
discuss - Re: [opennic-discuss] *** SPAM *** Re: [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK



  • From: Lennart Seitz <mail AT lseitz.de>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] *** SPAM *** Re: [URGENT] [ROUND-ROBIN] DNS POISONING/POSSIBLE MITM ATTACK
  • Date: Thu, 2 Sep 2021 03:21:00 +0200

I don't think that's the problem here, since duckduckgo.com resolves to Facebook IPs for him and also shows HTTPS certificates that are related to facebook.com when visiting duckduckgo.com.

Can you please check what

dig whoami.akamai.net

gives you when you use OpenNIC and Quad9 (for example).


On 02.09.2021 03:11, eric wrote:
On 2021-09-01 20:02, Se7en wrote:
On 21-09-02 02:53:44, Lennart Seitz wrote:
Something certainly is odd here: the "@" part of dig defines the server
that is used. So you don't need to "change back" anything. If you put

dig duckduckgo.com @185.121.177.177 +short

in your CLI, it will always query 185.121.177.177, so it should
always give you the same results (let's keep DNS round-robin out for now;
the 69.171.246.9 is certainly wrong).

It seems like something on your system is locally redirecting queries.

I'm looking at my system's /etc/resolv.conf and I see no problem with
it. It is pointing at the router. The router is set up to use the
PiHole as a DNS server. The PiHole is (was) set up to use
OpenNICProject. The issue is not on my own computer, but
network-wide. All devices on the WLAN and LAN are affected. There is
no issue when I use another DNS provider. I do not know what may be
causing this alleged redirection on the system I'm using to diagnose,
but it seems unlikely, as I am not running any kind of special
networking such as `torsocks` in the terminal. While I have DNSCrypt
installed, it is not running on this machine. I am using the version
of `dig` which was in apt, provided by the ISC (DiG
9.11.5-P4-5.1+deb10u5-Debian).

What else could this problem be? I do not believe it is a cracked
PiHole, due to the fact the issue /only occurs/ using the Wiki's
Anycast Servers.

Is it possible that what you're witnessing is the following?

You->PiHole->OpenNIC Anycast Server->DuckDuckGo Anycast DNS->IP closest to OpenNIC Anycast Server

And when you switch to your other DNS service you see:

You->PiHole->DNS Service->DuckDuckGo Anycast DNS->IP closest to DNS Service

You will receive a far wider range of returned IPs when using recursive DNS via anycast to anycast, because the IP closest to the OpenNIC server is being returned, not the IP closest to you.

To test the MITM theory, request an IP for a domain that does not use anycast to deliver its DNS. This IP should be the same using both OpenNIC and any other DNS provider.




--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org


-- 
Mit freundlichen Grüßen,
Lennart Seitz
PGP-Schlüssel: 0x187abd76a5660379 (https://pgp.lseitz.de/key.asc)
--
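The test proposed in the thread (query a control name whose authoritative DNS is not anycast and compare it with the suspect name across several resolvers) can be scripted. The following is an added example written for this archive page, not code from any of the participants or from the OpenNIC project. It assumes ISC `dig` is on PATH for the live helper; the offline part runs on constructed `dig +short` outputs using RFC 5737 documentation addresses, and "resolver-c" and the control name are hypothetical placeholders. The live helper can also be pointed at whoami.akamai.net, as Lennart suggests, to see which egress address each resolver presents to the authoritative side.

```python
"""Compare recursive resolvers' answers for a suspect name against a control name.

Added example, not from the mailing list thread. Verdicts:
  control-mismatch     : resolvers disagree even on a unicast-served control name,
                         so something is altering answers on the path to the odd
                         resolver(s); this is the case worth treating as interception
  target-only-mismatch : control agrees, only the suspect name differs; consistent
                         with anycast/GeoDNS steering, not proof of MITM on its own
  consistent           : every resolver returns the same answer set
"""
import re
import subprocess
from collections import Counter

# A bare IPv4 literal as printed by `dig +short` (one answer per line).
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_short(output: str) -> frozenset:
    """Reduce `dig +short` output to its set of IPv4 answers (CNAME lines dropped)."""
    return frozenset(line.strip() for line in output.splitlines()
                     if _IPV4.match(line.strip()))


def dig_short(name: str, server: str) -> frozenset:
    """Live helper: `dig NAME @SERVER +short` (needs network and ISC dig on PATH)."""
    cmd = ["dig", name, f"@{server}", "+short", "+time=3", "+tries=1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_short(proc.stdout)


def odd_ones_out(answers: dict) -> list:
    """Resolvers whose answer set differs from the most common answer set."""
    majority, _ = Counter(answers.values()).most_common(1)[0]
    return sorted(r for r, a in answers.items() if a != majority)


def classify(target: dict, control: dict) -> dict:
    """target/control map resolver -> frozenset of A records for that name."""
    bad_control = odd_ones_out(control)
    if bad_control:
        return {"verdict": "control-mismatch", "resolvers": bad_control,
                "note": "answers diverge even for a non-anycast name: suspect "
                        "interception or redirection on the path to these resolvers"}
    bad_target = odd_ones_out(target)
    if bad_target:
        return {"verdict": "target-only-mismatch", "resolvers": bad_target,
                "note": "control agrees; target differences fit anycast/GeoDNS steering "
                        "(not proof of MITM): verify the odd IPs against the operator's "
                        "published ranges and the served TLS certificate"}
    return {"verdict": "consistent", "resolvers": [], "note": "all resolvers agree"}


def compare_live(target_name: str, control_name: str, resolvers: list) -> dict:
    """Run the full test over the network (not exercised offline)."""
    target = {r: dig_short(target_name, r) for r in resolvers}
    control = {r: dig_short(control_name, r) for r in resolvers}
    return classify(target, control)


# Constructed sample outputs (RFC 5737 documentation addresses, not real records).
# 185.121.177.177 (OpenNIC) and 9.9.9.9 (Quad9) are the resolvers named in the
# thread; "resolver-c" is a hypothetical third resolver.
SAMPLE_TARGET = {
    "185.121.177.177": parse_short("192.0.2.10\n192.0.2.11\n"),
    "9.9.9.9":         parse_short("192.0.2.10\n192.0.2.11\n"),
    "resolver-c":      parse_short("target.example.\n203.0.113.9\n"),  # CNAME + odd A
}
SAMPLE_CONTROL_OK = {r: parse_short("198.51.100.20\n") for r in SAMPLE_TARGET}
SAMPLE_CONTROL_BAD = dict(SAMPLE_CONTROL_OK, **{"resolver-c": parse_short("203.0.113.20\n")})

if __name__ == "__main__":
    print(classify(SAMPLE_TARGET, SAMPLE_CONTROL_OK)["verdict"])   # target-only-mismatch
    print(classify(SAMPLE_TARGET, SAMPLE_CONTROL_BAD)["verdict"])  # control-mismatch
```

For a live run, pick a control name you know is served from a single unicast location (the thread does not name one), then call `compare_live("duckduckgo.com", control_name, ["185.121.177.177", "9.9.9.9"])`; `dig_short("whoami.akamai.net", server)` shows the source address Akamai sees for each resolver, which is the value Lennart asks for above.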


