[ooni-dev] Detection of DNS used by probe

Arturo Filastò art at torproject.org
Mon Jul 27 11:07:45 UTC 2015


> On Jul 14, 2015, at 3:59 PM, Clodo <clodo at clodo.it> wrote:
> 
> Hi, I recently did some maintenance on a website called ipleak.net.
> I added a JSON/API feature, and I think it can be useful in an OONI probe
> to detect DNS spoofing/injection.
> 
> For example, fetch this (change the third-level domain to a random
> hash):
> 
> https://a_long_random_hash_for_every_request.ipleak.net?mode=json
> 
> The domain is resolved by the ISP: their DNS queries our authoritative
> server for the resolution of the random domain, our server collects the
> IP address of the latest ISP DNS that requested the domain and reports
> it in the HTTP response.
> 
> Note that if the ISP has more DNS servers (load-balancing), doing
> multiple requests (each with a new hash) can return many DNS IPs.
> 

Oh this is indeed a very useful service and we were actually considering setting up something similar as an OONI test helper using DNS as a transport.

The server side code is very minimal and simple:

https://github.com/TheTorProject/ooni-backend/blob/master/oonib/testhelpers/dns_helpers.py#L26

> For example, here in Italy it doesn't matter if I try to use Google DNS
> 8.8.8.8, my ISP (Vodafone) always does a 'Transparent DNS': they capture
> any request over port 53 and redirect it to their DNS.
> If a country does the same thing for censorship reasons, you can detect
> it with this technique.
> 
> If this feature is interesting for OONI, feel free to use it on
> ipleak.net through our API.
> 

We will consider using this as a service in the OONI DNS consistency test or perhaps even by default in all the tests we run that do DNS resolution (even the http_requests one).

> Otherwise, if you prefer to implement it yourself, I'm here for free
> support.
> You need a domain with an NS record that points to a server you control
> (DNS authoritative), a bind9, a named pipe between bind9 and a script,
> and a wildcard SSL certificate if you want everything under SSL.

Is the code for your service available somewhere?

What database are you using to do the reverse lookup?

~ Arturo
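
The probe-side check discussed in this thread, as an added example that is not part of the original messages and is not OONI or ipleak.net code. The zone `probe.example`, the `lookup` callback (which would fetch the URL and extract the resolver IP from the reply) and all addresses are constructed assumptions; the response format of the real service is not shown in the thread, so parsing is left to the caller.

```python
import ipaddress
import secrets

def probe_url(zone):
    """Build a URL under a fresh random label so no cache can answer it."""
    return f"https://{secrets.token_hex(16)}.{zone}/?mode=json"

def collect(zone, lookup, attempts=5):
    """Run several probes, each with a new name, to catch load-balanced resolvers.
    `lookup` (hypothetical) fetches the URL and returns the reported resolver IP."""
    return {url: lookup(url) for url in (probe_url(zone) for _ in range(attempts))}

def classify_resolvers(observed_ips, expected_egress):
    """Compare reported resolver IPs with the egress networks of the resolver
    the probe was configured to use.

    The authoritative server sees the recursive resolver's egress address, which
    for anycast public resolvers differs from the configured service address,
    so the comparison is against networks rather than one IP."""
    nets = [ipaddress.ip_network(n) for n in expected_egress]
    unique = sorted({ipaddress.ip_address(ip) for ip in observed_ips},
                    key=lambda a: (a.version, int(a)))
    unexpected = [str(a) for a in unique if not any(a in n for n in nets)]
    if not unique:
        verdict = "no_data"
    elif not unexpected:
        verdict = "consistent"
    elif len(unexpected) == len(unique):
        verdict = "intercepted"  # every query reached us via another resolver
    else:
        verdict = "mixed"        # some queries took an unexpected path
    return {"verdict": verdict, "resolvers": [str(a) for a in unique],
            "unexpected": unexpected}

if __name__ == "__main__":
    import itertools
    # Constructed scenario: probe configured for a resolver that egresses from
    # 192.0.2.0/24, but the helper reports two ISP resolvers instead.
    fake = itertools.cycle(["198.51.100.7", "198.51.100.8"])
    seen = collect("probe.example", lambda url: next(fake), attempts=4)
    print(classify_resolvers(seen.values(), ["192.0.2.0/24"]))
```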

