
Vodafone FTTH: DNS Hijacking/Interception?

  • 15-12-2021 11:28pm
    #1
    Registered Users Posts: 46


    Hi,

    I have a 1Gbps Vodafone SIRO connection. For almost a year I've been using a PC with two NICs running pfSense as my firewall/router in place of the Vodafone Gigabox, i.e. I have a cable running directly from the ONT to the pfSense box. I also run BIND as a DNS caching server on pfSense so all DNS resolution is handled locally.

    On Sunday the WAN connection went down. I spent some time troubleshooting but could not get it to re-connect. I dug out the Gigabox and set it up and it worked without issue. Tried pfSense again, no joy. I connected the pfSense box to the Gigabox and got partial success, I could ping IP addresses on the internet but could not browse the web. Some more troubleshooting and I found that BIND was not working as expected, but the Gigabox can resolve DNS queries without issue. If pfSense uses the Gigabox for DNS, everything works. So, what's going on?

    I manually configured my PC to use 8.8.8.8 for DNS. I visited https://www.dnsleaktest.com/, it shows Vodafone DNS.

    If I use the Linux dig tool to run a DNS lookup with "+trace" for any domain, it fails: it cannot resolve the top-level DNS servers.

    If I do a "dig @" specifying the IP of the authoritative DNS server for a domain, I get a non-authoritative response. This indicates the response is not coming from the server I have specified.

    If I send a DNS query to any IP address I will get a response, even IP addresses I know are not providing DNS services.

    If you're on Vodafone you can try this. Open a command prompt or powershell window. Type:

    nslookup www.google.ie 8.8.8.8


    I may be wrong, but this all seems to indicate that Vodafone have started intercepting all DNS traffic passing through their network, and it looks like it started on Sunday evening, at least for me. Has anyone else encountered this issue, or have issues using 3rd party devices in place of the Vodafone Gigabox?
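The three observations above (a non-DNS host "answers", an authoritative server replies without the AA bit, and the response comes back regardless of where the query was aimed) can be turned into a small probe. The following is an added example written for this page, not code from the original poster: it builds a raw UDP DNS query, decodes the reply header and A records, and returns a verdict for each target. The embedded sample reply is constructed to look like a typical middlebox answer; 192.0.2.1 (TEST-NET-1) is used as a host that must never answer DNS, and 198.51.100.7 is a documentation address standing in for whatever the interceptor returns.

```python
"""Probe for transparent DNS interception (added example, not from the thread).

Checks: (1) a query aimed at an IP that runs no DNS service must get no
reply; (2) a query aimed at a server authoritative for the name must come
back with AA=1; (3) any reply must carry the ID we sent. A transparent
interceptor on port 53 typically breaks (1) and (2).
"""
import random
import socket
import struct
from typing import Optional, Tuple


def build_query(qname: str, qid: int) -> bytes:
    """Minimal DNS query: 12-byte header (RD=1), one IN A question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data: bytes) -> dict:
    """Decode the header flags and any A records (handles name compression)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])

    def skip_name(o: int) -> int:
        while True:
            ln = data[o]
            if ln == 0:
                return o + 1
            if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return o + 2
            o += 1 + ln

    off = 12
    for _ in range(qd):                 # question section: name + type + class
        off = skip_name(off) + 4
    a_records = []
    for _ in range(an):                 # answer section
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": a_records}


def assess(sent_id: int, response: Optional[bytes], expect_dns: bool, expect_aa: bool) -> str:
    """Verdict for one probe. expect_dns: the target really is a DNS server.
    expect_aa: the target is authoritative for the name that was queried."""
    if response is None:
        return "blocked" if expect_dns else "ok (silent, as a non-DNS host should be)"
    if len(response) < 12:
        return "garbage"
    hdr = parse_response(response)
    if hdr["id"] != sent_id or not hdr["qr"]:
        return "unrelated packet"
    if not expect_dns:
        return "INTERCEPTED: a host that runs no DNS service answered"
    if expect_aa and not hdr["aa"]:
        return "INTERCEPTED: authoritative server answered without AA (a middlebox replied)"
    return "ok"


def probe(ip: str, qname: str, timeout: float = 2.0) -> Tuple[int, Optional[bytes]]:
    """Send one UDP query to ip:53; return (id sent, raw reply or None on timeout)."""
    qid = random.randrange(0, 0x10000)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(qname, qid), (ip, 53))
        data, _ = s.recvfrom(4096)
        return qid, data
    except socket.timeout:
        return qid, None
    finally:
        s.close()


# Constructed sample: the kind of reply an interceptor returns to a query that
# was aimed at 192.0.2.1 (no DNS service there). QR=1 RD=1 RA=1, AA=0, RCODE=0,
# one A record for www.google.ie pointing at 198.51.100.7 (documentation address).
SAMPLE_ID = 0xBEEF
SAMPLE_INTERCEPTED_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_ID, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x06google\x02ie\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
)

if __name__ == "__main__":
    # (ip, name, is_a_dns_server, is_authoritative_for_name). To run the AA
    # check, add the IP of one of the zone's NS records with a name in that zone
    # and both flags True.
    targets = [("8.8.8.8", "www.google.ie", True, False),      # public resolver
               ("192.0.2.1", "www.google.ie", False, False)]   # TEST-NET: must stay silent
    for ip, name, is_dns, is_auth in targets:
        qid, raw = probe(ip, name)
        print(f"{ip:>12} {name} -> {assess(qid, raw, is_dns, is_auth)}")
```

On a clean path the TEST-NET probe times out and the 8.8.8.8 probe reports "ok"; a reply from 192.0.2.1, or an AA=0 reply from a real authoritative server, is the interception signature the post describes. A timeout on 8.8.8.8 alone points at port 53 being dropped rather than answered.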



Comments

  • Registered Users Posts: 46 InquiringMind


    If you're on Vodafone you can try this. Open a command prompt or powershell window. Type:

    nslookup www.google.ie 8.8.8.8

    Now try the same with any IP address. Any IP I try gives a response, which in reality is Vodafone intercepting and responding to the query.



  • Registered Users Posts: 46 InquiringMind


    To clarify, 8.8.8.8 is a valid DNS server and should give a response. Almost every other IP address you try should not.



  • Registered Users Posts: 46 InquiringMind


    So the DNS issue was a setting on the Vodafone Gigabox, "Secure DNS". DNS started working normally once that was disabled.

    Still working on getting the pfSense connection working.



  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    It's possible this all relates to something going awry on the BSD install. Check it for package updates around the time you lost access.


    DNSSEC still isn't really a thing. I'd guess they're filtering out port 53 traffic to stop people evading parental controls (somewhat).



  • Registered Users Posts: 288 ✭✭gordonnet


    You could set up DNS over HTTP using cloudflared - https://github.com/cloudflare/cloudflared.

    or use Unbound. https://unbound.docs.nlnetlabs.nl/en/latest/ (this can be configured on a local PC, and DoH is also supported).

    Since pfSense® software version 2.2, Unbound has been integrated into the base system. Unbound is also the default DNS Resolver for new installations.

    Also check the result of tracert www.google.ie. (Just to check what DNS server is configured on the WAN interface of pfSense.)
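An added config example (not gordonnet's, nor pfSense's or Unbound's own documentation): a minimal unbound.conf that sends every upstream query over DNS-over-TLS on port 853 with certificate verification, so a device that intercepts or drops port 53 has nothing to answer. The upstream addresses are Cloudflare's and Quad9's published DoT endpoints; the CA bundle path is FreeBSD's ca_root_nss location and is an assumption for other systems (on Linux it is usually /etc/ssl/certs/ca-certificates.crt).

```conf
# /usr/local/etc/unbound/unbound.conf  (added example, FreeBSD paths assumed)
server:
    interface: 127.0.0.1
    interface: 192.168.1.1          # assumption: the LAN address of the resolver box
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    # Needed so the "#hostname" part of forward-addr is actually verified.
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    harden-dnssec-stripped: yes
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

After reloading, `unbound-control status` and a `dig @127.0.0.1 www.google.ie` should resolve while a plain `dig @8.8.8.8` from the same box still shows whatever the ISP path is doing; if the ISP were also blocking 853, the forwarders would simply time out, which is the visible failure mode rather than a silently substituted answer.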



  • Registered Users Posts: 942 ✭✭✭Trevord


    I seem to be having difficulty getting the router (Vodafone SIRO Gigabox) to accept a DNS change. On the router's DNS page I've switched from so-called "Automatic" to "Manual" and inputted the Google DNS addresses 8.8.8.8 and 8.8.4.4.

    A warning message appears to caution about disabling Secure DNS.

    I hit APPLY and then rebooted the router (and restarted the Siro box)

    However, after reboot the Status and Support page in the router interface is still showing Vodafone's Primary and Secondary DNS rather than the google DNS.

    Am I doing something wrong here? Is Secure DNS disabled as soon as you pick Manual DNS and input alternative DNS addresses or is there a setting to disable Secure DNS located in a different section of the interface that I need to click on?

    Could someone who has switched to a Non Vodafone DNS confirm that the DNS listed on the router's "Status and Support" page is supposed to update to the manually configured DNS addresses after a router reboot?



  • Registered Users Posts: 46 InquiringMind


    I ended up replacing the PC I was using as a firewall, I suspect at least some of my issues were related to the old PC.

    Neither pfSense nor FreeBSD 12/13 would install on the new machine. Ended up going with FreeBSD 14 MAIN, and then configuring everything manually (VLAN, PPPoE, pf firewall). Working so far. Gigabox is back in the drawer.


