Hi, I recently did some maintenance on a website called ipleak.net. I added a JSON/API feature, and I think it can be useful in an OONI probe to detect DNS spoofing/injection.
For example, fetch this (change the third-level domain to a random hash):
https://a_long_random_hash_for_every_request.ipleak.net?mode=json
The domain is resolved by the ISP: their DNS server asks our authoritative server to resolve the random domain, our server records the IP address of the latest ISP DNS server that requested the domain and reports it in the HTTP response.
Note that if the ISP has more than one DNS server (load balancing), doing multiple requests (each with a new hash) can return many DNS IPs.
For example, here in Italy it doesn't matter if I try to use Google DNS 8.8.8.8: my ISP (Vodafone) always does 'Transparent DNS', they capture any request over port 53 and redirect it to their DNS. If a country does the same thing for censorship reasons, you can detect it with this technique.
If this feature is interesting for OONI, feel free to use it on ipleak.net through our API.
Otherwise, if you prefer to implement it yourself, I'm here for free support. You need a domain with an NS record that points to a server you control (authoritative DNS), a bind9, a named pipe between bind9 and a script, and a wildcard SSL certificate if you want everything under SSL.
Ciao! Clodo
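The client side of the technique described above, as an added example (not code from ipleak.net or OONI): build a URL with a fresh random label so the authoritative server must be asked, pull the reporting resolver's address out of each JSON body, and compare the set of observed resolvers with the one the client configured. The JSON field name (`dns_ip`) and the egress prefix for the configured resolver are assumptions; the sample bodies are constructed.

```python
import ipaddress
import json
import secrets

HELPER_DOMAIN = "ipleak.net"  # helper named in the post; response field names below are assumed


def random_probe_url(domain: str = HELPER_DOMAIN, nbytes: int = 16) -> str:
    """Fresh random third-level label: no cache can answer it, so the
    authoritative server is guaranteed to see the resolver that asked."""
    return f"https://{secrets.token_hex(nbytes)}.{domain}/?mode=json"


def parse_resolver_ip(body: str, key: str = "dns_ip"):
    """Extract the reporting resolver's address from the helper's JSON body
    (the field name is an assumption, not the real ipleak.net schema)."""
    return ipaddress.ip_address(json.loads(body)[key])


def classify(configured: str, observed, expected_egress=()):
    """Decide whether queries sent to `configured` actually reached it.
    An observed address is consistent if it is the configured address itself
    or lies in an operator-published egress prefix for that resolver (public
    anycast resolvers answer from egress ranges, not from the service IP).
    Several observed addresses are normal: the post notes ISPs load-balance."""
    cfg = ipaddress.ip_address(configured)
    nets = [ipaddress.ip_network(n) for n in expected_egress]
    unexpected = sorted({str(ip) for ip in observed
                         if ip != cfg and not any(ip in n for n in nets)})
    return {"configured": configured,
            "observed": sorted({str(ip) for ip in observed}),
            "unexpected": unexpected,
            "intercepted": bool(unexpected)}


# Constructed sample bodies standing in for several fetches of random_probe_url();
# 192.0.2.0/24 plays the configured resolver's egress range, 203.0.113.x an ISP resolver.
SAMPLE_BODIES = [
    '{"dns_ip": "203.0.113.10"}',
    '{"dns_ip": "203.0.113.11"}',  # second ISP resolver: load balancing, still intercepted
    '{"dns_ip": "192.0.2.7"}',
]


def run_check(bodies=SAMPLE_BODIES, configured="8.8.8.8", egress=("192.0.2.0/24",)):
    return classify(configured, [parse_resolver_ip(b) for b in bodies], egress)


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```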
On Jul 14, 2015, at 3:59 PM, Clodo clodo@clodo.it wrote:
> Hi, I recently did some maintenance on a website called ipleak.net. I added a JSON/API feature, and I think it can be useful in an OONI probe to detect DNS spoofing/injection.
> For example, fetch this (change the third-level domain to a random hash):
> https://a_long_random_hash_for_every_request.ipleak.net?mode=json
> The domain is resolved by the ISP: their DNS server asks our authoritative server to resolve the random domain, our server records the IP address of the latest ISP DNS server that requested the domain and reports it in the HTTP response.
> Note that if the ISP has more than one DNS server (load balancing), doing multiple requests (each with a new hash) can return many DNS IPs.
Oh, this is indeed a very useful service, and we were actually considering setting up something similar as an OONI test helper using DNS as a transport.
The server-side code is very minimal and simple:
https://github.com/TheTorProject/ooni-backend/blob/master/oonib/testhelpers/...
> For example, here in Italy it doesn't matter if I try to use Google DNS 8.8.8.8: my ISP (Vodafone) always does 'Transparent DNS', they capture any request over port 53 and redirect it to their DNS. If a country does the same thing for censorship reasons, you can detect it with this technique.
> If this feature is interesting for OONI, feel free to use it on ipleak.net through our API.
We will consider using this as a service in the OONI DNS consistency test, or perhaps even by default in all the tests we run that do DNS resolution (even the http_requests one).
> Otherwise, if you prefer to implement it yourself, I'm here for free support. You need a domain with an NS record that points to a server you control (authoritative DNS), a bind9, a named pipe between bind9 and a script, and a wildcard SSL certificate if you want everything under SSL.
Is the code for your service available somewhere?
What database are you using to do the reverse lookup?
~ Arturo