Is there an Internet Organization to file complaints to about ISP DNS Hijacking?

Solution 1:

I know of zero countries in the world that have a regulatory body that both a) cares and b) has the power to penalize IP spoofing foul play.

The international organizations all lack b), and on the federal level you probably won't be successful either, for example:

FCC (USA) is probably the most popular one, which does care to some degree and will gladly register your formal customer complaints, then recommend you deploy DNSSEC to mitigate security issues and admit that they have zero power over ISPs.

Bundesnetzagentur (Germany) which falls into the "has the power" group (they do prosecute phone number spoofing, low internet speed, illegal ToC) has recently (in a similar case) expressly told me that they could not care less.


So what can you do?

  • Some ISPs are well known to do this and more or less openly admit under what circumstances they do. You are likely to be able to change your contract to avoid it (e.g. most ISPs have separate end user and business contracts, the latter including fewer shenanigans).
  • German DSL ex-monopolist Telekom Deutschland has as of April 2019 stopped providing spoofed responses, apparently shortly after learning about criminal investigation proceedings about data manipulation & formal complaints on privacy grounds. They had been redirecting customers to advertising partners by supplying fake A records. Since potential sanctions from privacy violations are currently hard to estimate for companies, the threat from such provisions in GDPR etc. might be enough.

That being said, you do not know for sure your ISP is doing that yet: your test is inadequate, and the speed at which queries are updated is not deterministic, not even for Google's 8.8.8.8 (which obviously is NOT a single machine, and does not necessarily run the same setup for every machine, see https://peering.google.com/). Some equally inadequate (because only catching a few special cases) tests are:

  • Google goes SERVFAIL for dig version.bind chaos txt @8.8.8.8, but caching resolvers in between will often respond (usually something borderline rude).
  • Query for a domain name that isn't properly encoded or otherwise invalid in its respective TLD (dig 🖕.com. in TXT @8.8.8.8) - Google will say NXDOMAIN, other resolvers will say SERVFAIL.
  • If your ISP is doing it for all and any DNS queries, not just the Google ones, you might verify by setting up a simple DNS resolver (something like dnsmasq --no-resolv --server /example.com/127.0.0.8/ --bind-interfaces --listen-address 192.0.2.1 --log-queries) and then look who is querying it when you access it via different ISPs (dig example.com @192.0.2.1). The most obvious clue would then be that while you queried your server directly, you have received more responses than queries showed up in your resolver log (this is how I determine if I am being MitM'd by a caching resolver).
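The last test in the answer above (count the answers you receive, compare against the queries your own server logged) as a worked example. This is an added illustration, not code from the answer's author: it replaces the dnsmasq log with a tiny authoritative DNS server that speaks RFC 1035 wire format on 127.0.0.1, and stands a simulated transparent caching resolver in front of it to play the role of an intercepting ISP. The names and addresses (example.com, the RFC 5737 address 192.0.2.10, loopback ports picked at bind time) are assumptions for the demonstration.

```python
"""Added example: detect a caching MitM by comparing client responses with server log."""
import random
import socket
import struct
import threading


def build_query(name, qtype=1, txid=None):
    """Build a DNS query (RFC 1035 wire format) for NAME; A record, class IN, RD set."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "ancount": an}


def question_bytes(pkt):
    """Return the question section of PKT (assumes QDCOUNT == 1)."""
    i = 12
    while pkt[i] != 0:
        i += pkt[i] + 1
    return pkt[12:i + 5]  # labels, root byte, QTYPE, QCLASS


def build_answer(query, ip, ttl=60):
    """Authoritative answer to QUERY: one A record for IP, flags QR|AA|RD|RA."""
    header = query[:2] + struct.pack("!HHHHH", 0x8580, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question_bytes(query) + rr


class UdpService(threading.Thread):
    """Tiny UDP listener on 127.0.0.1 (assumed loopback); subclasses implement handle()."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.alive = True
        self.log = []  # every query that actually reached this listener

    def run(self):
        while self.alive:
            try:
                data, peer = self.sock.recvfrom(512)
            except socket.timeout:
                continue
            self.log.append(data)
            self.sock.sendto(self.handle(data), peer)

    def stop(self):
        self.alive = False
        self.join()
        self.sock.close()


class Authoritative(UdpService):
    """Stands in for the dnsmasq instance in the answer: answers and logs everything."""
    def handle(self, query):
        return build_answer(query, "192.0.2.10")  # RFC 5737 documentation address (assumed)


class Interceptor(UdpService):
    """Simulated ISP cache: forwards the first query for a name, answers the rest itself."""
    def __init__(self, upstream_port):
        super().__init__()
        self.upstream = ("127.0.0.1", upstream_port)
        self.cache = {}

    def handle(self, query):
        key = question_bytes(query)
        if key not in self.cache:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(1.0)
            up.sendto(query, self.upstream)
            self.cache[key] = up.recv(512)[2:]  # cache everything after the ID
            up.close()
        return query[:2] + self.cache[key]  # re-stamp the client's transaction ID


def send_queries(port, name, count):
    """Send COUNT queries to PORT; count valid responses whose ID matches ours."""
    received = 0
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(1.0)
    for _ in range(count):
        q = build_query(name)
        client.sendto(q, ("127.0.0.1", port))
        h = parse_header(client.recv(512))
        if h["is_response"] and h["id"] == parse_header(q)["id"] and h["ancount"] == 1:
            received += 1
    client.close()
    return received


def run_experiment(intercepted, count=5):
    """Return (responses the client saw, queries logged by our authoritative server)."""
    auth = Authoritative()
    auth.start()
    mitm = Interceptor(auth.port) if intercepted else None
    if mitm:
        mitm.start()
    try:
        got = send_queries((mitm or auth).port, "example.com", count)
    finally:
        if mitm:
            mitm.stop()
        auth.stop()
    return got, len(auth.log)


def looks_intercepted(responses, logged):
    """The answer's clue: more answers arrived than queries reached your own server."""
    return responses > logged


if __name__ == "__main__":
    for label, flag in (("direct", False), ("via caching MitM", True)):
        got, logged = run_experiment(flag)
        verdict = "intercepted" if looks_intercepted(got, logged) else "clean"
        print(f"{label}: {got} responses, {logged} logged queries -> {verdict}")
```

Against a real ISP you would run only the client half from each access network and read the server log on your own host; the interceptor here exists just to show what the mismatch looks like. A single run can be fooled by packet loss in the other direction (fewer responses than logged queries), so repeat the check a few times and only treat a consistent surplus of responses as evidence.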