Wednesday 19 August 2009

DNS Hijacking, filtering and OpenDNS

With witless clowns like Senator Stephen Conroy pushing for draconian mandatory net filtering these days, smart people should consider using a service such as OpenDNS rather than the DNS service provided by their ISP. (This only helps where the filtering is done at the ISP's own resolvers; it does nothing against filtering of the traffic itself.)

Simply put the following in your /etc/resolv.conf (not /etc/hosts, which only maps names to addresses and cannot name a resolver) and you are good to go:
nameserver 208.67.222.222
nameserver 208.67.220.220

However you should note that OpenDNS funds its operations with "services" such as redirecting "domain not found" (NXDOMAIN) errors to a search page, rather than letting your browser display the appropriate error as it should. This also affects things such as ping. If I ping a domain name that does not exist I should get "unknown host", whereas with OpenDNS it will resolve to the OpenDNS page and the ping will receive a reply as if the nonexistent domain actually existed.

Even if you don't use OpenDNS, more and more ISPs these days have also taken to hijacking invalid domain requests, answering the query that should return a "domain not found" error with the address of their own (partner) advertisement pages instead.

There are a few ways to mitigate this behaviour. The easiest is to put the following line in your /etc/hosts file:
127.0.0.1 hit-nxdomain.opendns.com

This will cause the redirection to go to your localhost adapter. If you are running a service (i.e. a web server) on port 80, the redirect will land on its default page instead, and it won't solve the successful-ping-to-bogus-domain problem described above, since the bogus name itself still resolves to an OpenDNS address. This is a less than perfect solution.

The best solution is to run dnsmasq on your gateway. Dnsmasq is a combined DHCP server and caching DNS forwarder, and is easy to set up.

Once you have it set up, simply put the IP address that is returned from a bogus ping into your /etc/dnsmasq.conf file. Dnsmasq turns any reply containing that address back into a proper "no such domain" answer, so make sure the address really is the hijack page and not something a legitimate host shares; also, resolvers change these addresses from time to time, so re-check after an upgrade or if bogus names start resolving again. In my case I have:
bogus-nxdomain=208.67.216.132
bogus-nxdomain=208.67.219.132

and normal service will be resumed!
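The probe-and-configure step above, as an added example that is not part of the original post: it asks a resolver for a random name that cannot exist, turns any addresses it hands back into bogus-nxdomain= lines, and wraps them in a minimal dnsmasq.conf fragment. The sample answer embedded in the script is constructed (using the addresses quoted above); the live probe assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not from the original post): probe a resolver with a random
# nonexistent name and turn whatever addresses it hands back into the
# bogus-nxdomain= lines dnsmasq needs.  Assumes `dig` (dnsutils/bind-utils)
# is installed for the live probe; the parsing itself works offline.

# Constructed sample of `dig +noall +answer` output from a resolver that
# hijacks NXDOMAIN.  The addresses are the ones quoted in the post; a real
# resolver may hand back something else, which is why we probe rather than
# hard-code.
SAMPLE_ANSWER='nonexist-7f3a9c21.invalid. 0 IN A 208.67.216.132
nonexist-7f3a9c21.invalid. 0 IN A 208.67.219.132'

# Read answer-section lines on stdin and print one bogus-nxdomain= line per
# A record.  An honest resolver answers NXDOMAIN with an empty answer
# section, so honest input produces no output.
bogus_lines_from_answer() {
    awk '$3 == "IN" && $4 == "A" { print "bogus-nxdomain=" $5 }'
}

# Emit a minimal dnsmasq.conf fragment: ignore /etc/resolv.conf, forward to
# the upstreams given as arguments, then append whatever bogus-nxdomain=
# lines arrive on stdin.
dnsmasq_fragment() {
    printf 'no-resolv\n'
    for up in "$@"; do
        printf 'server=%s\n' "$up"
    done
    cat
}

# Live probe: ask resolver $1 for a random label under .invalid (RFC 2606),
# which can never legitimately exist, so any A record in the reply is a
# hijack.
probe_resolver() {
    label="nonexist-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n').invalid"
    dig @"$1" +noall +answer "$label" A
}

# Usage (as root on the gateway):
#   probe_resolver 208.67.222.222 | bogus_lines_from_answer \
#       | dnsmasq_fragment 208.67.222.222 208.67.220.220 >> /etc/dnsmasq.conf
```

Run the probe against each upstream you forward to, since different resolvers (and different OpenDNS nodes) may answer with different hijack addresses, and eyeball the resulting lines before restarting dnsmasq: every address you list is one dnsmasq will refuse to return for any name.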
