ Aug 16 2024, 11:42 AM)
It doesn't have to be China-level GFW, but there is a lot that can happen between DNS53 hijacking and GFW for internet censorship.

It's a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysian Insider their traffic dried up and it died from lack of ad revenue (amongst other reasons). A similar thing happened with MalaysiaNow.

Despite the fact it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand DoH/DoT, much less roll their own DNS server for USD $0.60 per month.
*
For the site operators themselves, of course they'll get the short end of the stick. We're talking about the end user perspective here. If the time comes ppl will learn. Maybe not all makcik and pakcik but some would. VPN, Tor is still the easiest solution if it's not GFW, which is close to impossible to happen. Doesn't even need to learn Linux CLI and stuff. Install client, pay if it's a paid service, connect.
TSaxxer
post Aug 16 2024, 01:04 PM

QUOTE(kwss @ Aug 16 2024, 12:48 PM)
One thing I want to mention is never underestimate the censor. Look at countries that are poor yet they can throw a lot of money into building nuclear bombs and rockets. All it takes is one guy to come into power.

As for plaintext DNS traffic, my personal opinion is that we should all just kill it. Not just for the sake of anti-censorship, but for the sake of your personal security.

It is the same as killing plaintext HTTP and anything less than TLS v1.2. Merely moving to HTTPS/3 aka QUIC will increase the difficulty for the censor to snoop your SNI, even without Encrypted Client Hello.

Increasing your network security should be the ultimate goal.
*
In a perfect world yes, we all should stop using unencrypted protocols. But http and plaintext dns are still alive and kicking for backward compatibility. Many routers still only support legacy plaintext dns.

But at least on modern Android, Private DNS should activate by default, though, after first-time boot and after a reset, using Google dns.
TSaxxer
post Aug 16 2024, 02:37 PM

QUOTE(Anime4000 @ Aug 16 2024, 02:04 PM)
If hosting my own BIND9 and connecting to the root servers, is this method also being poisoned?

I'm wondering whether Malaysia is blocking the root servers to prevent hosting your own BIND9 at home
*
Hosting bind9 on a Malaysian network and xafr ICANN root servers will be a problem since the ICANN root servers only support plaintext port 53. They can theoretically poison the queries to the root servers themselves.
TSaxxer
post Aug 16 2024, 07:57 PM

QUOTE(heLL_bOy @ Aug 16 2024, 05:07 PM)
If Google or Cloudflare don't comply with government rules they can block 853 or 443 directly or blackhole the DNS server directly. Even if you are using private hosting on a Malaysian ISP or cloud service provider you will also be targeted.

But I don't think this will happen because both companies have business with organisations in Malaysia.

I don't think it's a big fuss, they're not targeting social media blocks.
*
Google and Cloudflare are too big for the gov to outright block them. At most both will comply with gov orders. If I'm not mistaken CF already complied with a France order to poison queries to Eurocup pirate sites earlier https://torrentfreak.com/google-cloudflare-...vention-240613/

I stopped using CF, Google and other big dns providers for upstream knowing they'll comply with gov and entertainment industry requests. I want my queries to be vanilla, as the site owner intended. For malware, viruses etc I manage my own blocklist on AdGuardHome, no need for a dns provider to decide for me.
TSaxxer
post Sep 6 2024, 04:01 AM

QUOTE(emy_xvidia @ Sep 6 2024, 01:24 AM)
Got a few downtimes setting up DoT for Quad9 on my router recently.

Seriously we need to speak up against these excessive control over what the public wants to see and view.
*
Those popular dns providers aren't that reliable when it comes to this kind of block/hijack since the telco can also block the IPs of their dns endpoints. Use a smaller dns provider that flies under the radar. Cloudflare, Google, Quad9 are too big, too popular, basically mainstream already. Smaller providers wouldn't have as many PoPs for anycast like the big guys, might be a few ms slower, but at least they work reliably without intermittent downtime.
TSaxxer
post Sep 6 2024, 10:30 PM

Welp, it's not a mere plaintext dns hijack anymore, TM started to https SNI MITM and replace the endpoint cert with their bogus cert for Google and Cloudflare. A dangerous precedent if they could just happy-go-lucky MITM port 443 and redirect to whatever crap they deem necessary and MITM-replace the endpoint cert with their crap. Lucky most modern browsers will whine about a bogus cert in this type of shenanigan.

TSaxxer
post Sep 6 2024, 10:55 PM

What these morons didn't know is that some Android phones will auto-set the Private DNS setting to "Automatic"; it'll be using dns.google by default. Not sure whether there's a fallback or not, but if there isn't, in this situation the whole phone's internet will be down since system-wide dns is failing, since it's not trusting the bogus cert it got.

Being a telco CS these upcoming few days should be fun, dealing with cursing users angry about their downed internet. Talk about doing stupid shit without further thinking 🤦🤦

This post has been edited by axxer: Sep 6 2024, 10:56 PM
TSaxxer
post Sep 7 2024, 12:51 PM

QUOTE(Sam Leong @ Sep 7 2024, 10:21 AM)
Digi seems to have messed up the DNS configuration, causing all the services to be dead
Server:  UnKnown
Address:  192.168.251.221

Name:    youtube.com
Address:  175.139.142.25

Server:  UnKnown
Address:  192.168.251.221

Name:    google.com
Address:  175.139.142.25
*
Yep, they just posted on FB that it's fixed now, but their network has been down since early morning. Either totally down or intermittently slow. I guess they're still A/B testing this hijack shit and only deployed it on some DCs since it's not a countrywide problem. Many Grab, Foodpanda riders are furious and venting there lol

I bet the problem is really this dns hijack shenanigan, and their fix is to disable it. Come on other telcos, deploy countrywide, to both residential and business users, don't be scared, just A/B testing, be down too today and tomorrow and see the outcome of this shenanigan.
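The nslookup output quoted above shows the tell-tale shape of a redirecting resolver: two unrelated names (youtube.com and google.com) both answered with the same address. The block below is an added illustration for this thread, not code from the post or from any ISP or vendor: it parses nslookup-style text, flags answer addresses shared by unrelated domains, and compares each answer against a reference map of what a trusted encrypted resolver returned out of band. The sample text is a constructed copy of the pattern in the quote, and the reference addresses are made-up placeholders (documentation-range IPs), not the real addresses of those sites.

```python
"""Spot resolver hijacking/redirection in nslookup-style output.

Added illustration for the thread, not code from the post. SAMPLE_NSLOOKUP is
a constructed copy of the pattern in the quoted post; REFERENCE holds
placeholder addresses standing in for answers obtained over DoT/DoH.
"""
from collections import defaultdict

# Constructed sample in the shape printed by Windows nslookup.
SAMPLE_NSLOOKUP = """\
Server:  UnKnown
Address:  192.168.251.221

Name:    youtube.com
Address:  175.139.142.25

Server:  UnKnown
Address:  192.168.251.221

Name:    google.com
Address:  175.139.142.25
"""

# Constructed placeholder reference answers (documentation range, not the
# sites' real addresses); in practice fill this from a verified DoT/DoH query.
REFERENCE = {"youtube.com": {"203.0.113.10"}, "google.com": {"203.0.113.20"}}


def parse_nslookup(text):
    """Return [(server, name, address)] for each answer.

    The 'Address:' line directly after 'Server:' is the resolver itself and is
    not an answer, so `name` is reset whenever a new 'Server:' line appears.
    Indented continuation lines of multi-address answers carry no 'key:' and
    are skipped, which is enough for the single-answer pattern discussed."""
    records, server, name = [], None, None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            server, name = value, None
        elif key == "name":
            name = value
        elif key in ("address", "addresses") and name is not None and value:
            records.append((server, name, value))
    return records


def registrable_name(fqdn):
    """Crude eTLD+1 (last two labels): merges www.example.com with example.com
    so a site's own hosts are not counted as 'unrelated' domains."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shared_answers(records, min_domains=2):
    """Addresses that several unrelated domains all resolve to: the signature
    of a resolver steering everything to one block/redirect page."""
    by_addr = defaultdict(set)
    for _, name, addr in records:
        by_addr[addr].add(registrable_name(name))
    return {addr: sorted(doms) for addr, doms in by_addr.items()
            if len(doms) >= min_domains}


def disagreements(records, reference):
    """Answers not present in `reference` (name -> set of addresses obtained
    over an encrypted transport). Names absent from the reference are skipped."""
    out = []
    for _, name, addr in records:
        expected = reference.get(name.rstrip(".").lower())
        if expected is not None and addr not in expected:
            out.append((name, addr, sorted(expected)))
    return out


def report(text, reference):
    """One-call summary: shared sink addresses plus per-name mismatches."""
    records = parse_nslookup(text)
    return {"shared": shared_answers(records),
            "mismatched": disagreements(records, reference)}
```

On the constructed sample, `report(SAMPLE_NSLOOKUP, REFERENCE)` reports 175.139.142.25 as a shared answer for google.com and youtube.com and lists both names as mismatching the reference; on output where each name resolves to its reference address, both lists are empty. The shared-address heuristic needs no reference at all, which makes it a quick first check on any resolver you have not chosen yourself.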
TSaxxer
post Sep 7 2024, 04:01 PM

QUOTE(jasontanky @ Sep 7 2024, 03:28 PM)
DNS Hijacking (Redirection) implementation

DNS over plaintext completely banned, DoT and DoH not affected
Celcom: Blocks port 53 completely except to its own DNS servers
Digi: Redirects all port 53 traffic to its own DNS servers

DNS over plaintext partially banned, DoT and DoH not affected
Maxis: Redirects port 53 of well-known DNS IPs to its DNS servers. Less well-known ones still work fine

DNS of all types partially banned
Unifi: DNS of mainstream providers (CF, Google, OpenDNS, AdGuard, etc) got banned, including DoT and DoH. Less well-known ones are still able to be used, even in plaintext mode

Please correct if anything is wrong
*
My Unifi still works with DoH and DoT even on popular dns providers. Currently one of my laptops is connected to CF DoT to see when it will lose connection. Still hasn't happened yet. I'm in the east coast so the nearest DC should be either Kuantan or Kota Bharu. My guess is they're still A/B testing this shit, might be enabled first on busy ones like JB and KL, hence why we heard multiple discrepant reports on what works and what doesn't. Weird though if they start testing on busy DCs, not on less congested ones like here in the east coast. Might as well enable countrywide and see all hell break loose.
TSaxxer
post Sep 8 2024, 12:33 PM

That's one for the win! So no more testing period till the end of the month and force-enable on the 30th?

Yesterday's intermittent downtime and sluggishness on some telco networks did kick some sense into them. It's like even the whole collective of Malaysian telcos doesn't have enough competent network admins to predict the whole shenanigan's outcome, just YOLO following the Fahmi/MCMC directive. Baffled.
TSaxxer
post Sep 8 2024, 01:42 PM

QUOTE(glorious @ Sep 8 2024, 01:19 PM)
I don't understand the trash technical people that are using DoH/DoT everywhere; they should worry more about being surveilled by Microsoft/Google/Cloudflare on their devices/operating systems/dns servers than worry about the intermediary link (secure dns connection) that only amateurs and trash technical professionals like themselves would bother to snoop on with limited ability
*
So you're posting here using a self-managed ISP, registered under your own ASN, BGP routed via a server in your own basement, connected via sea cables you laid yourself? Participating in the modern internet does need some trust somewhere. And some people do trust a party more than another party, ie in this case the local ISP vs the intermediary Google, Cloudflare, AdGuard etc. And it's not blind trust, we encrypt.

What a tool.
TSaxxer
post Sep 8 2024, 02:50 PM

QUOTE(glorious @ Sep 8 2024, 02:29 PM)
Why are you telling me that? Typical tongue twister with no substance? I'm saying there are other things to worry about than the internet link
*
What are you doing here then, is being a Captain Obvious fun?

 
