T-Mobile hijacks Google and Level3 DNS servers
Posted: Oct 28, 2014
UPDATE: It looks like they fixed it. Let me know if you continue to see intercepted DNS traffic. -Eli, 11/5/14
    $ nslookup bogus.fake.esd.io
    Server:     192.168.42.129
    Address:    192.168.42.129#53

    Name:   bogus.fake.esd.io
    Address: 188.8.131.52
    Name:   bogus.fake.esd.io
    Address: 184.108.40.206

Those IP addresses returned (18.104.22.168 & 22.214.171.124) belong to tmob.search-help.net. Typically users who don't want this sort of annoying search page can avoid it by manually changing their DNS to another server not controlled by the ISP. A popular semi-public choice of DNS server is 126.96.36.199. Except with T-Mobile internet, even switching servers results in the same problem!

    $ nslookup bogus.fake.esd.io 18.104.22.168
    Server:     22.214.171.124
    Address:    126.96.36.199#53

    Name:   bogus.fake.esd.io
    Address: 188.8.131.52
    Name:   bogus.fake.esd.io
    Address: 184.108.40.206

But! Here's what happens when you make the same request for the previous server's neighbor: 220.127.116.11. T-Mobile's network does not intercept requests to this server.

    $ nslookup bogus.fake.esd.io 22.214.171.124
    Server:     126.96.36.199
    Address:    188.8.131.52#53

    ** server can't find bogus.fake.esd.io: NXDOMAIN

That works! NXDOMAIN is the result we want when we query a domain that doesn't exist. They are messing with 220.127.116.11 but not with 18.104.22.168. Further evidence: compare the traceroutes.

    $ traceroute 18.104.22.168
    traceroute to 22.214.171.124 (126.96.36.199), 64 hops max, 52 byte packets
     1  192.168.42.129 (192.168.42.129)  0.778 ms  0.214 ms  0.352 ms
     2  10.170.226.192 (10.170.226.192)  3571.048 ms  37.735 ms  39.922 ms
     3  10.170.201.10 (10.170.201.10)  55.323 ms  37.650 ms  51.597 ms
     4  10.177.30.209 (10.177.30.209)  92.900 ms  71.239 ms  110.118 ms
     5  10.177.24.10 (10.177.24.10)  71.566 ms  77.048 ms  80.365 ms
     6  xe-8-2-0.edge3.washington1.level3.net (188.8.131.52)  61.665 ms  67.321 ms  58.015 ms
     7  ae-104-3504.edge1.washington12.level3.net (184.108.40.206)  61.814 ms
        ae-101-3501.edge1.washington12.level3.net (220.127.116.11)  76.690 ms
        ae-203-3603.edge1.washington12.level3.net (18.104.22.168)  111.538 ms
     8  ae-201-3601.edge1.washington12.level3.net (22.214.171.124)  57.449 ms
        ae-102-3502.edge1.washington12.level3.net (126.96.36.199)  59.410 ms
        ae-202-3602.edge1.washington12.level3.net (188.8.131.52)  98.926 ms
     9  a.resolvers.level3.net (184.108.40.206)  57.297 ms  55.422 ms  74.387 ms

    $ traceroute 220.127.116.11
    traceroute to 18.104.22.168 (22.214.171.124), 64 hops max, 52 byte packets
     1  192.168.42.129 (192.168.42.129)  0.684 ms  0.363 ms  0.245 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *

184.108.40.206 works, 220.127.116.11 (the more common one) is getting eaten by T-Mobile.
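The check performed by hand above, as an added example that is not part of the original post: a stdlib-only Python probe that sends an A query for a random label under a zone where the name cannot exist (`fake.esd.io`, as in the post) to a resolver of your choosing, and classifies the reply as NXDOMAIN (honest), HIJACKED (A records returned for a nonexistent name), or OTHER. It assumes plain DNS over UDP port 53 with no EDNS or TCP fallback, and the function names and the 192.0.2.x test values are my own.

```python
import os
import socket
import struct

def build_query(qname, qid):
    """RFC 1035 standard query: recursion desired, one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a domain name, honouring compression pointers (0xC0xx).
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def classify_response(msg, qid):
    """Return (verdict, A records). HIJACKED = answers for a name that cannot exist."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        return ("BAD-ID", [])           # not a reply to our query; ignore it
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if (flags & 0x000F) == 3:           # RCODE 3 = NXDOMAIN
        return ("NXDOMAIN", ips)
    if (flags & 0x000F) == 0 and ips:   # NOERROR plus addresses for a bogus name
        return ("HIJACKED", ips)
    return ("OTHER", ips)

def probe(resolver, zone="fake.esd.io", timeout=3.0):
    """Query a random label under zone via resolver:53 and classify the reply."""
    qid = int.from_bytes(os.urandom(2), "big")
    qname = os.urandom(6).hex() + "." + zone   # fresh label each run, defeats caching
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data, qid)
```

Run `probe()` against each resolver you care about; a HIJACKED verdict reproduces what the nslookup sessions above show, and the addresses it returns are the ones to look up, as the post does with tmob.search-help.net.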
Questions for T-Mobile
- What is the purpose of intercepting/altering traffic to third-party DNS servers?
- What's the full list of addresses being intercepted?
- Why is NXDOMAIN being hijacked in the first place? Is it to generate revenue from ads on the search page, or is there some other technical reason?