ISP tricks DNS

dns, isp, networking

Running "nslookup google.com 8.8.8.8" yields IPs of my ISP (as a Non-authoritative answer). I think this started occurring recently. Probably they are caching or something, as the nearest Google data center is quite far away.

First of all, how is that even possible? I thought the worst they could do is block me from sending a DNS request to 8.8.8.8 (say by blocking remote port 53), but how can they keep 8.8.8.8 from sending me the correct address?

Second, how can I bypass this, if at all?

Thanks

EDIT:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\asdf>nslookup google.com 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    google.com
    Addresses:  2a00:1450:4017:801::1006
              212.199.205.232
              212.199.205.242
              212.199.205.222
              212.199.205.237
              212.199.205.231
              212.199.205.241
              212.199.205.212
              212.199.205.227
              212.199.205.247
              212.199.205.246
              212.199.205.251
              212.199.205.221
              212.199.205.217
              212.199.205.236
              212.199.205.226
              212.199.205.216

    C:\Users\asdf>

And using DNSCrypt (with and without the option of DNSCrypt over port 443):

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\asdf>nslookup google.com
    1.0.0.127.in-addr.arpa
            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial  = 1
            refresh = 600 (10 mins)
            retry   = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    Server:  UnKnown
    Address:  127.0.0.1

    Non-authoritative answer:
    Name:    google.com
    Addresses:  2a00:1450:4017:800::1008
              212.199.205.242
              212.199.205.247
              212.199.205.237
              212.199.205.232
              212.199.205.231
              212.199.205.226
              212.199.205.217
              212.199.205.212
              212.199.205.227
              212.199.205.241
              212.199.205.236
              212.199.205.246
              212.199.205.216
              212.199.205.251
              212.199.205.221
              212.199.205.222

    C:\Users\asdf>

Formatting is a bit off, sorry about that.

Best Answer

  • I don't think what you think is hijacking is hijacking (I am not saying it is not happening, just that the evidence does not point to it).

    From what it looks like, you are just seeing the third-party, location-based CDNs Google uses for its servers.

    Google would never be able to serve up pages at the speed it offers if every query had to go through a master database back in Mountain View, CA. So they have thousands of mirrored servers at ISPs all over the world to help serve up content quicker. They do not necessarily manage the servers that are hosting the page, only the software running on the server. Heck, it could be done all with VPSes.

    So you are likely seeing the IPs belonging to the hosting company/CDN that Google is using for serving pages in your area.

    (P.S. The way they are pointing you to the correct CDN (the reason you get a different set of numbers vs. ping.eu) is that the DNS servers sitting on 8.8.8.8 look at the requesting IP and reply with the IPs for the CDN serving that area by doing an IP geolocation lookup.)
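As an added example that is not part of the question or the answer above: the test the asker actually ran, a plain UDP query to 8.8.8.8 beside the same query through a DNSCrypt tunnel, is a good hijack check, and the way to read it is to compare the two answer sets rather than eyeball the ordering. The script below parses both captures (the sample strings are constructed from the output pasted in the question), compares the addresses per IP version, and computes the smallest CIDR block that covers the IPv4 answers. The function names and sample strings are my own, not anything from the original post.

```python
"""Compare two nslookup captures of the same name for signs of on-path tampering.

Added example, not code from the original question or answer.  The captures
below are constructed from the output pasted in the question: one plain UDP
query sent straight to 8.8.8.8, one sent through a local DNSCrypt proxy.  If
an ISP were rewriting the plain-text answer, the address set seen over the
encrypted path would differ from the one seen over plain UDP.
"""
import ipaddress
from typing import Dict, Set

# Constructed from the question's first capture.  Addresses are wrapped several
# to a line to save space; the parser is whitespace-based, so it reads real
# nslookup output (one address per line) the same way.
PLAIN_8888 = """\
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4017:801::1006
          212.199.205.232  212.199.205.242  212.199.205.222  212.199.205.237
          212.199.205.231  212.199.205.241  212.199.205.212  212.199.205.227
          212.199.205.247  212.199.205.246  212.199.205.251  212.199.205.221
          212.199.205.217  212.199.205.236  212.199.205.226  212.199.205.216
"""

# Constructed from the question's second capture (via DNSCrypt on 127.0.0.1).
DNSCRYPT_LOCAL = """\
Server:  UnKnown
Address:  127.0.0.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4017:800::1008
          212.199.205.242  212.199.205.247  212.199.205.237  212.199.205.232
          212.199.205.231  212.199.205.226  212.199.205.217  212.199.205.212
          212.199.205.227  212.199.205.241  212.199.205.236  212.199.205.246
          212.199.205.216  212.199.205.251  212.199.205.221  212.199.205.222
"""


def answer_addresses(nslookup_output: str) -> Set:
    """Collect the IP literals from the answer section of an nslookup capture.

    The 'Server:' / 'Address:' header names the resolver that was asked, not
    the answer, so collection starts only at 'Non-authoritative answer:' (or
    at 'Name:' for an authoritative answer).  Non-address tokens are skipped.
    """
    addrs = set()
    in_answer = False
    for line in nslookup_output.splitlines():
        head = line.strip().lower()
        if head.startswith("non-authoritative answer") or head.startswith("name:"):
            in_answer = True
        if not in_answer:
            continue
        for tok in line.split():
            try:
                addrs.add(ipaddress.ip_address(tok))
            except ValueError:
                pass  # 'Name:', 'google.com', 'Addresses:' ...
    return addrs


def compare_captures(first: str, second: str, version: int = 4) -> Dict[str, object]:
    """Compare the addresses of one IP version from two captures.

    Resolvers that spread load rotate record order between answers, so only
    set membership is compared, never the order.
    """
    a = {x for x in answer_addresses(first) if x.version == version}
    b = {x for x in answer_addresses(second) if x.version == version}
    return {
        "identical": a == b,
        "only_in_first": sorted(str(x) for x in a - b),
        "only_in_second": sorted(str(x) for x in b - a),
    }


def covering_network(addrs) -> ipaddress.IPv4Network:
    """Smallest IPv4 CIDR block containing every IPv4 address in `addrs`.

    Sixteen answers that all fit in one small block belong to one site; that
    is a quick sanity check before looking the block up in whois.
    """
    v4 = sorted(a for a in addrs if a.version == 4)
    if not v4:
        raise ValueError("no IPv4 addresses to cover")
    net = ipaddress.ip_network(str(v4[0]))  # start from a /32 ...
    while not all(a in net for a in v4):    # ... and widen until all fit
        net = net.supernet()
    return net


if __name__ == "__main__":
    for version in (4, 6):
        print(f"IPv{version}:", compare_captures(PLAIN_8888, DNSCRYPT_LOCAL, version))
    print("IPv4 answers all inside", covering_network(answer_addresses(PLAIN_8888)))
```

On the captures from the question the IPv4 sets are identical (the 16 addresses are merely reordered) and all of them sit inside 212.199.205.192/26; only the AAAA record differs, and by an adjacent /64 inside the same 2a00:1450:4017::/48. An on-path rewrite of the plain UDP answer would show up as addresses present in one set and absent from the other. To turn this into a live check, paste fresh nslookup output from both paths into the two strings; a further confirmation is to open a TLS connection to one of the returned addresses with `openssl s_client -connect <ip>:443 -servername google.com` and check that the certificate presented chains to a CA you trust and is issued for google.com.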
