abusive_isps

This is an old revision of the document!


Abusive ISPs

These are Internet Service Providers that have been found to tamper with your DNS (or OpenNIC related) traffic, do note that this list is only for previously mentioned abuse, nothing else.

Some abusive ISPs will intercept DNS traffic on port 53 and return results from their own servers instead. This makes access to alternative TLDs difficult, and is a privacy concern as it allows the ISPs to carry out more detailed logging of the domains you resolve.

Some OpenNIC DNS servers also listen on an alternative port (generally 5353) which is less likely to be tampered with by ISPs.

To test if an ISP is tampering with DNS traffic, you can use the dig command from the dnsutils package. Select a server from the Tier 2 page which supports an alternative port. In my example I have used 106.186.17.181. First, try querying for the root zone (.) on the default port:

dig SOA . @106.186.17.181
...
.	58346	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2015080300 1800 900 604800 86400

You can see from the returned SOA above that the DNS request has been hijacked by the ISP as a.root-servers.net is not an OpenNIC DNS server. If the SOA you get looks more like the one below, then your ISP is probably not hijacking your DNS requests.

Now try again on the alternative port:

dig SOA . @106.186.17.181 -p 5353
...
.	86319	IN	SOA	ns0.opennic.glue. hostmaster.opennic.glue. 2015080301 1800 900 604800 3600

You can see that the SOA returned is OpenNIC's, meaning no hijacking has taken place on the alternative port. If this result differs from the previous result or the first result times out with connection timed out; no servers could be reached, then your ISP is likely to be hijacking DNS.

Please refer to the answer of this question to use iptables to reroute your DNS traffic to an alternative port on an OpenNIC server. Remember to change the server's IP address.

You could also contact your ISP to complain about their use of DNS hijacking.

This list is very incomplete. If you are certain that your ISP is hijacking DNS or is involved in other questionable practices, please add it below.

Country ISP Reported Source 53/udp DPI Level Notes
Taiwan HiNet 2019-01-16 fusl yes blocking of selective domains Returns NXDOMAIN for some very specific domains
Austria 3 / drei.at 2018-01-28 fusl no NXDOMAIN search engine redir NXDOMAIN redirect to 213.94.80.190, proof
- Vultr/Choopa 2017-11-03 fusl yes blocking of selective domains DPI on UDP/53, blocks any DNS request containing the text minexmr.com. in the query name (proof)
United States CenturyLink 2017-08-28 some user on #opennic no NXDOMAIN search engine redir Reproduced by fusl - NXDOOMAIN redirect to 198.105.244.23 and 198.105.245.23 which redirects to http://webhelper.centurylink.com/index.php?origURL=opennic&r=&bc=
Peru Bitel 2017-06-23 Tedel on #opennic ? ? IRC conversation log
United States AT&T 2017-03-27 news no NXDOMAIN search engine redir http://www.att.net/dnserrorassist/about/ (screenshot), https://forums.att.com/t5/AT-T-Internet-Features/ATT-DNS-Assist-Page/td-p/5108480 (screenshot)
United States T-Mobile US 2015-07-20 thefinn93 on reddit no NXDOMAIN search engine redir https://www.reddit.com/r/tmobile/comments/3dyk1h/how_do_i_turn_of_nxdomain_hijacking/
United States Sprint 2014-09-05 sanityvampire on reddit no NXDOMAIN search engine redir https://www.reddit.com/r/Sprint/comments/2fl6pk/are_sprint_3g_and_4g_towers_hijacking_nxdomain/
United States CenturyLink 2011-12-21 DSLReports Forums user no NXDOMAIN search engine redir other report
Spain ONO 2010-05-10 blog post no NXDOMAIN search engine redir Allowed cross-site-scripting attacks, http://www.iniqua.com/2010/05/10/nxdomain-redirect-xss/
Australia Telstra 2009-11-20 news, CRN Australia no NXDOMAIN search engine redir news article
United States RCN 2009-10-13 blog post no NXDOMAIN search engine redir https://infiniteedge.blogspot.com/2009/10/who-stole-my-web-browser.html
United States Mediacom 2009-09-25 YourName on reddit no redirection of selective domains Redirects search.live.com to own search engine, https://web.archive.org/web/20100303205850/http://www.reddit.com:80/r/programming/comments/9o3as/want_a_real_world_example_of_why_we_need_network
Canada Bell Internet 2009-08-04 timothy on Slashdot no NXDOMAIN search engine redir https://tech.slashdot.org/story/09/08/04/1512248/Bell-Starts-Hijacking-NX-Domain-Queries
United States Comcast 2009-07-28 news no NXDOMAIN search engine redir http://www.theregister.co.uk/2009/07/28/comcast_dns_hijacker/, disabled in August 2009
Germany T-Online 2009-04-09 - no NXDOMAIN search engine redir https://telekomhilft.telekom.de/t5/Browser/Neues-Leistungsmerkmal-Navigationshilfe/m-p/568909#M1622
United States Optimum Online 2008-09-25 - no NXDOMAIN search engine redir Optimum Online - DNS Assistance
Canada Rogers 2008-07-20 news no HTML ad content injection http://www.dslreports.com/shownews/Rogers-Uses-Deep-Packet-Inspection-for-DNS-Redirection-96239
Australia Telstra 2008-03-15 blog post no wildcard dns redirection https://archive.is/20101210140523/http://jeffturner.net/2008/03/road-runner-dns-hijack-causing-slow-web-pages/
United States Verizon 2007-06-21 - no NXDOMAIN search engine redir https://www.verizon.com/support/residential/internet/home-network/settings/opt-out-of-dns-assist
United Kingdom TalkTalk FIXME - no NXDOMAIN search engine redir http://error.talktalk.co.uk/main?FailureMode=14&LinkType=1
  • /wiki/data/attic/abusive_isps.1547606507.txt.gz
  • Last modified: 23 months ago
  • by fusl