[ooni-dev] Detection of DNS used by probe
art at torproject.org
Mon Jul 27 11:07:45 UTC 2015
> On Jul 14, 2015, at 3:59 PM, Clodo <clodo at clodo.it> wrote:
> Hi, I recently did some maintenance on a website called ipleak.net.
> I added a JSON/API feature, and I think it can be useful in an OONI probe
> to detect DNS spoofing/injection.
> For example, fetch this: (change the third-level domain to a random hash
> The domain is resolved by the ISP; their DNS query asks our
> authoritative server to resolve the random domain,
> and our server collects the IP address of the latest ISP DNS that requested
> the domain and reports it in the HTTP response.
> Note that if the ISP has more DNS servers (load-balancing), doing
> multiple requests (each with a new hash) can return many DNS IPs.
Oh this is indeed a very useful service and we were actually considering setting up something similar as an OONI test helper using DNS as a transport.
The server side code is very minimal and simple:
> For example, here in Italy it doesn't matter if I try to use Google DNS
> 220.127.116.11; my ISP (Vodafone) always does a 'Transparent DNS': they capture
> any request over port 53 and redirect it to their DNS.
> If a country does the same thing for censorship reasons, you can detect
> it with this technique.
> If this feature is interesting for OONI, feel free to use it on
> ipleak.net through our API.
We will consider using this as a service in the OONI DNS consistency test or perhaps even by default in all the tests we run that do DNS resolution (even the http_requests one).
> Otherwise, if you prefer to implement it yourself, I'm here for free
> You need a domain with an NS record that points to a server you control
> (DNS authoritative), bind9, a named pipe between bind9 and a script,
> and a wildcard SSL certificate if you want everything under SSL.
Is the code for your service available somewhere?
What database are you using to do the reverse lookup?
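
The helper-side correlation discussed in this thread (the probe resolves a fresh random label, the authoritative server records which resolver asked for it), as an added example that is not code from ipleak.net or OONI. The zone name, the bind9 query-log line shape, the expected egress networks and the sample log lines are assumptions constructed for illustration; a public resolver usually queries authoritative servers from egress addresses that differ from its service address, so the check compares against networks rather than a single IP.

```python
import ipaddress
import re
import secrets
from collections import defaultdict

ZONE = "helper.example"  # hypothetical zone delegated to the test helper

# Assumed bind9 querylog shape: "client <ip>#<port> (<qname>): query: ..."
QUERY_RE = re.compile(r"client (?:@\S+ )?([0-9a-fA-F.:]+)#\d+ \(([^)]+)\): query:")

def new_label():
    """Random, never-seen label so no cache on the path can answer for it."""
    return secrets.token_hex(16)

def resolvers_by_label(log_lines, zone=ZONE):
    """Map each random label to the set of source IPs that asked for it."""
    seen = defaultdict(set)
    suffix = "." + zone
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        # Lowercase the name: resolvers may randomise case (0x20 encoding).
        src, qname = m.group(1), m.group(2).rstrip(".").lower()
        if qname.endswith(suffix):
            seen[qname[:-len(suffix)]].add(ipaddress.ip_address(src))
    return seen

def classify(label, expected_egress, seen):
    """Compare resolvers seen for `label` with the networks the probe's
    configured resolver is expected to query from."""
    nets = [ipaddress.ip_network(n) for n in expected_egress]
    sources = seen.get(label, set())
    if not sources:
        return "no-query-seen", []
    foreign = sorted(str(ip) for ip in sources
                     if not any(ip in n for n in nets))
    return ("intercepted" if foreign else "consistent"), foreign

# Constructed log lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    "27-Jul-2015 11:07:45.101 client 198.51.100.7#40112 (aaaa1111.helper.example): query: aaaa1111.helper.example IN A -E (192.0.2.53)",
    "27-Jul-2015 11:07:46.350 client 203.0.113.20#5353 (bbbb2222.helper.example): query: bbbb2222.helper.example IN A -E (192.0.2.53)",
    "27-Jul-2015 11:07:46.900 client 203.0.113.21#5353 (bbbb2222.helper.example): query: bbbb2222.helper.example IN A -E (192.0.2.53)",
]
```

A "no-query-seen" result means the label never reached the helper at all, which is a separate signal (blocked or answered on the path) from a query arriving via an unexpected resolver.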