1.1.1.1 Port 53 intercepted by ISP

dns-resolver
#1

Hi,

On my computer, when I run nslookup for “bbc.co.uk” with 1.1.1.1, I got a response with an invalid A record, while there is no issue with 8.8.8.8. Probably an interception by the ISP?

C:\Users2020>nslookup www.bbc.co.uk 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: www.bbc.co.uk
Address: 31.13.78.65

C:\Users2020>nslookup www.bbc.co.uk 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1

Non-authoritative answer:
Name: www.bbc.co.uk
Address: 31.13.78.65

C:\Users2020>nslookup www.bbc.co.uk 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: www.bbc.net.uk
Addresses: 212.58.244.70
212.58.249.212
Aliases: www.bbc.co.uk

https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJCS0siLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Thank you

#2

The BBC does appear to return different records, probably based on the client’s subnet. However, in your case it seems to be a Facebook address, which probably is not right.

Considering you are on Windows, could you run the following command in a PowerShell console and post the output here?

(Invoke-WebRequest -Uri 'https://1.1.1.1/dns-query?ct=application/dns-json&name=www.bbc.co.uk').RawContent
1 Like
#3

This is the output from PowerShell:

HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Origin: *
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
CF-RAY: 4b9e338c2b2fc8dd-BKK
Content-Length: 209
Cache-Control: max-age=197
Content-Type: application/dns-json
Date: Tue, 19 Mar 2019 08:50:53 GMT
Server: cloudflare

{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "www.bbc.co.uk.", "type": 1}],"Answer":[{"name": "www.bbc.co.uk.", "type": 1, "TTL": 197, "data": "69.63.176.59"}]}

#4

This also appears to be a Facebook address.

I somewhat doubt the BBC hosts with Facebook, but on the other hand this response should really not have been tampered with.

Tagging @cscharff

1 Like
#5

So glad to know that there’s no interception by the ISP!

I haven’t been able to access “www.bbc.co.uk” for many weeks. The site can be accessed normally when I use 8.8.8.8 as a resolver.

This should be an issue with the Cloudflare 1.1.1.1 resolver.

#6

Thanks for reporting; our DNS team is investigating.

1 Like
#7

@cscharff

Any update on this issue? Thanks.

#8

The query was indeed being intercepted; the network provider and the BBC have both been notified.

1 Like
#9

By whom? DoH also returned a seemingly incorrect value.

#10

I believe DoH is just HTTPS from the client to the RR. A regular DNS query is made from the RR to the authoritative DNS.

#11

Are you suggesting the connection between Cloudflare and the authoritative nameserver was hijacked? I understood @cscharff’s response as if the connection between the user and Cloudflare was intercepted.

#12

Just based on DoH providing the same wrong IP, I would guess it’s an intermittent EDNS issue, but that does conflict with his response. /shrug

#13

“Same, wrong” or “same wrong”? :smile:

The former is true, the latter not, as the IP actually was different from the regular DNS request, even though it still pointed to Facebook :man_shrugging:t2:. Hence my plea for clarification to @cscharff

1 Like
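
The comparison discussed in this thread, as an added example that is not part of any post: it parses the nslookup output and the DoH JSON body posted above and checks whether the cleartext and DoH answers agree with each other and with the 8.8.8.8 answer. The function names and the /16 "same network" heuristic are assumptions made for illustration; because the BBC returns different records per client subnet, exact equality with a reference resolver is not expected.

```python
import ipaddress
import json
import re

# Sample input transcribed from the outputs posted in this thread
# (quotes normalised, DoH body trimmed to the fields used here).
PLAIN_1111 = """Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: www.bbc.co.uk
Address: 31.13.78.65
"""
PLAIN_8888 = """Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: www.bbc.net.uk
Addresses: 212.58.244.70
212.58.249.212
Aliases: www.bbc.co.uk
"""
DOH_1111 = ('{"Status": 0, "Question": [{"name": "www.bbc.co.uk.", "type": 1}], '
            '"Answer": [{"name": "www.bbc.co.uk.", "type": 1, "TTL": 197, "data": "69.63.176.59"}]}')

def nslookup_answers(text):
    """IPv4 answers from nslookup output, skipping the resolver's own Address line."""
    answer = text.partition("Non-authoritative answer:")[2]
    found = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", answer)
    return {ipaddress.ip_address(ip) for ip in found}

def doh_answers(body):
    """A records (type 1) from an application/dns-json response body."""
    answers = json.loads(body).get("Answer", [])
    return {ipaddress.ip_address(a["data"]) for a in answers if a["type"] == 1}

def near(candidates, reference, prefix=16):
    """Assumed heuristic: does any candidate share a /prefix network with the reference?"""
    nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in reference]
    return any(ip in net for ip in candidates for net in nets)

def compare(plain, doh, reference):
    return {"plain_equals_doh": plain == doh,
            "plain_near_reference": near(plain, reference),
            "doh_near_reference": near(doh, reference)}

if __name__ == "__main__":
    print(compare(nslookup_answers(PLAIN_1111), doh_answers(DOH_1111),
                  nslookup_answers(PLAIN_8888)))
```

On the thread's data all three checks come back false: the cleartext and DoH answers differ from each other, and neither falls near the 8.8.8.8 answer, which is the distinction post #13 draws.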