
DNS Hijack by my ISP and that includes fake HTTPS certificates

posted on Jul, 11 2014 @ 06:21 AM
About 30% of my internet traffic is being hijacked by my ISP because they spoof DNS results from Google's DNS servers on 8.8.8.8 UDP port 53 by inspecting network packets and then intercepting and faking the reply.

thevpn.guru...


DNS Hijacking is essentially when your ISP ("Internet Service Provider") redirects your DNS traffic to its own DNS servers and does DNS resolution without your consent or knowledge. This is actually quite common and normally users don't even have a clue. In this article I am going to explain how to detect DNS hijacking and how to protect yourself.


This is not something I have opted into by choosing to use the default DNS server provided to me by my ISP, and I can even understand why they would intercept YouTube videos or images from eBay in order to increase performance for users and to reduce upstream bandwidth costs, but they are even intercepting requests to domains that no one has ever heard of.

In my case I have found that when I do a reverse DNS lookup on the IP address, the ISP intercepts that too and returns an empty result, and yet when I use a VPN to Google the DNS reverse lookups work just fine.

What they are not blocking is port 43, which I use to perform a Whois lookup on the IP address, and the results from the Whois point back to my ISP, so if it is legal for my ISP to hijack DNS results then it must be legal for everyone.

Big deal, you say, because we all know they are watching us, but they are also doing the same trick on HTTPS pages on port 443, and the only way they can do this is to perform a man-in-the-middle intercept on the SSL certificates being sent back to the client browser, which then get validated using a root authority server certificate.

Google seems to be making sure that this type of news is hidden on page ten of search results, but to me it says that HTTPS is being intercepted and read all the time without the use of brute force by our ISPs, and every IT professional should be aware of the consequences.

I don't sit around running DOS commands to do this and have Whois lookups built into my DNS server, which also resolves IP addresses to country codes, but the local cached Whois table that uses IP ranges is only one meg in size and already it seems to cover 90% of all Whois requests, because big names like "Amazon Technologies Inc" eat up IP ranges as big as 20 million at a time, which is bigger than some of the ranges assigned to a small country.

Akamai Technologies must be the biggest internet name in the world that most people have never heard about, and makes even Google and Microsoft look small, who both use it for services.
edit on 11-7-2014 by VirusGuard because: (no reason given)



posted on Jul, 11 2014 @ 07:21 AM
There are a number of hijacking viruses found in the wild at the moment.

By your description you should look at the possibility of a virus rather than your ISP being the culprit.

Try one (or both) of the following:

go to www.malwarebytes.org... and download/run their trial solution.
go to housecall.trendmicro.com... and run their Housecall.

If these fail then you should run through the programs installed on your PC and remove those that you don't want. Those you don't recognize you should look up on the internet to see what they actually do, before you remove them.

And those you can't remove are very much in the pile of suspect programs. Investigate further.

Hope you find the culprit soon. And get it out of your system.



posted on Jul, 11 2014 @ 07:29 AM
Having re-read your OP, I realize that some of your post doesn't really fit the bill for a hijacking virus.

"Faking certificates" and "faking replies" seems like a virus, but I must admit that some of your post would simply have prompted me to change ISP, if I could positively trace the fake results to them.



posted on Jul, 11 2014 @ 07:33 AM
And to add a funny detail to this...
At this very moment the ad at the top of my ATS page is an ad with a warning that I have malware on my PC.

Why would ATS allow this type of advertising? They should know that it is a scam.

So I'm heeding my own advice and am now scanning my PC with Housecall and Malwarebytes.



posted on Jul, 11 2014 @ 08:05 AM
a reply to: VirusGuard

Check for malware, trojans and rootkits.

www.bleepingcomputer.com...

I would go to Bleeping Computer Forums and ask for help there. Read the posting rules to know what to run before asking for help.



posted on Jul, 11 2014 @ 09:41 AM
a reply to: VirusGuard


I have been really interested in DNS lately and I'm appreciative of your articles, thanks for sharing your adventures.




posted on Jul, 11 2014 @ 09:52 AM
a reply to: VirusGuard

I had a feeling you were making up your story about your wifi being hacked yesterday. Now I'm pretty confident you are making these stories up.

I wouldn't deny that this kind of shady stuff exists and that ISPs are guilty of all sorts of snooping, but your particular account doesn't make sense.

If your ISP was trying to steal information (or monitor your activity) wouldn't it make more sense to just intercept the data that is already going through their servers instead of sending evidence directly back to your computer that you are being redirected?

Additionally, there are legitimate reasons for doing the latter. Imagine the benefits of sending all ISP subscribers who are using YouTube through a different router than those browsing text on Wikipedia.

As for the HTTPS thing, I'm not a security expert, but I'm fairly certain SSL would not allow you to pass encrypted data through multiple requests. Meaning, if your encrypted data is being intercepted, the end-server would not authenticate the middle man, as you put it. That doesn't mean the interceptor doesn't have some other method of decrypting your data.


Maybe if you provided evidence, claims like these would hold more value.



posted on Jul, 11 2014 @ 09:52 AM
a reply to: HolgerTheDane2

Most ISPs are doing this these days, but it takes a bit of work to spot unless you have software that does a Whois.

No, it is not a virus, and these types of hijacks often send you to the wrong sites. You should not only look in start-up for unusual programs but also check scheduled tasks from Control Panel, because this is where many viruses get started from these days.

HolgerTheDane2

ATS rents out the space and this all gets sub-let in a fraction of a second, and in some cases the advert you see goes to the winning bidder who happens to have a contact that knows you are looking to buy a car, so they outbid "car insurance" to render the advert.

I am told that ATS scans these adverts to make sure they are safe, but really that is impossible given that you often have frames within frames within frames.



posted on Jul, 11 2014 @ 11:14 AM
a reply to: Bybyots

Well, thank you.

a reply to: grey580


Check for malware, trojans and rootkits.


The clue should be in my name!

I am not after help but am giving out a warning, and I could fix this in seconds by connecting to a VPN and then refreshing all cached IP addresses in the DNS server that I run, but once the VPN is closed then my ISP could still hijack requests for a YouTube video even with the correct IP address and I would not know.

Like it or not, your ISP is basically a proxy server that you can only bypass if you use a VPN or something like Tor that encrypts the data first, and the big issue is not so much the hijacking of DNS requests but that they must be using fake SSL certificates to make the HTTPS pages they are hosting work.

In layman's terms, they are performing a man-in-the-middle attack on a regular basis.

FYI, a proxy server can read or change anything before sending or returning data that may or may not already be cached, and that includes cookies, but the deal with SSL certificates is that the certificate is registered to an IP address, and if the IP doesn't match or you don't have a root certificate on your machine to validate the certificate then your browser will issue a warning or simply block the page.

I can hijack a DNS lookup to make google.com resolve to 192.168.1.20, but if you are using HTTPS then a certificate must be used that says Google.com=192.168.1.20, which happens to be a lie.

A proxy server in the middle can relay information without caring about SSL certificates on your machine or the website, but to host the site it must issue a certificate, and if they issue the certificate then they can read everything sent.




edit on 11-7-2014 by VirusGuard because: (no reason given)



posted on Jul, 11 2014 @ 02:13 PM

originally posted by: VirusGuard
***snip***
I am told that ATS scans these adverts to make sure they are safe but realy that is impossible given that you often have frames within frames within frames



Yes I do see the problem here.
But after a rethink I believe that these particular ads are OK.
After all, if not on ATS, where should HOAX-advertising actually be?



posted on Jul, 11 2014 @ 11:24 PM
a reply to: VirusGuard



Most ISPs are now doing this these days but it takes a bit of work to spot this unless you have software that does a Whois


Don't you mean tracert or traceroute? Whois just returns information on websites.



posted on Jul, 12 2014 @ 05:36 AM

originally posted by: PhoenixOD
Don't you mean tracert or traceroute? Whois just returns information on websites.


TraceRT is a bit like ping, but it times the ping to each hop in the route as it goes from your machine to the destination.

Whois is a right mess, with lots of servers for .net and .com domains and five other main groups of servers for the rest of the internet, and the data is not in a standard format.

Not all IPs are associated with websites, but a Whois will give you details about who owns the address range, contact/abuse email address and geo-location, company, organisation.

Whois works on port 43 and the results are in plain text, and they are useful if your ISP is blocking reverse lookups because they have hijacked the DNS lookup. Whois can work with a domain name, but in my case I use it to resolve IPs back to the owner and not the website.

Not all Microsoft domains use the word "microsoft", but doing a Whois will let you know it's them.



posted on Jul, 12 2014 @ 06:02 AM
a reply to: HolgerTheDane2

Little ad servers trying to make a few bucks and sites trying to get a bit of revenue are not a problem, apart from trying to put a virus on your machine that then goes clicking on these adverts so that they can bill the end customer.

No, the real problem is google/facebook/youtube/twitter/ebay/amazon/microsoft, because this lot (all American, all NSA financed) work as a wolf pack, and what one knows, they all know.

Supplying adverts is just an excuse to this lot of criminals, and if you ever had a cookie from one of these $%GG^^&&& and logged into a Hotmail type of account that had a unique ID for you in the URL at the top of the page, then even if you delete your cookies they will know it is you the next time you log in to the mail account and they see the same ID.

Google is on 90% of sites, and the script they run is over 5000 lines of code and uploads a profile from your browser that includes everything from screen size, user-agent, Java version, browser version, timezone, script version, datetime, country code, accept type, and much more.

This profile will finger you even if you deleted your cookies and Flash (spyware) objects, and as soon as you visit your favorite site the profile becomes confirmed and this information is then relayed to other members of the wolf pack.

Given all this, it is hard to stop them unless you corrupt the data before sending it back.



posted on Jul, 12 2014 @ 08:17 AM
a reply to: VirusGuard



TraceRT is a bit like ping, but it times the ping to each hop in the route as it goes from your machine to the destination.

Whois is a right mess, with lots of servers for .net and .com domains and five other main groups of servers for the rest of the internet, and the data is not in a standard format.


So how does whois spot a DNS hijack? You can see if the traffic is routed through 8.8.8.8 with ping or tracert without having to do a whois.



posted on Jul, 13 2014 @ 08:16 AM

originally posted by: PhoenixOD
So how does whois spot a DNS hijack? You can see if the traffic is routed through 8.8.8.8 with ping or tracert without having to do a whois.


The fact that you can ping an address does not mean that the ICMP packets have not been intercepted by your ISP, and you could, like you say, run TraceRT to get a clue about your ISP intercepting pings, but this is not what I am talking about.

When your browser needs to connect to Youtube.com, a DNS request is sent off to, say, Google on 8.8.8.8:53, but the ISP can see that it is a UDP packet on port 53, and they then block the request to Google's DNS server and return a fake A record back to you with an address that points you to an IP address that is owned by your ISP.

Next your browser sends an HTTP request to the fake address owned by your ISP containing youtube.com in the URL, and the ISP can then service that request from a file cache, which saves them money on upstream bandwidth and speeds up browsing for you.

Whois comes in because the ISP is also blocking reverse lookups on the fake Youtube.com address they sent back to you, because they don't want you to know that they have intercepted your traffic, but Whois on port 43 is not blocked/intercepted by the ISP, and the name you get back for the IP address you thought should point to Youtube.com becomes the name of your ISP.

Google can also use its DNS server to load balance Youtube.com, which they own, and any requests made to Google from Asia would not get the same address as someone from Europe when YouTube physically hosts servers in Asia, so in other words never think that a domain name has a fixed address.

YouTube Asia and YouTube Europe own the SSL certificates and are free to do as they like, but my ISP has no right to fake these certificates when they hijack my DNS lookups, and if they are doing this for Youtube.com then who's to say they are not doing it all the time.

You might ask, well, what if they only do this for regular HTTP traffic on port 80 and not SSL on port 443?

Well, DNS servers don't know or care if a lookup is for HTTP or HTTPS and just return an address, so now that the ISP has hijacked the request they have no option but to service that request, else your browser would go bang, and that's without getting into what would happen to internet sessions if your ISP switches between its servers and Youtube.com.

The next question would be, well, if it's HTTPS traffic then why don't they just act as a relay, like they are in any case, between you and Youtube.com? Well, SSL certificates contain a domain name and an IP address, so they no longer have this option.

Our internet is held together by sticky tape as it is without our ISPs playing silly games.



edit on 13-7-2014 by VirusGuard because: (no reason given)
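The detection idea described in the opening post and in the post above (a DNS answer for a well-known site that a whois IP-range lookup attributes to your own ISP is a sign the reply was intercepted) can be checked in a few dozen lines. The script below is an added example, not the poster's DNS server or any tool from the thread: it builds an RFC 1035 A query, parses the answer section of a reply (including name-compression pointers), and looks each returned address up in a small locally cached IP-range-to-owner table. The `WHOIS_CACHE` entries, the owner names `EXAMPLE-ISP` / `EXAMPLE-VIDEO-CDN`, the hostname `video.example` and the sample reply are all constructed for the demo (documentation prefixes from RFC 5737, not real allocations); `query_resolver` is the live path for a real check against 8.8.8.8, and the `__main__` block runs the offline sample.

```python
"""Spot a hijacked DNS answer by checking who owns the returned address (added example)."""
import ipaddress
import socket
import struct

# Constructed, locally cached "whois" table: (IP range, owner). Placeholder data only.
WHOIS_CACHE = [
    (ipaddress.ip_network("198.51.100.0/24"), "EXAMPLE-ISP"),
    (ipaddress.ip_network("203.0.113.0/24"), "EXAMPLE-VIDEO-CDN"),
]


def owner_of(ip: str):
    """Return the owner of the cached range containing ip, or None if not cached."""
    addr = ipaddress.ip_address(ip)
    for net, owner in WHOIS_CACHE:
        if addr in net:
            return owner
    return None


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query: header (flags 0x0100 = recursion desired), one question, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name: str, ip: str, txid: int = 0x1234, ttl: int = 60) -> bytes:
    """Constructed sample reply with one A record; the answer name is a compression
    pointer (0xC00C) back to the question name, which always starts at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name at off, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid=None):
    """Return the IPv4 addresses in the answer section; reject a transaction-id mismatch,
    the cheapest sanity check against a reply that was not produced for our query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def hijack_indicators(addrs, isp_owner: str):
    """Map each answer address owned by the access ISP to that owner. An A record for a
    third-party site that whois attributes to your own ISP is the thread's red flag."""
    return {ip: owner_of(ip) for ip in addrs if owner_of(ip) == isp_owner}


def query_resolver(name: str, server: str = "8.8.8.8", timeout: float = 2.0):
    """Live helper (needs network): send the query over UDP/53 and parse the reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, expected_txid=txid)


if __name__ == "__main__":
    # Constructed sample: the reply points the site at an address inside the ISP's own range.
    reply = build_response("video.example", "198.51.100.7")
    answers = parse_a_records(reply, expected_txid=0x1234)
    print(answers, hijack_indicators(answers, "EXAMPLE-ISP"))
```

Run the same name through `query_resolver` twice, once over the normal link and once over a VPN, and compare the two answer sets as well as their owners; an address that appears only on the direct path and resolves to the ISP's own range is worth a reverse lookup and a port-43 whois by hand. The owner table is deliberately tiny here; in practice it would be filled from whois responses as the opening post describes.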



posted on Feb, 24 2019 @ 03:24 AM