My ISP intercepts all the DNS requests

I would call straight the data compliance officer of the company
I don't have his/her phone number. But I sent an e-mail when I realized they were doing DNS interception. He/she did not reply.

complain to CNIL
A friend of mine is a lawyer and she knows one or two things about personal data regulation. I see her in two weeks, so I will ask her some questions before complaining to the CNIL.
 
Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:
Code:
forward-zone:
        name: "."
        # Forward every query to the upstreams below over TLS (port 853)
        forward-tls-upstream: yes
        # Quad9. The name after '#' is the hostname unbound verifies the server
        # certificate against; without it (and without tls-cert-bundle in the
        # server: section) the TLS session is not authenticated.
        forward-addr: 9.9.9.9@853#dns.quad9.net
        # Cloudflare
        forward-addr: 1.1.1.1@853#cloudflare-dns.com

Apart from Quad9 and Cloudflare, it seems that only Google provides DNS over TLS.
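Before switching to DoT it helps to confirm that interception is really happening. The script below is an added example for this thread, not code from the original post. It builds raw DNS queries with the standard library only and checks two signals when a public resolver such as Quad9 is addressed directly on plain port 53: the CH TXT record `id.server` (RFC 4892), which Quad9 and Cloudflare answer with their own server identity, and DNSSEC passthrough, where a query carrying the EDNS0 DO bit for a signed name should come back with RRSIG records and the AD flag from a validating resolver. An interceptor answering in the resolver's place typically fails both. The identity substring checked for and the responses used offline are constructed for the example; the live check at the bottom only prints what it sees so you can compare it with what the same question returns over DoT.

```python
import socket
import struct

TYPE_A, TYPE_TXT, TYPE_OPT, TYPE_RRSIG = 1, 16, 41, 46
CLASS_IN, CLASS_CH = 1, 3


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, qtype, qclass=CLASS_IN, txid=0x1234, dnssec_ok=True):
    """Build a query with RD set; add an EDNS0 OPT RR with the DO bit if requested."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, qclass)
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return msg


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: continue at the target
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(data):
    """Parse the header flags and the answer section into a small dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:  # one or more <len><chars> strings
            parts, i = [], 0
            while i < rdlen:
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
            rdata = "".join(parts)
        elif rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rclass, rdata))
    # AD is bit 5 of the flags word (QR Opcode AA TC RD RA Z AD CD RCODE)
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}


def identity_looks_wrong(resp, expected_substr):
    """True if no TXT answer mentions the resolver we actually addressed."""
    return not any(expected_substr in r[3] for r in resp["answers"] if r[1] == TYPE_TXT)


def dnssec_stripped(resp):
    """True if a DO-flagged query for a signed name returned no RRSIG or no AD flag:
    the usual symptom of a non-validating interceptor answering in the resolver's place."""
    has_rrsig = any(r[1] == TYPE_RRSIG for r in resp["answers"])
    return not (has_rrsig and resp["ad"])


def build_response(txid, qname, qtype, qclass, answers, ad=False):
    """Assemble a minimal response (constructed data for exercising the parser offline)."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA (+AD)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, 300, len(rdata)) + rdata
    return msg


def txt_rdata(s):
    """Wire form of a single TXT string."""
    return bytes([len(s)]) + s.encode()


def ask(server, qname, qtype, qclass=CLASS_IN, dnssec_ok=True, timeout=3.0):
    """Send one query over plain UDP/53 and parse the reply (live network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, qclass, dnssec_ok=dnssec_ok), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    ident = ask("9.9.9.9", "id.server", TYPE_TXT, CLASS_CH, dnssec_ok=False)
    print("id.server via 9.9.9.9:53 ->", [a[3] for a in ident["answers"]])
    signed = ask("9.9.9.9", "quad9.net", TYPE_A)  # a DNSSEC-signed zone
    print("RRSIG/AD present:", not dnssec_stripped(signed), "AD flag:", signed["ad"])
```

Run the same two questions through the DoT path once it is configured; if the port-53 answers name a different server or lose the RRSIG/AD signals while the DoT answers do not, something between you and 9.9.9.9 is answering the plain queries.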
Hello, I had a similar issue but all is well now. I use dnscrypt-proxy2 with unbound. Install dnscrypt-proxy2 from pkg, and set forward-addr to your dnscrypt-proxy listening IP. Don't forget to set your resolver to your unbound IP. I hope this works for you.
This is my config:
Code:
sockstat | grep dnscrypt
_dnscrypt-proxy dnscrypt-p69910 4 udp4 127.0.0.1:5353     *:*
_dnscrypt-proxy dnscrypt-p69910 6 tcp4 127.0.0.1:5353     *:*
_dnscrypt-proxy dnscrypt-p69910 7 udp6 ::1:5353           *:*
_dnscrypt-proxy dnscrypt-p69910 8 tcp6 ::1:5353           *:*

cat /usr/local/etc/unbound/forward.conf
forward-zone:
        name: "."
        forward-addr: ::1@5353
One more thing: don't forget to set your ISP DNS server as fallback resolver in your /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml:
Code:
fallback_resolver = 'your_ISP_DNS_IP:53'
 
Thank you. But DNS over TLS is more than enough ;). The problem lies elsewhere: they should not be allowed to do that in the first place.
 
A quick follow-up. I saw my lawyer friend and she told me that my ISP has a delay to provide an answer to my request. If you are living in France, here are the details. Basically, they have one month to reply or inform you that they need a time extension of two months. The funny thing is that my ISP replied to my email one month minus one day to inform me they needed more time (I cannot refuse). She also told me that I had to wait for the time limits to expire (in approximately two months) before going to the CNIL. Her opinion is that they seem to violate the GDPR, but we have to wait for their answer to be sure. To be continued...
 
I finally got an answer. They say "nous souhaitons vous rassurer sur le fait que les DNS ne procèdent à aucun traitement de données personnelles", which roughly translates as "we want to reassure you about the fact that our DNS do not process any personal data". Since I consider my requests as personal data, I can't see how it can be true. They also mention their intention to reconsider their DNS policy.

Now that I have an answer from them, I can complain to the CNIL.

To be continued...
 
Why should it be illegal to use whatever DNS server you want? If so, this would be quite a stupid jurisdiction to live in.
I cannot imagine any other reason for such a law, except for the government to spy on you when they please.

Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:
Code:
forward-zone:
        name: "."
        # Forward every query to the upstreams below over TLS (port 853)
        forward-tls-upstream: yes
        # Quad9. The name after '#' is the hostname unbound verifies the server
        # certificate against; without it (and without tls-cert-bundle in the
        # server: section) the TLS session is not authenticated.
        forward-addr: 9.9.9.9@853#dns.quad9.net
        # Cloudflare
        forward-addr: 1.1.1.1@853#cloudflare-dns.com

Apart from Quad9 and Cloudflare, it seems that only Google provides DNS over TLS.
 
Why should it be illegal to use whatever DNS server you want? If so, this would be quite a stupid jurisdiction to live in.
I cannot imagine any other reason for such a law, except for the government to spy on you when they please.

What post or idea are you referring to?
 
See hukadan's post. (The one two posts above mine, one above yours, where they are quoted.) He had thought it was illegal. Though it wouldn't shock me if they had a rule against it buried in a terms of service on page 72, I doubt they'd be able to enforce it.
 
Thanks for helping my old eyes scottro :)

So yes, I think he is not too far off in calling it illegal in the context of newer privacy regulations. I'm not sure if browsing history is considered personal information in all jurisdictions, but if it is there will certainly be applicable laws.

Personally, I use a VPN (my own) as a matter of principle and not immediate practicality, as in the OP's case. To me, no ISP should have access to such detailed everyday personal information, regardless of whether they're currently using it, or what they're using it for. In this particular case, they've already admitted to "using" it to "help" people.
 
Why should it be illegal to use whatever DNS server you want?
No, you misunderstood (or I wrote bad English). I thought it was illegal to do DNS interception. And for the record, I have yet to find out. I think I will be able to file a detailed complaint before the CNIL by next week.
 
Please read this or have it translated
From what I understand, they not only intercept DNS but also redirect users asking for nonexistent URLs. In that sense, they manipulate DNS records. My case is slightly different since, to my knowledge, they still provide correct answers to DNS requests (with broken DNSSEC). I am not saying the legal status of "data manipulation" does not apply in my case, but I am not sure it does either.
 
No, you misunderstood (or I wrote bad English). I thought it was illegal to do DNS interception. And for the record, I have yet to find out. I think I will be able to file a detailed complaint before the CNIL by next week.
Oh, ok. I would not necessarily classify DNS interception as illegal. It might be done for caching and performance reasons or others. What would be illegal is for the provider to log your DNS requests (spying) or change the outcome of the queries.
If they break your secure DNS connection, that for sure is weird. Imagine your provider turning your HTTPS connections into HTTP. They're not allowed to do that, it's a man in the middle attack.
You could call them and ask.

With that said, DNSSEC is quite new and they might still be having technical difficulties implementing (or ignoring) it. Especially if they did some DNS caching tricks for performance. I would give the provider the benefit of the doubt and clarify what's actually going on.
 
I would not necessarily classify DNS interception as illegal.
What could be illegal is them doing it without you knowing. I asked them to show me where it was mentioned in the contract, but they failed to provide such information. I know from Mastodon that at least someone else came across the same problem and intends to file a complaint. But he has to wait for the three-month delay to do so.
I would give the provider the benefit of the doubt and clarify what's actually going on.
According to the GDPR, they had three months to clarify and they did not.
 
You could try and sue them, which could cost them dearly if they indeed violate the GDPR.
I would not expect however the companies to reveal all technical details to the customers. Probably 99% of the customers are completely ignorant about what DNS is, so there's no point in exposing the technical details to them.
There can be legitimate reasons to alias DNS servers, as well as illegitimate ones.
But overriding a public IP address with one of their own is very smelly and you should probably talk to them and request an explanation. The contract probably obligates the provider to provide Internet access, so you need access to all public IPs. They should not be overridden.
 
From what I understand, they not only intercept DNS but also redirect users asking for nonexistent URLs. In that sense, they manipulate DNS records. My case is slightly different since, to my knowledge, they still provide correct answers to DNS requests.

That depends on what you define as "correct answers". If my friend and I decide to run whatever specialized service between our specific machines on port 53, we should be able to do this. In such case, the correct answer can certainly not be provided if this connection is re-routed to an entirely different server.
In such a case I would open a ticket for service outage, wait until the 97% contracted availability has passed (i.e. 11 days), and then cease payment with a written note that no activities to end the service outage could be observed.
 
That depends on what you define as "correct answers". ...

Indeed. We're not all ICANN fans. There are alt-root servers and some people won't be able to reach the sites they expect with the OP's ISP unless they tunnel past them. And of course that's what a lot of people do.
 
Did they object to his complaint to authorities and then pulled the plug on him? I suppose we'll need to wait until he gets fiber to find out, assuming it's not a related ISP :-(

I think this is common practice (hijack) - so he may not find a more privacy-embracing ISP. He probably should just have taken OJ's advice.
 
That depends on what you define as "correct answers"
I consider to be a "correct answer" an answer that is identical to the information published by the zone owner.
Did they object to his complaint to authorities and then pulled the plug on him?
Don't worry, I am still plugged ;).
He probably should just have taken OJ's advice.
For the record, I am no longer affected by their DNS interception (I made it clear in my first post on this thread) since I use DoT, but I feel concerned by the subject.
 