My ISP intercepts all the DNS requests

hukadan
Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:
Code:
forward-zone:
        name: "."
        forward-tls-upstream: yes
        # The "@853#hostname" form makes unbound check the certificate name of the
        # upstream; it only verifies if tls-cert-bundle is also set in the server
        # section (see unbound.conf(5)). Without that, TLS is opportunistic and an
        # on-path box could still terminate the session with its own certificate.
        forward-addr: 9.9.9.9@853#dns.quad9.net        # Quad9
        forward-addr: 1.1.1.1@853#cloudflare-dns.com   # Cloudflare

Apart from Quad9 and Cloudflare, it seems that only Google provides DNS over TLS.
 
Does Bouygues Telecom mention the interception of DNS requests in their Privacy declaration which they presented to you as part of the service contract?

Now there are two general cases:

A) It is not mentioned. This would for sure be a violation of the GDPR, since the ISP can easily connect all your DNS requests with your personal data and it would take almost nothing to profile you on this. French data protection authorities seem to be not very forgiving; Google was just recently fined €50 million for a GDPR violation in France. So chances are that Bouygues Telecom would stop this immediately when you write them a kind letter informing them that they are at risk of being fined up to 4 % of their yearly sales because of this DNS interception.

B) It is mentioned. In this case you need to read the small print thoroughly, and perhaps you or a lawyer may find some hints on how to prevent them from intercepting your DNS requests.
 
The easy way out is to run your own resolver. I run mine on a cheap VPS which I use for VPN as well. I don't actually have a problem with my ISP, but I avoid them on principle anyway.
 
Does Bouygues Telecom mention the interception of DNS requests in their Privacy declaration which they presented to you as part of the service contract?
To be honest, I haven't read it yet, and it was too late last night. But I will surely do it today.

dnsprivacy.org seems to be maintaining a non-comprehensive list of servers with DoT capabilities.
Thank you. I will add them to the list.

The easy way out is to run your own resolver.
That would not work: they would intercept the requests and redirect them to their own server. Using unconventional port numbers on the server might help though.
 
That would not work: they would intercept the requests and redirect them to their own server. Using unconventional port numbers on the server might help though.
There is no way they can tell what's in the encrypted stream if you run your resolver elsewhere. They don't see port 53 requests.

The way to do it is you run OpenVPN on your machine or router, and then you run OpenVPN as a server somewhere else like a VPS, and on that server you also run your resolver. I do it and it works very well for me. I'd be very surprised if my ISP could see what I was doing. :)

You can get cheap virtual servers nowadays. I've got a really good one and it costs $15 per year. (in case you were not up-to-the-times on cheap servers)
 
I wish I was wrong. Believe me, I know how to change my default DNS. Besides, I am not the only one to report the problem. The funny thing is that I set up a server which I knew did not provide DNS services. Then I used drill(1) to ask this very server to resolve an address... and I got a DNS response. I guess you can try with any routable address.

You can see previous complaints in different places:
On their forum : https://forum.bouyguestelecom.fr/questions/1617015-bouygues-mobile-force-propres-dns
Elsewhere : https://davenull.tuxfamily.org/mitm-as-a-service-3g-edition-by-bouygues
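The drill(1) test described in the post above, scripted, as an added example that is not code from the thread: it sends a plain UDP query to an address that is known to run no resolver and treats any well-formed answer as proof that something on the path is answering in the target's place. It assumes the probe target (by default 192.0.2.1, a TEST-NET-1 documentation address) runs no DNS service, queries example.com on port 53, and includes a constructed response (`constructed_response`) only so the parser can be exercised offline.

```python
"""Probe for transparent DNS interception: query a host that runs no resolver.
Added example, not code from the thread. Target and query name are assumptions."""
import secrets
import socket
import struct
from typing import Optional, Tuple

A_RECORD = 1


def build_query(name: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a minimal recursive A query; returns (transaction id, wire bytes)."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", A_RECORD, 1)


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(txid: int, msg: bytes) -> Optional[dict]:
    """Return rcode and A-record addresses, or None if msg is not a reply to txid."""
    if len(msg) < 12:
        return None
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set
        return None
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == A_RECORD and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0xF, "addresses": addresses}


def verdict(target_runs_dns: bool, parsed: Optional[dict]) -> str:
    """Interpret the probe: a reply from a non-resolver can only be an interceptor."""
    if parsed is None:
        return "no reply: nothing answered for the target"
    if not target_runs_dns:
        return "intercepted: a reply arrived from an address that runs no resolver"
    return "reply received from a resolver"


def probe(target_ip: str = "192.0.2.1", name: str = "example.com",
          target_runs_dns: bool = False, timeout: float = 3.0) -> str:
    """Send one query to target_ip:53 and classify what comes back."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (target_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return verdict(target_runs_dns, None)
    return verdict(target_runs_dns, parse_response(txid, data))


def constructed_response(txid: int, name: str, address: str) -> bytes:
    """Constructed sample of what an intercepting box would send back; offline use only."""
    _, query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 60, 4)  # name -> offset 12
    answer += bytes(int(octet) for octet in address.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```

Run it against an address you control and know has no resolver: a timeout is the honest outcome, a parsed answer means the path is rewriting port 53 traffic regardless of where you point resolv.conf.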

--- Edit ---
And frankly.... if such a stupid thing were really true (which, in my opinion, is wrong), just go to the ISP "Illiad Free".
I can't. I am in a remote location where only the Bouygues 4G network works decently. I am stuck with them for now. The fiber is supposed to be available by the end of the year.
 

Since this seems to be a widespread issue with Bouygues Telecom, and since the company doesn't seem to respond to customers' complaints in a satisfactory manner, you might want to report the DNS interception directly to the CNIL - see: https://www.cnil.fr/fr/agir
 
you want to report the DNS interception directly to the CNIL
I sent them a message this morning and told them that I would file a complaint with the CNIL if they did not provide an answer. I am giving them until the end of the week.
 
To override the automatic DNS settings during the DHCP process, it is just required to write a little script on FreeBSD
Sorry, I missed that part of your post. You do not need any script to do that. You can use the supersede option in /etc/dhclient.conf (see dhclient.conf(5)).
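The supersede option mentioned above, written out as an added example (not a file from the thread). The interface name is an assumption; replace it with the interface the 4G link actually comes up on.

```conf
# /etc/dhclient.conf (added example; "ue0" is an assumed interface name)
interface "ue0" {
    # Ignore the resolver addresses the ISP pushes via DHCP and keep
    # resolv.conf pointed at the local unbound that forwards over DoT.
    supersede domain-name-servers 127.0.0.1;
}
```

With this in place, dhclient still accepts the lease but writes 127.0.0.1 into resolv.conf instead of the ISP's servers, so only unbound's TLS sessions to the configured upstreams leave the box on the DNS path.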
 
I will quote myself ;)
I can't. I am in a remote location where only the Bouygues 4G network works decently. I am stuck with them for now. The fiber is supposed to be available by the end of the year.
 
If there was any doubt left, it is gone now. In these two old tweets, they explain that they intercept DNS requests in order to help people when their phones are misconfigured. \0/

Now, I just have to wait for their response concerning the GDPR compliance of such interceptions.

 
Sounds like a cover story for hiding what could not be told in public without damage to the company.
Like one of our clowns-in-office once said about shady things done "for the good of the citizens": "a truthful answer might make the population feel uncomfortable".

So maybe this is state-mandated, by chance.
 
Which kind of proves that there is a way down from any place.
edit: apropos dangerous Clown...
 
Just a quick follow-up for those interested. Having received no answer from my ISP, I reported the situation to the ARCEP, which is a French governmental agency in charge of net neutrality (not to the CNIL as initially planned - maybe later depending on what happens). I just have to wait/hope for a reply now.
 

My lord, it is awfully kind of you to document the struggle against the ISP's daily greyness. I would like to chime in to show support only and, I will not interfere. Your endeavor has been splendid, absolutely splendid.
 
hukadan this is indeed a noble fight. DNS hijacking is a serious problem and we should not accept it anywhere.
 
Nope. Bouygues Telecom said they would call me back, but they did not. As for the ARCEP, I received an e-mail saying that my report had been registered without giving any reference so I cannot check if it has been processed or not. I am not even sure that they will do something. And if they do, I am pretty sure that it is a rather long process.

I am a bit disillusioned though. Doing some research, I realized that it was a rather common practice. You just have to go to the Wikipedia page related to DNS hijacking to lose faith. When I speak to people, I mostly get the following two reactions:
  1. "What is a DNS?"; or
  2. when they know, or once I have explained it, "So what?"
In the meantime, I switched to DoT.
 
I would call straight the data compliance officer of the company and complain to CNIL. This behavior isn't a joke and must be fined.
 