
Comment by regnerba

7 years ago

Cloudflare returns a proper response for me.

    nslookup archive.is 1.1.1.1
    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 134.119.220.26

    dig @1.1.1.1 archive.is
    
    ; <<>> DiG 9.14.1 <<>> @1.1.1.1 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46862
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             2998    IN      A       127.0.0.4

    ;; Query time: 52 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Sat May 04 21:03:36 CEST 2019
    ;; MSG SIZE  rcvd: 55

    dig @8.8.8.8 archive.is

    ; <<>> DiG 9.14.1 <<>> @8.8.8.8 archive.is
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5893
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,     ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;archive.is.                    IN      A

    ;; ANSWER SECTION:
    archive.is.             299     IN      A       94.16.117.236

    ;; Query time: 79 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat May 04 21:04:28 CEST 2019
    ;; MSG SIZE  rcvd: 55

It's possible your ISP is intercepting all traffic for port 53 and sending it to their own nameservers (which do send client subset) instead of you actually talking to Cloudflare's 1.1.1.1 at all.

  • Links for documented instances of this practice?

    • I have personally witnessed this happening with Wind-Infostrada in Italy. DNS spoofing was done through the ISP-provided fiber modem/router though, not at the ISP level; if you actually changed the DNS servers on the router then it would send all your queries to those routers instead of the ISP ones.

      I couldn't figure out if this was plain incompetency, an attempt to enforce DNS-based website blocking, or some programmer willfully implementing the latter with the former so that it would be reasonably easy to circumvent.

      Also, Italian residential providers really, really like to mess with NXDOMAIN, returning a helpful error page with affiliate links instead. You might think you can imagine how much shit this breaks; you probably don't.

    • ISPs in several countries I've been to do this to blacklist "objectionable" sites (which apparently includes reddit now) at the DNS level. Turning on DNS-over-HTTPS solves that.

Not for me:

    Server:  1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: archive.is
    Address: 127.0.0.4
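
An added example, not part of any comment in this thread: a small Python check that parses `dig` transcripts like the ones above and flags any resolver whose A record for a public name is not a globally routable address (such as `127.0.0.4`). The sample transcripts are trimmed from the output quoted in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# One A record as printed in dig's ANSWER SECTION: name, TTL, class, type, address.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")
# The resolver dig reports it received the reply from.
SERVER_RE = re.compile(r"^;; SERVER: ([0-9a-fA-F.:]+)#\d+")

# Trimmed from the two dig transcripts quoted in the thread.
CLOUDFLARE = """
;; ANSWER SECTION:
archive.is.             2998    IN      A       127.0.0.4
;; SERVER: 1.1.1.1#53(1.1.1.1)
"""
GOOGLE = """
;; ANSWER SECTION:
archive.is.             299     IN      A       94.16.117.236
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

def parse_dig(text):
    """Return (server, [addresses]) from one dig transcript."""
    server, addrs = None, []
    for line in text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        m = ANSWER_RE.match(line)  # question lines start with ';' and have no TTL
        if m:
            addrs.append(ipaddress.ip_address(m.group(3)))
    return server, addrs

def check_answers(transcripts):
    """Map each resolver to its answers and to those that are not globally routable."""
    findings = {}
    for text in transcripts:
        server, addrs = parse_dig(text)
        findings[server] = {
            "answers": [str(a) for a in addrs],
            # Loopback, private or reserved space is never valid for a public site.
            "non_routable": [str(a) for a in addrs if not a.is_global],
        }
    return findings

if __name__ == "__main__":
    for server, result in check_answers([CLOUDFLARE, GOOGLE]).items():
        print(server, result)
```

A non-routable answer shows that the name is being answered with a placeholder somewhere along the path; it does not by itself say whether the resolver, the authoritative server or an intercepting middlebox produced it.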