Running "nslookup google.com 8.8.8.8" yields IPs of my ISP (as Non-authoritative answer). I think this started occurring recently. Probably they are making cache or something, as the nearest Google data center is quite far away.

First of all, how is that even possible? I thought the worst they could do is block me from sending a DNS request to 8.8.8.8 (say by blocking remote port 53), but how can they trick 8.8.8.8 from sending me a correct address?

Second, how can I bypass this, if at all?

Thanks

EDIT:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\asdf>nslookup google.com 8.8.8.8
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Non-authoritative answer:
    Name: google.com
    Addresses: 2a00:1450:4017:801::1006
         212.199.205.232
         212.199.205.242
         212.199.205.222
         212.199.205.237
         212.199.205.231
         212.199.205.241
         212.199.205.212
         212.199.205.227
         212.199.205.247
         212.199.205.246
         212.199.205.251
         212.199.205.221
         212.199.205.217
         212.199.205.236
         212.199.205.226
         212.199.205.216

    C:\Users\asdf>

And using DNSCrypt (with and without option of DNSCrypt over port 443):

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\asdf>nslookup google.com
    1.0.0.127.in-addr.arpa
            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial = 1
            refresh = 600 (10 mins)
            retry = 1200 (20 mins)
            expire = 604800 (7 days)
            default TTL = 10800 (3 hours)
    Server: UnKnown
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: google.com
    Addresses: 2a00:1450:4017:800::1008
         212.199.205.242
         212.199.205.247
         212.199.205.237
         212.199.205.232
         212.199.205.231
         212.199.205.226
         212.199.205.217
         212.199.205.212
         212.199.205.227
         212.199.205.241
         212.199.205.236
         212.199.205.246
         212.199.205.216
         212.199.205.251
         212.199.205.221
         212.199.205.222

    C:\Users\asdf>

Formatting is a bit off, sorry about that.


Solution 1:

I don't think what you think is hijacking is hijacking (I am not saying it is not happening, just the evidence does not point to it.)

From what it looks like you are just seeing 3rd party location based CDNs Google uses for its servers.

Google would never be able to serve up pages at the speed it offers if every query had to go through a master database back in Mountain View, CA. So they have 1000s of mirrored servers at ISPs all over the world to help serve up content quicker. They do not necessarily manage the servers that are hosting the page, only the software running on the server. Heck, it could be done all with VPSs.

So you are likely seeing the IPs belonging to the hosting company/CDN that Google is using for serving pages in your area.

(P.S. The way they are pointing you to the correct CDN (the reason you get a different set of numbers vs ping.eu) is the DNS servers sitting on 8.8.8.8 look at the requesting IP and reply with the IPs for the CDN serving that area by doing an IP Geolocation Lookup.)

Solution 2:

Do you get the same results when using 8.8.4.4 as a DNS server? 208.67.222.222 ? 208.67.220.220 ?

If your ISP is hijacking connections to 8.8.8.8, there's not much you can do other than complain to them and connect to 8.8.8.8 over a VPN.

I would very much like to see the DNS report from NameBench, a DNS testing utility which is primarily used for comparing and finding the fastest DNS server available, but also checks for hijacking. It will tell you if your ISP is doing Bad Things™ with your internet.
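
Added example, not part of either answer: a Python sketch of the comparison Solution 2 asks for, parsing nslookup transcripts from several resolvers and checking whether the IPv4 answers agree. The two samples are rebuilt from the transcripts in the question; the function names and report layout are assumptions made here.

```python
import ipaddress
import re

def parse_answer(transcript):
    """Addresses from the answer section of nslookup output (header excluded)."""
    # Everything before "Name:" is the Server:/Address: header naming the
    # resolver itself (8.8.8.8, 127.0.0.1), which must not count as an answer.
    _, _, answer = transcript.partition("Name:")
    found = set()
    for token in re.split(r"[\s,]+", answer):
        try:
            found.add(ipaddress.ip_address(token))
        except ValueError:
            pass  # "google.com", "Addresses:", prompt text
    return found

def compare(transcripts):
    """transcripts: {label: nslookup output}. Summarise agreement of A records."""
    # IPv4 only: those are the addresses the question attributes to the ISP.
    v4 = {k: {a for a in parse_answer(t) if a.version == 4}
          for k, t in transcripts.items()}
    union = set().union(*v4.values())
    common = set(union).intersection(*v4.values())
    report = {"agree": all(s == union for s in v4.values()),
              "only_in": {k: sorted(map(str, s - common)) for k, s in v4.items()},
              "covering_net": None}
    if union:
        # Smallest single network holding every answer: the block to look up
        # in whois to see who operates the hosts.
        net = ipaddress.ip_network(str(min(union)))
        while max(union) not in net:
            net = net.supernet()
        report["covering_net"] = str(net)
    return report

def _sample(server_name, server_addr, v6, octets):
    # Rebuilds a transcript from the question in nslookup's layout.
    rows = "\n".join(f"     212.199.205.{n}" for n in octets)
    return (f"Server: {server_name}\nAddress: {server_addr}\n\n"
            f"Non-authoritative answer:\nName: google.com\nAddresses: {v6}\n{rows}\n")

PLAIN = _sample("google-public-dns-a.google.com", "8.8.8.8", "2a00:1450:4017:801::1006",
                (232, 242, 222, 237, 231, 241, 212, 227, 247, 246, 251, 221, 217, 236, 226, 216))
DNSCRYPT = _sample("UnKnown", "127.0.0.1", "2a00:1450:4017:800::1008",
                   (242, 247, 237, 232, 231, 226, 217, 212, 227, 241, 236, 246, 216, 251, 221, 222))

if __name__ == "__main__":
    print(compare({"8.8.8.8 (plain)": PLAIN, "DNSCrypt proxy": DNSCRYPT}))
```

On the question's data the plain and DNSCrypt lookups return the same 16 IPv4 addresses in a different order. Differing sets would not prove tampering on their own, since answers steered by requester location can legitimately vary between resolvers.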