DNS hijacking?

janw
Grasshopper

Hello folks,

In the last few days it seems that Shaw has started hijacking DNS requests in the Vancouver region. If one directs a DNS query to a specific (non-Shaw) nameserver, the query never makes it to the specified server. Instead, the specified server records a query from a Shaw nameserver.

This is of course a really bad idea for a lot of reasons, so I'm wondering why Shaw is choosing to do this. Does anyone have any insight? 

Thank you!

Jan


mdk
Legendary Grand Master

@janw -- At least for one query, I am not seeing what you are seeing. 

For example: querying one of the "authoritative" DNS-servers for the IP (V4 & V6) addresses for UBC's web-server (in Vancouver), I get the "correct" response:

$ nslookup -debug www.ubc.ca. hub.ubc.ca.
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 2, additional = 2

QUESTIONS:
1.1.82.137.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 1.1.82.137.in-addr.arpa
name = hub.ubc.ca
ttl = 86400 (1 day)
AUTHORITY RECORDS:
-> 82.137.in-addr.arpa
nameserver = hub.ubc.ca
ttl = 86400 (1 day)
-> 82.137.in-addr.arpa
nameserver = dns3.ubc.ca
ttl = 86400 (1 day)
ADDITIONAL RECORDS:
-> hub.ubc.ca
internet address = 137.82.1.1
ttl = 86400 (1 day)
-> dns3.ubc.ca
internet address = 142.103.1.1
ttl = 86400 (1 day)

------------
Server: hub.ubc.ca
Address: 137.82.1.1

------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 3, additional = 2

QUESTIONS:
www.ubc.ca, type = A, class = IN
ANSWERS:
-> www.ubc.ca
canonical name = ubc.ca
ttl = 300 (5 mins)
-> ubc.ca
internet address = 206.87.224.15
ttl = 300 (5 mins)
AUTHORITY RECORDS:
-> ubc.ca
nameserver = hub.ubc.ca
ttl = 86400 (1 day)
-> ubc.ca
nameserver = nightbird.eis.utoronto.ca
ttl = 86400 (1 day)
-> ubc.ca
nameserver = dns3.ubc.ca
ttl = 86400 (1 day)
ADDITIONAL RECORDS:
-> hub.ubc.ca
internet address = 137.82.1.1
ttl = 86400 (1 day)
-> dns3.ubc.ca
internet address = 142.103.1.1
ttl = 86400 (1 day)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 1, additional = 0

QUESTIONS:
www.ubc.ca, type = AAAA, class = IN
ANSWERS:
-> www.ubc.ca
canonical name = ubc.ca
ttl = 300 (5 mins)
AUTHORITY RECORDS:
-> ubc.ca
ttl = 3600 (1 hour)
primary name server = hub.ubc.ca
responsible mail addr = nmc.ubc.ca
serial = 667394745
refresh = 1200 (20 mins)
retry = 180 (3 mins)
expire = 1209600 (14 days)
default TTL = 3600 (1 hour)

------------
Name: ubc.ca
Address: 206.87.224.15
Aliases: www.ubc.ca

Can you post a counter-example?
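The check mdk performs above (send a query straight to an authoritative server and see whether the reply is an authoritative answer) can be scripted, which makes it easy to collect the counter-example he asks for. The following is an added example, not code posted by either participant: it builds a raw DNS query with RD=0, parses the reply header and records without any third-party library, and flags the two things a transparently intercepted query tends to change. The interception heuristics are assumptions stated in the comments (an authoritative server sets AA; per RFC 1035 a server copies the RD bit from the query into the reply). The sample reply bytes are constructed in the block for offline use; the live query at the bottom uses hub.ubc.ca (137.82.1.1) and www.ubc.ca only because they appear in the thread.

```python
"""Detect whether a DNS reply from an authoritative server looks intercepted.

Added example for the thread above; not code from either poster.
"""
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 1) -> bytes:
    # Flags 0x0000: RD=0, because we are asking the authoritative server itself
    # and do not want anything in the path to recurse on our behalf.
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def read_name(msg: bytes, off: int):
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the pointer occupies two bytes in the original place
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "records": records[:an]}


def interception_indicators(resp: dict, expected_id: int) -> list:
    """Heuristics (assumptions, not a protocol guarantee) for a reply that did
    not come from the authoritative server we addressed."""
    reasons = []
    if resp["id"] != expected_id:
        reasons.append("transaction id does not match the query")
    if not resp["aa"]:
        reasons.append("reply is not an authoritative answer (AA=0)")
    if resp["rd"]:
        # The server copies RD from the query; we sent RD=0, so RD=1 means
        # something rewrote the query before a resolver answered it.
        reasons.append("RD=1 in reply although the query set RD=0")
    return reasons


def sample_response(flags: int) -> bytes:
    """Constructed reply: www.example.com A 203.0.113.10 (TEST-NET-3), TTL 300."""
    question = build_query("www.example.com", 1, 1)[12:]
    header = struct.pack(">HHHHHH", 1, flags, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + rr


def query(server: str, name: str, txid: int = 1, timeout: float = 3.0) -> dict:
    """Send one UDP query and parse the reply (network use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, 1, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    # Addresses from the thread: hub.ubc.ca is authoritative for ubc.ca.
    reply = query("137.82.1.1", "www.ubc.ca", txid=42)
    print("answer records:", reply["records"])
    print("indicators:", interception_indicators(reply, 42) or "none")
```

An empty indicator list with AA=1, as in mdk's output, means the addressed server (or something faithfully proxying it) answered; a reply carrying RA=1 and AA=0 with a decremented TTL is the shape one would expect if the packet had been redirected to a caching resolver.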