Discuss mailing list

[eric <eric AT spacepatrol.org>]

On 2021-09-01 20:02, Se7en wrote:
> On 21-09-02 02:53:44, Lennart Seitz wrote:
> > Something certainly is odd here: the "@" part of dig defines the used
> > server. So you dont need to "change back" anything. If you put
> >
> > dig duckduckgo.com @185.121.177.177 +short
> >
> > in your cli. It will always query at 185.121.177.177, so it should
> > always give you the same results (lets keep dns-roundrobin out for 
> > now,
> > the 69.171.246.9 is certainly wrong)
> >
> > It seems like something on your system is locally redirecting querys.
>
> I'm looking at my system's /etc/resolv.conf and I see no problem with
> it. It is pointing at the router. The router is setup to use the
> PiHole as a DNS server. The pihole is (was) setup to use
> OpenNICProject. The issue is not on my own computer, but
> network-wide. All devices on the WLAN and LAN are affected. There is
> no issue when I use another DNS provider. I do not know what may be
> causing this alleged redirection on my system I'm using to diagnose
> but it seems unlikely as I am not running any kind of special
> networking such as `torsocks` into the terminal. While I have DNSCrypt
> installed, it is not running on this machine. I am using the version
> of `dig` which was in apt, provided by the ISC (DiG
> 9.11.5-P4-5.1+deb10u5-Debian).
>
> What else could this problem be? I do not believe iti s a cracked
> PiHole due to the fact the issue /only occurs/ using the Wiki's
> Anycast Servers.

Is it possible what you're witnessing is the following?

You->PiHole->OpenNic Anycast Server->DuckDuckGo Anycast DNS->IP closest 
to OpenNic Anycast Server

And when you switch to your other dns service you see:

You->PiHole->DNS Service->DuckDuckGo Anycast DNS->IP Closest to DNS 
Service

You will receive a far wider range of returned IPs when using recursive 
DNS via anycast to anycast because the IP closest to the OpenNIC server 
is being returned, not the IP closest to you.

To test the MITM theory, request an IP for a domain that does not use 
anycast to deliver their DNS.  This IP should be the same using both 
OpenNIC and any other dns provider.