Confirmed, T-Mobile hijacks DNS.
I am testing from my laptop tethered to a stock T-Mobile Note 3. Lookup of my IP address:
$ curl http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 172.56.20.69</body></html>
$ /usr/bin/whois 172.56.20.69 | grep OrgName
OrgName: T-Mobile USA, Inc.
8.8.8.8 is Google's Public DNS. 0x1.net is a domain I control. The hosts checked are non-existent.
$ dig @8.8.8.8 foo.bar.baz.0x1.net
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 foo.bar.baz.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;foo.bar.baz.0x1.net. IN A
;; ANSWER SECTION:
foo.bar.baz.0x1.net. 0 IN A 198.105.244.104
foo.bar.baz.0x1.net. 0 IN A 198.105.254.104
;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 28 13:58:34 2014
;; MSG SIZE rcvd: 69
4.2.2.2 is Level(3)'s public DNS.
$ dig @4.2.2.2 foo.baz.bar.0x1.net
; <<>> DiG 9.8.3-P1 <<>> @4.2.2.2 foo.baz.bar.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;foo.baz.bar.0x1.net. IN A
;; ANSWER SECTION:
foo.baz.bar.0x1.net. 0 IN A 198.105.244.104
foo.baz.bar.0x1.net. 0 IN A 198.105.254.104
;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Sep 28 13:58:58 2014
;; MSG SIZE rcvd: 69
I'm wondering if this is a side-effect of the way Android does tethering. Somebody with a rooted device may be able to investigate further. I can't readily prove whether it's the phone's hotspot or the upstream network that's rewriting the DNS.
Apps like https://play.google.com/store/apps/details?id=com.ulfdittmer.android.ping seem to correctly display NXDOMAIN.
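The check done by eye in the post above, written as a script (an added example, not part of the original post). It parses dig's text output for names known not to exist and reports which signs of in-path rewriting are present. The indicator names and the heuristics themselves (an `aa` flag on a reply from a public recursive resolver, TTL 0, identical answers from unrelated resolvers) are assumptions of this example.

```python
import re

# Excerpts of the two dig outputs from the post, trimmed to the lines the parser reads.
DIG_GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
foo.bar.baz.0x1.net. 0 IN A 198.105.244.104
foo.bar.baz.0x1.net. 0 IN A 198.105.254.104
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
DIG_LEVEL3 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
foo.baz.bar.0x1.net. 0 IN A 198.105.244.104
foo.baz.bar.0x1.net. 0 IN A 198.105.254.104
;; SERVER: 4.2.2.2#53(4.2.2.2)
"""

def parse_dig(text):
    """Pull status, header flags, server and A records out of dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([a-z ]*);", text).group(1).split()
    server = re.search(r"SERVER: ([\d.]+)#", text).group(1)
    answers = re.findall(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$", text, re.M)
    return {"status": status, "flags": flags, "server": server,
            "ttls": {int(t) for _, t, _ in answers},
            "addrs": {a for _, _, a in answers}}

def hijack_indicators(responses):
    """responses: parsed replies for names known NOT to exist, one per resolver."""
    found = set()
    for r in responses:
        if r["status"] != "NXDOMAIN" and r["addrs"]:
            found.add("answer-for-nonexistent-name")
        if "aa" in r["flags"]:  # heuristic: recursive resolvers answer non-authoritatively
            found.add("aa-flag-from-recursive-resolver")
        if r["ttls"] == {0}:
            found.add("zero-ttl")
    # Unrelated resolvers returning the same addresses for different made-up
    # names suggests a single device in the path is answering for all of them.
    if (len({r["server"] for r in responses}) > 1 and responses[0]["addrs"]
            and all(r["addrs"] == responses[0]["addrs"] for r in responses)):
        found.add("same-answer-from-unrelated-resolvers")
    return sorted(found)

if __name__ == "__main__":
    print(hijack_indicators([parse_dig(DIG_GOOGLE), parse_dig(DIG_LEVEL3)]))
```

Running the same check over a link that does not go through the phone's hotspot, or from the phone itself, helps separate the handset from the upstream network.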