Is there a tool or way to evidence DNS hijacking, censorship, or poisoning? [closed]
I've noticed that just accessing some types of websites sometimes returns something else, depending on where you are in the world etc.
This could be done by changing DNS records at different stages of the DNS lookup; maybe the ISP's recursive resolver is the most common spot. This can also be used for injecting ads (not sure how though).
But is there any way to evidence this? Is there a way to not go through the ISP recursive resolver?
Any links for further reading are welcome.
There is not one answer to your question, but in most cases this is not caused by DNS but by the website you are visiting.
An example is the generic google.com, which will quickly redirect you to their nearest server in your country, based on your IP address. That local Google server will insist on including some search results in the language of the country you are in, no matter whether you specified your own preferred language.
The most efficient method of avoiding these algorithms is to use a VPN server that is situated in the country you would like such websites to use by default.
This is a very broad question, with lots of elements in the answer. These include:
- To bypass DNS issues with your provider or country, use a VPN and ensure DNS queries are routed across it.
- In the simple case, it is quite practical for an ISP to hijack DNS queries. They can do this by only allowing DNS queries (i.e. port 53) to their nameservers, or by redirecting port 53 to their nameservers. (If they knew how I was doing it, my kids could swear that this is effective!)
- There are tools to look up results, including online tools which will provide lookup results from many servers, and tools like "dig" (for Unix) with the +trace option.
There are mitigations to MITM attacks, like DoH (DNS over HTTPS, which bypasses raw DNS queries) and signed DNS records (see https://stealthbits.com/blog/dns-over-https/ for info on enabling DoH).
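The "look it up from many servers and compare" approach in the answer above, written out as an added example (this is not code from the question or either answer, and it does not use dig). It builds a raw DNS A query, parses the answer section of the reply, and reports which resolvers disagree with the majority; it also checks the classic hijack signal of a name that cannot exist coming back with addresses instead of NXDOMAIN. The resolver addresses and hostname in the demo are assumptions, and make_response() fabricates reply packets so the parsing and comparison can be exercised offline:

```python
"""Compare the answers several resolvers give for one name.

Added example, not code from the original post: raw DNS A query, answer
parsing, and majority comparison across resolvers. Resolver addresses and
the hostname in the demo are assumptions; make_response() fabricates packets
so the parsing and comparison run without network access.
"""
import random
import socket
import struct
from collections import Counter

RCODE_NXDOMAIN = 3


def build_query(name: str, qid: int) -> bytes:
    """Standard query: ID, RD=1, one question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Advance past a label sequence or a 2-byte compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, qid: int) -> tuple[int, frozenset[str]]:
    """Return (RCODE, A-record addresses); reject replies whose ID differs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response ID does not match query ID")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, frozenset(ips)


def make_response(qid: int, name: str, ips, rcode: int = 0) -> bytes:
    """Constructed reply for offline tests (not captured traffic): echoes the
    question, then one A record per address, each named via pointer 0xC00C."""
    q = build_query(name, qid)
    msg = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0) + q[12:]
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return msg


def query(resolver: str, name: str, timeout: float = 2.0) -> tuple[int, frozenset[str]]:
    """Send the query over UDP/53 to one resolver (needs network access)."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def find_outliers(answers: dict[str, frozenset[str]]) -> dict[str, frozenset[str]]:
    """Resolvers whose answer set differs from the most common answer set."""
    if not answers:
        return {}
    majority, _ = Counter(answers.values()).most_common(1)[0]
    return {r: a for r, a in answers.items() if a != majority}


def nxdomain_rewritten(rcode: int, ips) -> bool:
    """A name that cannot exist should come back NXDOMAIN with no addresses;
    a successful answer carrying A records means something rewrote the reply."""
    return rcode != RCODE_NXDOMAIN and len(ips) > 0


if __name__ == "__main__":
    # Assumed public resolvers and hostname; a CDN-fronted name legitimately
    # differs by location, so pick one whose address should be stable.
    live = {}
    for resolver in ("1.1.1.1", "8.8.8.8", "9.9.9.9"):
        try:
            live[resolver] = query(resolver, "example.com")[1]
        except (OSError, ValueError) as exc:
            live[resolver] = frozenset({f"error: {exc}"})
    for resolver, ips in live.items():
        print(resolver, sorted(ips))
    print("disagreeing resolvers:", find_outliers(live))
```

Two caveats when reading the output. First, as the other answer points out, geo-distributed sites legitimately return different addresses in different places, so disagreement is only evidence for names whose address should not vary; the NXDOMAIN check avoids that problem entirely. Second, if the ISP redirects all of port 53 to its own servers, every resolver in the list (and dig +trace, which also speaks plain port 53) will be answered by the same box, so the comparison to make is against a result obtained over the VPN or DoH path, not between the UDP/53 queries alone.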