T-Mobile NXDOMAIN hijacking

gistfile1.md

Confirmed, T-Mobile hijacks DNS.

I am testing from my laptop tethered to a stock T-Mobile Note 3. Lookup of my IP address:

$ curl http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 172.56.20.69</body></html>
$ /usr/bin/whois 172.56.20.69 | grep OrgName
OrgName:        T-Mobile USA, Inc.

8.8.8.8 is Google's Public DNS. 0x1.net is a domain I control. The hosts checked are non-existent.

$ dig @8.8.8.8 foo.bar.baz.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 foo.bar.baz.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.baz.0x1.net.		IN	A

;; ANSWER SECTION:
foo.bar.baz.0x1.net.	0	IN	A	198.105.244.104
foo.bar.baz.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 28 13:58:34 2014
;; MSG SIZE  rcvd: 69

4.2.2.2 is Level(3)'s public DNS.

$ dig @4.2.2.2 foo.baz.bar.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @4.2.2.2 foo.baz.bar.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.baz.bar.0x1.net.		IN	A

;; ANSWER SECTION:
foo.baz.bar.0x1.net.	0	IN	A	198.105.244.104
foo.baz.bar.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Sep 28 13:58:58 2014
;; MSG SIZE  rcvd: 69

I had a one hour long phone call yesterday with T-Mobile and I did talk to 3 different employees about the issue and since this morning it is resolved for me:

$ nslookup bogus.fake.esd.io 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 4.2.2.2
Server: 4.2.2.2
Address: 4.2.2.2#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find bogus.fake.esd.io: NXDOMAIN

$ nslookup bogus.fake.esd.io 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find bogus.fake.esd.io: NXDOMAIN

Btw, I did reference http://support.t-mobile.com/thread/81374 and ask the T-Mobile people to comment on the formum.

I am having the exact same problem. It's even worse because our IT department blocks T-Mobile's landing page.

I'm on t-mobile's new home internet service and its dns still returns these addresses on nxdomains, however it appears they're defunct now as no web server responds on those addresses. Other dns servers aren't intercepted though.

I did have a really strange issue a while ago where any dns server that wasn't 8.8.8.8 or isp's dns was extremely slow or unresponsive. But it appears to be fine now.

@ledlamp, all bets are off when using the carrier's DNS servers; I think it is safe to assume that most carriers these days, absent some regulation, do all sorts of nonsense with their DNS servers.

The issue described here was T-Mobile rewriting DNS responses from DNS servers they do not control.

In either case, using DNS-over-HTTPS or DNS-over-TLS to a server that supports these protocols will resolve this issue. An example public DNS provider that supports this is Quad9; see their guide. (Note, this is not an endorsement of Quad9, just an example. Be sure to understand the impact of using a third-party DNS service provider.)