This is an old revision of the document!
Abusive ISPs
These are Internet Service Providers that have been found to tamper with your DNS (or OpenNIC related) traffic, do note that this list is only for previously mentioned abuse, nothing else.
Is my ISP intercepting DNS traffic?
Some abusive ISPs will intercept DNS traffic on port 53 and return results from their own servers instead. This makes access to alternative TLDs difficult, and is a privacy concern as it allows the ISPs to carry out more detailed logging of the domains you resolve.
Some OpenNIC DNS servers also listen on an alternative port (generally 5353) which is less likely to be tampered with by ISPs.
To test if an ISP is tampering with DNS traffic, you can use the dig command from the dnsutils package. Select a server from the Tier 2 page which supports an alternative port. In my example I have used 106.186.17.181. First, try querying for the root zone (.) on the default port:
dig SOA . @106.186.17.181 ... . 58346 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015080300 1800 900 604800 86400
You can see from the returned SOA above that the DNS request has been hijacked by the ISP as a.root-servers.net is not an OpenNIC DNS server. If the SOA you get looks more like the one below, then your ISP is probably not hijacking your DNS requests.
Now try again on the alternative port:
dig SOA . @106.186.17.181 -p 5353 ... . 86319 IN SOA ns0.opennic.glue. hostmaster.opennic.glue. 2015080301 1800 900 604800 3600
You can see that the SOA returned is OpenNIC's, meaning no hijacking has taken place on the alternative port. If this result differs from the previous result or the first result times out with connection timed out; no servers could be reached, then your ISP is likely to be hijacking DNS.
What can I do about it?
Please refer to the answer of this question to use iptables to reroute your DNS traffic to an alternative port on an OpenNIC server. Remember to change the server's IP address.
You could also contact your ISP to complain about their use of DNS hijacking.
Abusive ISP List
This list is very incomplete. If you are certain that your ISP is hijacking DNS or is involved in other questionable practices, please add it below.
| Country | ISP | Reported | Source | DPI | Level | Notes |
|---|---|---|---|---|---|---|
| Taiwan | HiNet | 2019-01-16 | fusl | no | blocking of selective domains | Returns NXDOMAIN for some very specific domains, hijacking common public DNS resolvers like Google, OpenDNS and CloudFlare, Quad9 seems to be unaffected |
| Austria | 3 / drei.at | 2018-01-28 | fusl | no | NXDOMAIN search engine redir | NXDOMAIN redirect to 213.94.80.190, proof |
| - | Vultr/Choopa | 2017-11-03 | fusl | yes | blocking of selective domains | DPI on UDP/53, blocks any DNS request containing the text minexmr.com. in the query name (proof) |
| United States | CenturyLink | 2017-08-28 | some user on #opennic | no | NXDOMAIN search engine redir | Reproduced by fusl - NXDOOMAIN redirect to 198.105.244.23+198.105.245.23 redirecting to http://webhelper.centurylink.com/index.php?origURL=<domain>&r=&bc= |
| Peru | Bitel | 2017-06-23 | Tedel on #opennic | ? | ? | IRC conversation log |
| United States | AT&T | 2017-03-27 | news | no | NXDOMAIN search engine redir | ETM Details with Opt-Out Option (screenshot), ATT DNS Assist Page - AT&T; Community (screenshot) |
| United States | T-Mobile US | 2015-07-20 | thefinn93 on reddit | no | NXDOMAIN search engine redir | How do I turn of NXDOMAIN hijacking? : tmobile |
| Indonesia | Telkom | 2015-04-27 | blog post | ? | ? | Bagaimana internet positif Telkom bekerja? |
| United States | Sprint | 2014-09-05 | sanityvampire on reddit | no | NXDOMAIN search engine redir | Are Sprint 3G and 4G towers hijacking NXDOMAIN responses? More information in comments... : Sprint |
| United States | CenturyLink | 2011-12-21 | DSLReports Forums user | no | NXDOMAIN search engine redir | Re: [Qwest] Opting out of CenturyLink Web Helper hijacking not w - CenturyLink | DSLReports Forums |
| Spain | ONO | 2010-05-10 | blog post | no | NXDOMAIN search engine redir | Allowed cross-site-scripting attacks, iniqua » Archive » XSS Reflected dnssearch.Ono.es NXD redirect |
| Australia | Telstra | 2009-11-20 | news, CRN Australia | no | NXDOMAIN search engine redir | BigPond redirects typos to 'unethical' branded search page - Collaboration - Networking - CRN Australia |
| United States | RCN | 2009-10-13 | blog post | no | NXDOMAIN search engine redir | InfiniteEdge: Who Stole My Web Browser? |
| United States | Mediacom | 2009-09-25 | YourName on reddit | no | redirection of selective domains | Redirects search.live.com to own search engine, Want a real world example of why we need network neutrality? I have one here. : programming |
| Canada | Bell Internet | 2009-08-04 | timothy on Slashdot | no | NXDOMAIN search engine redir | Bell Starts Hijacking NX Domain Queries - Slashdot |
| United States | Comcast | 2009-07-28 | news | no | search engine redir | Comcast trials Domain Helper service DNS hijacker • The Register, disabled 2012; Comcast Domain Helper Shuts Down |
| Germany | T-Online | 2009-04-09 | - | no | search engine redir | Neues Leistungsmerkmal 'Navigationshilfe' | Telekom hilft Community |
| United States | Optimum Online | 2008-09-25 | - | no | search engine redir | Optimum Online - DNS Assistance |
| Canada | Rogers | 2008-07-20 | news | no | ad content injection | Rogers Uses Deep Packet Inspection for DNS Redirection - Is hijacking websites for advertising a violation of net neutrality? | DSLReports, ISP Information |
| Australia | Telstra | 2008-03-15 | blog post | no | dns redirection | Road Runner DNS hijack causing slow web pages | jeff turner |
| United States | Verizon | 2007-06-21 | - | no | search engine redir | Opt Out of DNS Assistance | Verizon Internet Support |
| United Kingdom | TalkTalk |  | - | no | search engine redir | About This Page - TalkTalk |
