What's DNS hijacking?
DNS hijacking is the act of an ISP redirecting resolution of hostnames to other servers, usually for advertising purposes. DNS hijacking hurts Tor exit-relay quality. Tor attempts to detect and compensate for it, but this is not always possible. The best solution is to disable the hijacking, switch to a different public DNS resolver, or run your own DNS server.
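One way to detect a hijacking resolver, as an added example that is not part of this wiki page or of Tor's own code: ask the resolver for a random name that cannot exist and expect NXDOMAIN; a NOERROR answer carrying A records means the resolver substituted its own address. The DNS message encoding and parsing below is done by hand with the Python standard library; `check_resolver` needs network access, while `fake_response` builds constructed replies so the classification logic can be exercised offline. The server address and the `.com` probe TLD are assumptions.

```python
import random
import socket
import string
import struct

# DNS response codes (RFC 1035 / RFC 6895)
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def random_nonexistent_name(tld="com"):
    """Build a 12-character random label under `tld`; constructed, should not exist."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    return f"{label}.{tld}"


def build_query(name, txid=0x1234):
    """Encode a standard A/IN query for `name` (QDCOUNT=1, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings from A records in the answer section])."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return txid, rcode, addrs


def classify(rcode, addrs):
    """A random nonexistent name must yield NXDOMAIN; NOERROR plus A records is a hijack."""
    if rcode == RCODE_NXDOMAIN:
        return "clean"
    if rcode == RCODE_NOERROR and addrs:
        return "hijacked"
    return "inconclusive"  # SERVFAIL, empty NOERROR, etc.


def check_resolver(server, timeout=3.0):
    """Send one probe to `server` over UDP/53 and classify its answer (needs network)."""
    name = random_nonexistent_name()
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    rtxid, rcode, addrs = parse_response(data)
    if rtxid != txid:
        return "inconclusive"  # transaction ID mismatch: not an answer to our query
    return classify(rcode, addrs)


def fake_response(query, rcode, addrs=()):
    """Constructed reply: echo the question back with `rcode` and optional A answers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in addrs)
    return header + question + answers


if __name__ == "__main__":
    q = build_query(random_nonexistent_name(), 0x4242)
    print(classify(*parse_response(fake_response(q, RCODE_NXDOMAIN))[1:]))
    print(classify(*parse_response(fake_response(q, RCODE_NOERROR, ["192.0.2.1"]))[1:]))
    # Against a live resolver (assumed address): print(check_resolver("127.0.0.1"))
```

Run the probe several times against a resolver before trusting a single verdict: a hijacking resolver usually rewrites only NXDOMAIN answers, so a probe for an existing name tells you nothing, and a single timeout is "inconclusive" rather than proof either way.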
Solutions
Opt-out
Some ISPs and DNS providers let you disable DNS hijacking. Below is a list of such ISPs:
SSL
Encrypted, authenticated DNS options (which an ISP cannot intercept or rewrite):
Set up your own DNS server
- BIND for Linux.
- Run your own DNSSEC-capable DNS server or resolver, or use a trustworthy external DNSSEC-capable recursive/caching DNS server. Some DNSSEC-capable DNS server software: BIND, Unbound, GbDns, etc.
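A minimal configuration for running your own validating recursive resolver with Unbound, as an added example that is not part of this wiki page: it recurses from the root servers itself instead of forwarding to the ISP's resolver, and it refuses answers whose DNSSEC signatures are missing or invalid. The trust-anchor path follows the Debian packaging and is an assumption; create it once with `unbound-anchor -a /var/lib/unbound/root.key` if your package does not.

```conf
# /etc/unbound/unbound.conf (added example; file and anchor paths assumed)
server:
    # Listen only on loopback and answer only local clients
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone block: Unbound queries the root servers directly,
    # so the ISP's resolver never gets a chance to rewrite answers.

    # DNSSEC validation with the root key-signing key as trust anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Treat answers whose signatures were stripped as bogus, not as unsigned
    harden-dnssec-stripped: yes
    # Return SERVFAIL for bogus data instead of handing it to clients
    val-permissive-mode: no

    # Cache-poisoning hardening
    harden-glue: yes
    use-caps-for-id: yes
    qname-minimisation: yes
```

To confirm validation is active, query a signed name through the running resolver with `unbound-host -C /etc/unbound/unbound.conf -v example.com` (or `dig @127.0.0.1 +dnssec example.com`); `unbound-host` marks each answer `(secure)`, `(insecure)` or `(BOGUS)`, and a hijacked NXDOMAIN for a signed zone will fail validation rather than resolve to an advertising page.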
Public DNS (resolver) servers
If opting out is not feasible, there are public DNS servers you can use for free. Some services and their IP addresses follow:
Level 3 / GTEI (now owned by Verizon)
- 4.2.2.1
- 4.2.2.2
- 4.2.2.3
- 4.2.2.4
- 4.2.2.5
- 4.2.2.6
ISSUES: Verizon is publicly known for manipulating, filtering and redirecting DNS answers.
OpenNIC
- List of servers
- Find a DNS server on the OpenNIC site; OpenNIC has disclosed that it does not do any form of redirect, does not keep logs, and does not store records or any user information.
Google Public DNS
- 8.8.8.8
- 8.8.4.4
ISSUES: Google deletes the IP address of a DNS query after 24 hours, but permanently stores the ISP and location information for that query. See Google Public DNS (wikipedia) and check the references section.
Other Public DNS Servers
Lists of other public DNS servers are also available from:
- the Public DNS Resolvers page.
Other DNS related articles
- DNS Resolver (wiki:doc/DnsResolver on torproject.org): how to prevent any mis-configured app from (even accidentally) trying to resolve any .onion-related DNS name through the direct internet.
- DNS spoofing/cache poisoning (wikipedia).
- DNSSEC (wikipedia).