@cjp
Last active February 22, 2022 20:41
T-Mobile NXDOMAIN hijacking

Confirmed, T-Mobile hijacks DNS.

I am testing from my laptop tethered to a stock T-Mobile Note 3. Lookup of my IP address:

$ curl http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 172.56.20.69</body></html>
$ /usr/bin/whois 172.56.20.69 | grep OrgName
OrgName:        T-Mobile USA, Inc.

8.8.8.8 is Google's Public DNS. 0x1.net is a domain I control. The hosts checked are non-existent.

$ dig @8.8.8.8 foo.bar.baz.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 foo.bar.baz.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.baz.0x1.net.		IN	A

;; ANSWER SECTION:
foo.bar.baz.0x1.net.	0	IN	A	198.105.244.104
foo.bar.baz.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 28 13:58:34 2014
;; MSG SIZE  rcvd: 69

4.2.2.2 is Level(3)'s public DNS.

$ dig @4.2.2.2 foo.baz.bar.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @4.2.2.2 foo.baz.bar.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.baz.bar.0x1.net.		IN	A

;; ANSWER SECTION:
foo.baz.bar.0x1.net.	0	IN	A	198.105.244.104
foo.baz.bar.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Sep 28 13:58:58 2014
;; MSG SIZE  rcvd: 69
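Added example, not part of the original gist: a standard-library-only check that sends an A query for a random label under a zone you control to a given resolver and classifies the raw reply, so a rewritten NXDOMAIN like the ones above shows up as a hijack rather than a lookup that merely "worked". The default zone 0x1.net is the author's; substitute one you control. The two flagged addresses are the ones observed in the thread.

```python
import os, socket, struct

# Addresses the thread observed substituted for NXDOMAIN responses.
HIJACK_IPS = {"198.105.244.104", "198.105.254.104"}

def build_query(name, qid=0x1234):
    """Minimal DNS A query (RD set, no EDNS) for `name`."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)

def _skip_name(data, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] else 1)  # 2-byte pointer or 1-byte terminator

def parse_response(data):
    """Return (rcode, list of A-record addresses) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", data[:12])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip name, QTYPE, QCLASS
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def classify(rcode, addrs):
    """NXDOMAIN is the honest reply; any A record for a random name is a rewrite."""
    if rcode == 3:
        return "clean"
    if HIJACK_IPS & set(addrs):
        return "hijacked (known T-Mobile addresses)"
    return "hijacked (unexpected answer)" if addrs else "unexpected rcode %d" % rcode

def check_resolver(resolver, zone="0x1.net", timeout=3.0):
    """Query `resolver` over UDP for a random label under `zone` and classify."""
    name = "%s.%s" % (os.urandom(6).hex(), zone)
    query = build_query(name, qid=int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data = sock.recvfrom(512)[0]
    return classify(*parse_response(data))
```

Run `check_resolver("8.8.8.8")` and `check_resolver("8.8.4.4")` from the suspect network; a "hijacked" verdict for a random label is the signature of the rewriting described above, and only the "clean" answer is correct.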
@cheald

cheald commented Sep 28, 2014

This isn't the hotspot - I can confirm this using nslookup foo.baz.bar.0x1.net 8.8.8.8 directly on the phone via ConnectBot.

@elidickinson

Wanna see something really weird? It looks like they're rewriting DNS for only a very specific set of servers:

$ nslookup bogus.fake.esd.io 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Name: bogus.fake.esd.io
Address: 198.105.254.104
Name: bogus.fake.esd.io
Address: 198.105.244.104

But using Google's secondary DNS:

$ nslookup bogus.fake.esd.io 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find bogus.fake.esd.io: NXDOMAIN

@elidickinson

Likewise, 4.2.2.2 gets bogus answers, but 4.2.2.1 seems ok...

@elidickinson

I wrote this up and sent a link to T-Mobile. Hopefully I get a response. http://esd.io/blog/t-mobile-dns-hijack.html

@alpharesearch

I had a one hour long phone call yesterday with T-Mobile and I did talk to 3 different employees about the issue and since this morning it is resolved for me:

$ nslookup bogus.fake.esd.io 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 4.2.2.2
Server: 4.2.2.2
Address: 4.2.2.2#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find bogus.fake.esd.io: NXDOMAIN

Btw, I did reference http://support.t-mobile.com/thread/81374 and ask the T-Mobile people to comment on the forum.

@mykohsu

mykohsu commented Mar 12, 2015

I am having the exact same problem. It's even worse because our IT department blocks T-Mobile's landing page.


ghost commented Oct 24, 2021

I'm on T-Mobile's new home internet service and its DNS still returns these addresses on NXDOMAINs, however it appears they're defunct now as no web server responds on those addresses. Other DNS servers aren't intercepted though.

I did have a really strange issue a while ago where any DNS server that wasn't 8.8.8.8 or the ISP's DNS was extremely slow or unresponsive. But it appears to be fine now.

@cjp
Author

cjp commented Oct 24, 2021

@ledlamp, all bets are off when using the carrier's DNS servers; I think it is safe to assume that most carriers these days, absent some regulation, do all sorts of nonsense with their DNS servers.

The issue described here was T-Mobile rewriting DNS responses from DNS servers they do not control.

In either case, using DNS-over-HTTPS or DNS-over-TLS to a server that supports these protocols will resolve this issue. An example public DNS provider that supports this is Quad9; see their guide. (Note, this is not an endorsement of Quad9, just an example. Be sure to understand the impact of using a third-party DNS service provider.)