@cjp
Last active February 22, 2022 20:41
T-Mobile NXDOMAIN hijacking

Confirmed, T-Mobile hijacks DNS.

I am testing from my laptop tethered to a stock T-Mobile Note 3. Lookup of my IP address:

$ curl http://checkip.dyndns.org
<html><head><title>Current IP Check</title></head><body>Current IP Address: 172.56.20.69</body></html>
$ /usr/bin/whois 172.56.20.69 | grep OrgName
OrgName:        T-Mobile USA, Inc.

8.8.8.8 is Google's Public DNS. 0x1.net is a domain I control. The hosts checked are non-existent.

$ dig @8.8.8.8 foo.bar.baz.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 foo.bar.baz.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.baz.0x1.net.		IN	A

;; ANSWER SECTION:
foo.bar.baz.0x1.net.	0	IN	A	198.105.244.104
foo.bar.baz.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 28 13:58:34 2014
;; MSG SIZE  rcvd: 69

4.2.2.2 is Level(3)'s public DNS.

$ dig @4.2.2.2 foo.baz.bar.0x1.net

; <<>> DiG 9.8.3-P1 <<>> @4.2.2.2 foo.baz.bar.0x1.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9917
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.baz.bar.0x1.net.		IN	A

;; ANSWER SECTION:
foo.baz.bar.0x1.net.	0	IN	A	198.105.244.104
foo.baz.bar.0x1.net.	0	IN	A	198.105.254.104

;; Query time: 115 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Sun Sep 28 13:58:58 2014
;; MSG SIZE  rcvd: 69
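The check above can be automated. The following is an added example, not code from the gist: it builds the same plain A query that dig sends for a name under a zone you control, parses the response, and reports "hijacked" when a name that must not exist comes back NOERROR with addresses instead of NXDOMAIN. `make_response` only constructs sample packets for an offline demo (reusing the 198.105.244.104 / 198.105.254.104 answer shown above); `probe` is the live check and is the only part that touches the network. All function names are this example's own.

```python
import random
import socket
import struct

def build_query(name):  # A query with RD set, the same shape dig sends (no EDNS)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", random.randrange(65536), 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 == 0xC0 else off + 1

def parse_response(msg):
    """Header flags plus the A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off + 10:off + 14]), ttl))
        off += 10 + rdlen
    return {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}

def classify(resp):
    """Verdict for a query about a name known not to exist in a zone you control."""
    if resp["rcode"] == 3 and not resp["answers"]:
        return "clean"      # NXDOMAIN, what the authoritative server actually says
    if resp["rcode"] == 0 and resp["answers"]:
        return "hijacked"   # NOERROR plus addresses for a non-existent name: rewritten
    return "unexpected"

def make_response(query, rcode, ips, aa=True):  # constructed sample, not captured traffic
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0) | rcode  # QR RD RA (+AA) and the rcode
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + socket.inet_aton(ip) for ip in ips)
    return struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0) + query[12:] + rrs

def probe(resolver, zone):  # live check over UDP/53: random label under a zone you control
    q = build_query("probe-%08x.%s" % (random.getrandbits(32), zone))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(q, (resolver, 53))
        data = s.recv(512)
    return classify(parse_response(data)) if data[:2] == q[:2] else "unexpected"
```

A recursive resolver such as 8.8.8.8 never speaks for a zone it does not host, so the `aa` bit and the TTL of 0 in the responses above are additional signs that the answer was rewritten in transit rather than produced by the resolver.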
cjp commented Oct 24, 2021

@ledlamp, all bets are off when using the carrier's DNS servers; I think it is safe to assume that most carriers these days, absent some regulation, do all sorts of nonsense with their DNS servers.

The issue described here was T-Mobile rewriting DNS responses from DNS servers they do not control.

In either case, using DNS-over-HTTPS or DNS-over-TLS to a server that supports these protocols will resolve this issue. An example public DNS provider that supports this is Quad9; see their guide. (Note, this is not an endorsement of Quad9, just an example. Be sure to understand the impact of using a third-party DNS service provider.)
