Skip to content

Instantly share code, notes, and snippets.

@cjp

cjp/gist:f4dda3cc0f26ad10a3fe

Last active February 22, 2022 20:41
Show Gist options
  • Save cjp/f4dda3cc0f26ad10a3fe to your computer and use it in GitHub Desktop.
Save cjp/f4dda3cc0f26ad10a3fe to your computer and use it in GitHub Desktop.
Download ZIP
T-Mobile NXDOMAIN hijacking
Raw
gistfile1.md

Confirmed, T-Mobile hijacks DNS.

I am testing from my laptop tethered to a stock T-Mobile Note 3. Lookup of my IP address:

$ curl http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 172.56.20.69</body></html>
$ /usr/bin/whois 172.56.20.69 | grep OrgName
OrgName:        T-Mobile USA, Inc.

8.8.8.8 is Google's Public DNS. 0x1.net is a domain I control. The hosts checked are non-existent.

$ dig @8.8.8.8 foo.bar.baz.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 foo.bar.baz.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.baz.0x1.net.		IN	A

;; ANSWER SECTION:
foo.bar.baz.0x1.net.	0	IN	A	198.105.244.104
foo.bar.baz.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 28 13:58:34 2014
;; MSG SIZE  rcvd: 69

4.2.2.2 is Level(3)'s public DNS.

$ dig @4.2.2.2 foo.baz.bar.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @4.2.2.2 foo.baz.bar.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.baz.bar.0x1.net.		IN	A

;; ANSWER SECTION:
foo.baz.bar.0x1.net.	0	IN	A	198.105.244.104
foo.baz.bar.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Sep 28 13:58:58 2014
;; MSG SIZE  rcvd: 69
Copy link

ghost commented Oct 24, 2021

I'm on t-mobile's new home internet service and its dns still returns these addresses on nxdomains, however it appears they're defunct now as no web server responds on those addresses. Other dns servers aren't intercepted though.

I did have a really strange issue a while ago where any dns server that wasn't 8.8.8.8 or isp's dns was extremely slow or unresponsive. But it appears to be fine now.

@cjp
Copy link
Author

cjp commented Oct 24, 2021

@ledlamp, all bets are off when using the carrier's DNS servers; I think it is safe to assume that most carriers these days, absent some regulation, do all sorts of nonsense with their DNS servers.

The issue described here was T-Mobile rewriting DNS responses from DNS servers they do not control.

In either case, using DNS-over-HTTPS or DNS-over-TLS to a server that supports these protocols will resolve this issue. An example public DNS provider that supports this is Quad9; see their guide. (Note, this is not an endorsement of Quad9, just an example. Be sure to understand the impact of using a third-party DNS service provider.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment