 Time and Maxis started to hijack dns query

haya
post Aug 13 2024, 10:24 AM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(kwss @ Aug 10 2024, 02:31 AM)
I play a bit with Celcom's implementation. Basically they catch all UDP port 53 on IPv4 and IPv6

Test with fc00::, which is a non-routable local address:
CODE

dig @fc00:: pornhub.com

; <<>> DiG 9.18.28 <<>> @fc00:: pornhub.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29836
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pornhub.com.   IN A

;; ANSWER SECTION:
pornhub.com.  3600 IN A 175.139.142.25

;; Query time: 37 msec
;; SERVER: fc00::#53(fc00::) (UDP)
;; WHEN: Sat Aug 10 02:16:04 +08 2024
;; MSG SIZE  rcvd: 56


Test with 10.10.10.10, which is also non-routable:
CODE

dig @10.10.10.10 pornhub.com

; <<>> DiG 9.18.28 <<>> @10.10.10.10 pornhub.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28827
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pornhub.com.   IN A

;; ANSWER SECTION:
pornhub.com.  3600 IN A 175.139.142.25

;; Query time: 44 msec
;; SERVER: 10.10.10.10#53(10.10.10.10) (UDP)
;; WHEN: Sat Aug 10 02:16:19 +08 2024
;; MSG SIZE  rcvd: 56


Using non-routable IPv6 address but with TCP:
CODE

dig @fc00:: pornhub.com +tcp
;; Connection to fc00::#53(fc00::) for pornhub.com failed: host unreachable.
;; no servers could be reached

;; Connection to fc00::#53(fc00::) for pornhub.com failed: host unreachable.
;; no servers could be reached

;; Connection to fc00::#53(fc00::) for pornhub.com failed: host unreachable.
;; no servers could be reached

Using non-routable IPv4 address but with TCP:
CODE

dig @10.10.10.10 pornhub.com +tcp
;; Connection to 10.10.10.10#53(10.10.10.10) for pornhub.com failed: timed out.
;; no servers could be reached

;; Connection to 10.10.10.10#53(10.10.10.10) for pornhub.com failed: timed out.
;; no servers could be reached

;; Connection to 10.10.10.10#53(10.10.10.10) for pornhub.com failed: timed out.
;; no servers could be reached


This means that using TCP should work, even if it is plain text. Yes it does!
CODE

dig @1.1.1.1 pornhub.com +tcp

; <<>> DiG 9.18.28 <<>> @1.1.1.1 pornhub.com +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48352
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pornhub.com.   IN A

;; ANSWER SECTION:
pornhub.com.  14400 IN A 66.254.114.41

;; Query time: 69 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (TCP)
;; WHEN: Sat Aug 10 02:20:20 +08 2024
;; MSG SIZE  rcvd: 56


However, I found that they block by IP address too for pornhub.com and xvideos.com. murrayhunter.substack.com didn't have its IP blocked, so it is not quite consistent.
The reason is that murrayhunter.substack.com uses Cloudflare's CDN. They cannot block the CDN without blocking everyone else.
*
Interesting that Celcom (Digi) is now hijacking all DNS53. What about things like Quad9 DNS? If Quad9 blocks a malicious domain, and Celcom (Digi) is now hijacking all DNS53 packets to them, will Celcom (Digi) resolve the domain blocked by Quad9?
haya
post Aug 13 2024, 05:19 PM

QUOTE(kwss @ Aug 13 2024, 04:53 PM)
From my testing with Celcom (AS10030), all DNS is hijacked, including microsoft.com, lowyat.net, etc. They all resolved via some non-routable IP address.
*
So something like:
CODE
googie-anaiytics.com


Which is blocked by Quad9:
CODE
; <<>> DiG 9 <<>> @9.9.9.9 googie-anaiytics.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37724
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;googie-anaiytics.com.  IN A

;; Query time: 10 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Aug 13 09:19:15 2024
;; MSG SIZE  rcvd: 38


But resolvable:
CODE
; <<>> DiG 9 <<>> @localhost googie-anaiytics.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5580
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;googie-anaiytics.com.  IN A

;; ANSWER SECTION:
googie-anaiytics.com. 600 IN A 3.33.130.190
googie-anaiytics.com. 600 IN A 15.197.148.33

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 13 09:16:24 2024
;; MSG SIZE  rcvd: 70


With AS10030 hijacking all DNS53 packets, does it resolve googie-anaiytics.com if the DNS query is pointed to 9.9.9.9?
haya
post Aug 15 2024, 08:24 AM

Firstly, thanks to kwss and ChenKaiWen for their inputs.

QUOTE(kwss @ Aug 13 2024, 11:42 PM)

*
This is what I was afraid of. For people who are using alternative DNS providers like Quad9 for protection, their DNS53 queries are being hijacked. Stuff that Quad9 is DNS-blackholing will be resolved by the MCMC DNS server hijacking DNS53 packets.

Sure, one can say that people should move to DoT/DoH, but for those who use Quad9 DNS as a first layer of protection on their family members' home router, this is terrible.


QUOTE(ChenKaiWen @ Aug 14 2024, 06:41 AM)

*
Interesting that TIME (AS9930) is not hijacking all DNS53 packets, at least?

Given that it is an AUTHORITY: 0 reply, this suggests that it is blocked by Quad9 rather than being a non-existent domain, with the NXDOMAIN response: https://docs.quad9.net/FAQs/

Thus it looks like DNS53 packets to Quad9 DNS are still untampered with (for now?)
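Added example, not code from the thread or from any poster: a small Python probe that does in code what kwss's dig tests against fc00::/10.10.10.10 and the Quad9 check above do by hand. It builds a DNS A query, sends it over UDP/53, decodes the response header, and classifies the result: a reply from an unroutable server means an interceptor answered; NXDOMAIN with AUTHORITY: 0 and the RA flag cleared (the "recursion requested but not available" line in the quoted Quad9 output) is treated as a resolver-side block. The SAMPLES headers are constructed from the ids, flags and section counts in the quoted dig output; the function names are mine.

```python
import socket
import struct

# Constructed 12-byte response headers, with the ids, flags and section
# counts copied from the dig outputs quoted earlier in this thread.
SAMPLES = {
    "celcom_udp_to_fc00": bytes.fromhex("748c85800001000100000001"),
    "quad9_blocked":      bytes.fromhex("935c81030001000000000000"),
    "cloudflare_tcp":     bytes.fromhex("bce081800001000100000001"),
}

def build_query(name, qid=0x1234):
    # Header: id, flags with RD set (what dig sends), QDCOUNT=1; then QNAME, QTYPE A, QCLASS IN.
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return hdr + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp):
    # Decode the bits dig prints as "qr aa rd ra", plus RCODE and section counts.
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "answer": an, "authority": ns, "additional": ar}

def classify(hdr, target_routable):
    # Apply the thread's reasoning to one parsed header.
    if hdr is None:
        return "no-reply"              # what an unroutable server should yield
    if not target_routable and hdr["qr"]:
        return "hijacked"              # nothing legitimate answers from fc00:: or 10.10.10.10
    if hdr["rcode"] == 3 and hdr["authority"] == 0 and not hdr["ra"]:
        return "filtered"              # NXDOMAIN, no SOA, RA cleared: Quad9's block signature
    if hdr["rcode"] == 0 and hdr["answer"]:
        return "resolved"
    return "other"

def probe_udp(server, name, timeout=2.0):
    # Send one UDP/53 query and return the parsed header, or None on timeout
    # or unreachable network. Needs a real network; not exercised offline.
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_header(s.recv(512))
        except OSError:
            return None
```

On a link that does not intercept port 53, `classify(probe_udp("fc00::", "example.com"), target_routable=False)` returns "no-reply"; on a link behaving like the Celcom capture above it returns "hijacked".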
haya
post Aug 15 2024, 08:29 AM

QUOTE(PRSXFENG @ Aug 13 2024, 08:14 PM)
I noticed that TM and TIME don't send to Quad9 KUL, and route to SIN, which has a slightly higher latency.

Now, TM refuses to peer with them
But TIME is supposed to when I asked Quad9
Quad9 said they'll check with TIME
so, seems like TIME fixed that, and you get lower latency
*
https://forum.lowyat.net/index.php?showtopi...ost&p=110240779

It has always bugged me that AS4788 would rather send AS42-bound packets to Singapore/international transit than send them over MyIX. At least now I have an explanation, but man, it goes back to the "good old days" when packets between ISPs/ASNs would go around the world because AS4788 refused to peer with, well, anyone.
haya
post Aug 15 2024, 08:43 AM

QUOTE(PRSXFENG @ Aug 15 2024, 08:37 AM)
For your reference, the answer was shared by them here
https://www.reddit.com/r/Quad9/comments/13e...comment/jjpx60w
*
Yes, I linked to the Reddit thread response in the other thread.
haya
post Aug 15 2024, 08:52 AM

QUOTE(PRSXFENG @ Aug 15 2024, 08:45 AM)
From what I observed over the years, TIME's DNS hijacking appears to be on the router side.

The old WiFi 5 combo ONT, the HG8145V5, has DNS settings greyed out in the router and hijacks port 53.
I've heard you can get TIME CS to remotely change to a DNS provider of your choosing, but don't quote me on that.

The rest of their devices don't seem to hijack, in my experience.
*
QUOTE(sadlyfalways @ Aug 15 2024, 08:47 AM)
The Maxis router also does the same thing.

It is why it is in the dustbin.
*
That's why people have the option to use/buy their own router. ISPs locking down routers is not limited to Malaysian ISPs: there are plenty of cases in other countries, if Reddit posts are any indication.

What is problematic is hijacking DNS53 at the network level, i.e. what Celcom (Digi) seems to be doing (and what Indonesia is doing). Using your own router (notwithstanding DoT/DoH) with alternate DNS providers will fail when the ISP hijacks DNS53 at their network level/side.

The MSC Bill of Guarantees died with the Najib administration.
haya
post Aug 16 2024, 07:17 AM

QUOTE(axxer @ Aug 16 2024, 05:37 AM)
No lol. While DoT is trivial to block since it uses port 853, which literally only it uses, DoH uses port 443. Might as well block the entire net by blocking port 443. They can still block the endpoint, blocking the popular DoH server endpoints from resolving, but then people will just spawn their own private endpoint with their own custom domain. I've been self-hosting my own private endpoint via AdGuard Home for a few years already.
*
Until they decide to (BGP) blackhole entire swaths of platforms.

That's what (some ISPs in) Indonesia do. E.g. Reddit is blocked in Indonesia. Even if you can resolve the correct IP address for Reddit, they will block all connection attempts to Reddit's IP addresses.

Sure, you can say VPN. But it won't be long before the next step is China, where they block most commercial VPN providers and detect OpenVPN/WireGuard/IKEv2/IPsec/L2TP/IPsec/PPTP protocols to hunt down who is using VPNs.

No need to compare Malaysia with the China GFW: if Indonesia can do it, what is to say Malaysia can't?
haya
post Aug 16 2024, 11:42 AM

QUOTE(axxer @ Aug 16 2024, 11:30 AM)
No other country will deploy China's GFW if that's your concern. That thing gobbles up $$ to maintain, which MY doesn't have. Even the Indo block is still kids' play to evade. Hell, there's dedicated people still playing the cat-and-mouse game with China's GFW till this day with vray, xray etc.
*
It doesn't have to be China-level GFW, but there is a lot that can happen between DNS53 hijacking and the GFW for internet censorship.

It's a slippery slope. And most people don't know the technical details. Once MCMC blocked The Malaysia Insider, their traffic dried up and it died from lack of ad revenue (amongst other reasons). A similar thing happened with MalaysiaNow.

Despite the fact that it is easily circumvented by changing the DNS server query IP address.

Don't expect people to understand DoH/DoT, much less roll their own DNS server for USD 0.60 per month.



 
