Raw import from Trac using Trac markup language. Authored by Alexander Hansen Færøy
What's '''DNS hijacking?'''
[https://secure.wikimedia.org/wikipedia/en/wiki/DNS_hijacking DNS hijacking] is
the act of an [http://en.wikipedia.org/wiki/Internet_service_provider ISP] redirecting resolution of hostnames to other servers, usually
for advertising purposes. DNS hijacking hurts Tor exit-relay
quality. Tor attempts to detect and compensate for it, but this is not always
possible. The best solution is to disable the hijacking, switch to a
different public DNS resolver, or use your own DNS server.
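A relay operator can check whether the configured resolver rewrites NXDOMAIN answers by resolving random hostnames that should not exist and seeing whether any of them come back with an address. The following is an added example, not code from Tor or from the original page; the function names, the probe TLDs and the `resolve` hook are assumptions chosen for illustration.

```python
import secrets
import socket
import string
from collections import Counter

ALPHABET = string.ascii_lowercase + string.digits


def system_resolve(name):
    """Ask the system resolver; return the set of IPs, empty on NXDOMAIN/failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_name(tld, length=20):
    """Constructed hostname that almost certainly does not exist."""
    label = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{label}.{tld}."  # trailing dot: skip resolv.conf search domains


def check_nxdomain_hijacking(resolve=system_resolve, tlds=("com", "net", "org"), probes=3):
    """Return (hijacked, answers); answers maps each bogus name to the IPs returned.

    An honest resolver answers none of the probes, so any entry is a rewrite.
    """
    answers = {}
    for tld in tlds:
        for _ in range(probes):
            name = random_name(tld)
            addrs = resolve(name)
            if addrs:
                answers[name] = addrs
    return bool(answers), answers


def redirect_targets(answers):
    """IPs returned for more than one bogus name: the hijacker's landing servers."""
    counts = Counter(ip for addrs in answers.values() for ip in addrs)
    return {ip for ip, n in counts.items() if n > 1}


if __name__ == "__main__":
    hijacked, answers = check_nxdomain_hijacking()
    print("hijacked:", hijacked, "targets:", sorted(redirect_targets(answers)))
```

Run it again after opting out or switching resolvers; a clean resolver reports `hijacked: False` with no targets.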
[[TOC]]
= Solutions =
== Opt-out ==
Some ISPs and DNS providers let you disable DNS hijacking. Below is a list of
such ISPs:
* [http://dns-opt-out.comcast.net/help-index.php Comcast]
* [https://www.opendns.com/support/article/312 OpenDNS]
* [http://www.optimum.net/Article/DNS#btnBlue Optimum Online]
* [http://service1.dnsassist.optusnet.com.au/search?qh=DNS%20hijacking&srh=optout Optus]
* [http://foren.t-online.de/foren/read/service/browser/t-online-browser/neues-leistungsmerkmal-navigationshilfe,164,3808480,fid=84b72be.html T-Online]
* [https://service.upc.ie/pdf/DNS%20opt-out%20instructions.pdf UPC]
* [https://www22.verizon.com Verizon]
== SSL ==
Encrypted, authenticated DNS ideas (ISPs cannot intercept):
* [https://www.privacyfoundation.de/wiki/HTTPS-DNS HTTPS-DNS]
* [https://www.privacyfoundation.de/wiki/SSL-DNS SSL-DNS]
== Set up your own DNS server ==
* [wiki:"TheOnionRouter/BIND" BIND] for [http://en.wikipedia.org/wiki/Linux Linux].
 * Use your own '''DNSSEC'''-capable [wiki:doc/DnsResolver DNS server] or resolver, or use a trustworthy external recursive/caching DNS server that supports DNSSEC. DNS server software with DNSSEC support includes BIND, Unbound, GbDns, etc.
== Public DNS (resolver) servers ==
If opting out is not feasible, there are public DNS servers you can use for
free. Below are some services and their IP addresses:
=== [http://www.level3.com/ Level 3] / GTEI (Now owned by VERIZON) ===
* 4.2.2.1
* 4.2.2.2
* 4.2.2.3
* 4.2.2.4
* 4.2.2.5
* 4.2.2.6
ISSUES: Verizon is publicly known for manipulating, filtering, and redirecting DNS answers.
=== [http://www.opennicproject.org OpenNIC] ===
* [http://wiki.opennicproject.org/Tier2 List of servers]
 * Pick a DNS server from the OpenNIC site whose operator has disclosed that it does not do any form of redirection, does not keep logs, and does not store records or any user information.
=== [https://code.google.com/speed/public-dns/ Google] ===
* 8.8.8.8
* 8.8.4.4
ISSUES: Google deletes the IP address for a DNS query after 24 hours, but permanently stores ISP and location information for that query. See [https://en.wikipedia.org/wiki/Google_Public_DNS Google Public DNS (wikipedia)] and check the references section.
=== Other Public DNS Servers ===
Lists of other public DNS servers are also available from:
* [wiki:doc/DnsResolver/PublicDnsResolvers Public DNS Resolvers] page.
== Other DNS related articles ==
 * [wiki:doc/DnsResolver DNS Resolver] (in `[wiki:doc/DnsResolver]`, torproject.org): how to prevent any misconfigured app from (even accidentally) trying to resolve .onion names via DNS directly over the Internet.
* [https://en.wikipedia.org/wiki/DNS_spoofing DNS spoofing/cache poisoning] (wikipedia).
* [https://en.wikipedia.org/wiki/DNS_Security_Extensions DNSSEC] (wikipedia).