# My ISP intercepts all the DNS requests



## hukadan (Feb 6, 2019)

Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:

```
forward-zone:
        forward-tls-upstream: yes
        name: "."
        forward-addr: 9.9.9.9@853 #Quad9
        forward-addr: 1.1.1.1@853 #Cloudflare
```

Apart from Quad9 and Cloudflare, it seems that only Google provides DNS over TLS.


----------



## obsigna (Feb 6, 2019)

Does Bouygues Telecom mention the interception of DNS requests in their Privacy declaration which they presented to you as part of the service contract?

Now there are two general cases:

A) It is not mentioned. This would be for sure a violation of the GDPR, since the ISP can easily connect all your DNS requests with your personal data and it would take almost nothing to profile you on this. French data protection authorities seem to be not very forgiving, Google was just recently fined €50 million for GDPR violation in France. So chances are, that Bouygues Telecom would stop this immediately when you write them a kind letter, informing them, that they are in risk to be fined up to 4 % of their yearly sales because of this DNS interception.

B) It is mentioned. In this case you need to read the small print thoroughly, and perhaps you or a lawyer may find some hints how to prevent them from intercepting your DNS requests.


----------



## xtremae (Feb 6, 2019)

hukadan said:


> Apart from Quad9 and Cloudflare, it seems that only Google provides DNS over TLS.



Not necessarily. dnsprivacy.org seems to be maintaining a non-comprehensive list of servers with DoT capabilities.
There's also a listing in the sample configuration file provided by the stubby project.


----------



## Deleted member 9563 (Feb 7, 2019)

The easy way out is to run your own resolver. I run mine on a cheap VPS which I use for VPN as well. I don't actually have a problem with my ISP, but I avoid them on principle anyway.


----------



## hukadan (Feb 7, 2019)

obsigna said:


> Does Bouygues Telecom mention the interception of DNS requests in their Privacy declaration which they presented to you as part of the service contract?


To be honest, I haven't read it yet and it was too late yesterday night. But I will sure do it today.



xtremae said:


> dnsprivacy.org seems to be maintaining a non-comprehensive list of servers with DoT capabilities.


Thank you. I will add them to the list.



OJ said:


> The easy way out is to run your own resolver.


That would not work: they would intercept the requests and redirect them to their own server. Using unconventional port numbers on the server might help though.


----------



## Deleted member 9563 (Feb 7, 2019)

hukadan said:


> That would not work: they would intercept the requests and redirect them to their own server. Using unconventional port numbers on the server might help though.


There is no way they can tell what's in the encrypted stream if you run your resolver elsewhere. They don't see port 53 requests.

The way to do it is you run OpenVPN on your machine or router, and then you run OpenVPN as a server somewhere else like a VPS, and on that server you also run your resolver. I do it and it works very well for me. I'd be very surprised if my ISP could see what I was doing. 

You can get cheap virtual servers nowadays. I've got a really good one and it costs $15 per year. (in case you were not up-to-the-times on cheap servers)


----------



## hukadan (Feb 7, 2019)

OJ said:


> then you run OpenVPN as a server somewhere else like a VPS



Sorry, I missed that part of your setup. I am still only half awake.


----------



## hukadan (Feb 7, 2019)

I wish I was wrong. Believe me, I know how to change my default DNS. Besides, I am not the only one to report the problem. The funny thing is that I set up a server which I knew did not provide DNS services. Then I used drill(1) to ask this very server to resolve an address... and I got a DNS response. I guess you can try with any routable address.

You can see previous complaints in different places:

On Twitter: https://twitter.com/i/web/status/896718729693855744
On their forum: https://forum.bouyguestelecom.fr/questions/1617015-bouygues-mobile-force-propres-dns
Elsewhere: https://davenull.tuxfamily.org/mitm-as-a-service-3g-edition-by-bouygues

--- Edit ---


> And frankly.... if such stupid thing was really true (what is according to me wrong), just go to ISP "Illiad Free".


I can't. I am in a remote location where only the Bouygues 4G network works decently. I am stuck with them for now. The fiber is supposed to be available by the end of the year.
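The check described above (query a host you control that runs no DNS service and see whether an answer comes back anyway) can be reproduced without drill(1). The following is an added example, not code from the thread or from unbound or drill: it builds a DNS query with the EDNS0 DO bit set, parses the reply, flags a reply from a non-DNS host as evidence of interception, and reports whether the answering resolver honoured DO and returned RRSIGs, which is the part a DNSSEC-validating stub trips over. The interceptor reply, the address 192.0.2.10 and the name example.net are constructed sample values; `probe()` is the only function that touches the network and is not used by the offline demo.

```python
# Added example (not from the thread): minimal DNS wire-format helpers for
# the "ask a non-DNS host" interception check and a DNSSEC (DO/RRSIG) look.
import os
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000                    # DO bit in the OPT record's flags field
FLAG_QR, FLAG_AD = 0x8000, 0x0020   # header flag bits


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(data, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(name, qtype=TYPE_A, dnssec_ok=True, qid=None):
    """Recursive query (RD=1) with an EDNS0 OPT record carrying the DO bit."""
    qid = os.urandom(2) if qid is None else struct.pack("!H", qid)
    header = qid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size, ext-rcode, version, flags, rdlen
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, EDNS_DO, 0) if dnssec_ok else b""
    return header + question + opt


def parse_response(data):
    """Parse the header, skip the question section, collect every RR."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                   # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return {
        "id": qid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0xF,
        "ad": bool(flags & FLAG_AD),               # resolver claims validation
        "answers": [socket.inet_ntoa(r[4]) for r in records[:an] if r[1] == TYPE_A],
        "rrsigs": sum(1 for r in records if r[1] == TYPE_RRSIG),
        # In an OPT RR the TTL field carries ext-rcode/version/flags; DO is the top flag bit.
        "do": any(r[1] == TYPE_OPT and r[3] & EDNS_DO for r in records),
    }


def looks_intercepted(query, reply):
    """A host that runs no DNS service should never answer: a well-formed reply
    whose ID matches our query means something on the path answered instead."""
    if reply is None or len(reply) < 12:
        return False
    parsed = parse_response(reply)
    return parsed["is_response"] and parsed["id"] == struct.unpack("!H", query[:2])[0]


def dnssec_honoured(parsed):
    """A DO-aware resolver echoes OPT with DO and returns RRSIGs for signed names."""
    return parsed["do"] and parsed["rrsigs"] > 0


def probe(query, host, port=53, timeout=2.0):
    """Send the query over UDP to HOST (a machine you control that runs no DNS
    service); returns the raw reply, or None when nothing answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def constructed_interceptor_reply(query):
    """Constructed sample of what a transparent resolver typically returns:
    QR+RD+RA set, no AD, no RRSIG, and the OPT/DO record dropped."""
    question = query[12:12 + query[12:].index(b"\x00") + 1 + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton("192.0.2.10")
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.net", qid=0x1234)
    r = constructed_interceptor_reply(q)      # offline; swap for probe(q, "<your non-DNS host>")
    p = parse_response(r)
    print("intercepted:", looks_intercepted(q, r), "answers:", p["answers"],
          "DO honoured:", dnssec_honoured(p), "AD:", p["ad"])
```

Run as-is, the constructed reply is classified as intercepted with `DO honoured: False` and `AD: False`; against a real path, replace the constructed reply with `probe()` pointed at a host of yours that has no resolver, and a `None` result is the expected, healthy outcome.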


----------



## obsigna (Feb 7, 2019)

hukadan said:


> I wish I was wrong. Believe me, I know how to change my default DNS. Besides, I am not the only one to report the problem. The funny thing is that I set up a server which I knew did not provide DNS services. Then I used drill(1) to ask this very server to resolve an address... and I got a DNS response. I guess you can try with any routable address.
> 
> You can see previous complaints in different places:
> 
> ...



Since this seems to be a widespread issue of Bouygues Telecom, and since the company doesn't seem to respond to customers' complaints in a satisfactory manner, you might want to report the DNS interception directly to the CNIL - see: https://www.cnil.fr/fr/agir


----------



## hukadan (Feb 7, 2019)

obsigna said:


> you want to report the DNS interception directly to the CNIL


I sent them a message this morning and told them that I would file a complaint with the CNIL if they did not provide an answer. I give them until the end of the week.


----------



## hukadan (Feb 7, 2019)

Wozzeck.Live said:


> To override the automatic DNS settings at DHCP process, it is just required to write a little script on the FreeBSD


Sorry, I missed that part of your post. You do not need any script to do that. You can use the _supersede_ option in the /etc/dhclient.conf (see dhclient.conf(5)).


----------



## obsigna (Feb 7, 2019)

hukadan said:


> I sent them a message this morning and told them that I would file a complaint with the CNIL if they did not provide an answer. I give them until the end of the week.


Perfect!


----------



## tommiie (Feb 7, 2019)

Why not switch to a different ISP?


----------



## hukadan (Feb 7, 2019)

I will quote myself 


hukadan said:


> I can't. I am in a remote location where only the Bouygues 4G network works decently. I am stuck with them for now. The fiber is supposed to be available by the end of the year.


----------



## tommiie (Feb 7, 2019)

Sorry. I missed that.


----------



## hukadan (Feb 7, 2019)

If there was any doubt left, it is gone now. In these two old tweets, they explain that they intercept DNS requests in order to help people when their phones are misconfigured. \0/

Now, I just have to wait for their response concerning the GDPR compliance of such interceptions.


----------



## Crivens (Feb 7, 2019)

getopt said:


> Sounds like a cover story for hiding what not could be told on public without a damage for the company.


Like one of our clowns-in-office once said about shady things done "for the good of the citizens" : "a truthful answer might make the population feel uncomfortable".

So maybe this is state mandated by chance.


----------



## hukadan (Feb 7, 2019)

Crivens said:


> So maybe this is state mandated by chance.


They are the only ones to do that to my knowledge. They are encouraged by our government to implement DNSSEC which is, as far as I understand DNSSEC, incompatible with such a kind of interception (it is what allowed me to notice it in the first place).


----------



## Crivens (Feb 7, 2019)

Which kind of proves that there is a way down from any place.
edit: apropos dangerous Clown...


----------



## hukadan (Feb 18, 2019)

Just a quick follow-up for those interested. Having received no answer from my ISP, I reported the situation to the ARCEP, which is a French governmental agency in charge of net neutrality (not to the CNIL as initially planned - maybe later depending on what happens). I just have to wait/hope for a reply now.


----------



## Polyatomic (Feb 19, 2019)

My lord, it is awfully kind of you to document the struggle against  the  ISP's  daily greyness. I would like to chime in to show support only and, I will not interfere. Your endeavor has been splendid, absolutely splendid.


----------



## Deleted member 9563 (Feb 19, 2019)

hukadan this is indeed a noble fight. DNS hijacking is a serious problem and we should not accept it anywhere.


----------



## aht0 (Mar 2, 2019)

Any updates?


----------



## hukadan (Mar 3, 2019)

Nope. Bouygues Telecom said they would call me back, but they did not. As for the ARCEP, I received an e-mail saying that my report had been registered without giving any reference so I cannot check if it has been processed or not. I am not even sure that they will do something. And if they do, I am pretty sure that it is a rather long process.

I am a bit disillusioned though. Doing some research, I realized that it was a rather common practice. You just have to go to the Wikipedia page related to DNS hijacking to lose faith. When I speak to people I face mostly the two following reactions:

"What is a DNS?"; or
when they know or I explained it, "So what?"

In the meantime, I switched to DoT.


----------



## Michael-O (Mar 3, 2019)

I would call straight the data compliance officer of the company and complain to CNIL. This behavior isn't a joke and *must* be fined.


----------



## hukadan (Mar 3, 2019)

Michael-O said:


> I would call straight the data compliance officer of the company


I don't have his/her phone number. But I sent an e-mail when I realized they were doing DNS interception. He/She did not reply.



Michael-O said:


> complain to CNIL


A friend of mine is a lawyer and she knows one or two things in personal data regulation. I see her in two weeks so I will ask her some questions before complaining to the CNIL.


----------



## ezraimanuel (Mar 3, 2019)

hukadan said:


> Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation ? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:
> 
> ```
> forward-zone:
> ...


Hello, I had a similar issue but all is well now. I use dnscrypt-proxy2 with unbound. Install dnscrypt-proxy2 from pkg, and set forward-addr to your dnscrypt-proxy listening IP. Don't forget to set your resolver to your unbound IP. I hope this works for you.
This is my config:

```
sockstat | grep dnscrypt
_dnscrypt-proxy dnscrypt-p69910 4 udp4 127.0.0.1:5353     *:*
_dnscrypt-proxy dnscrypt-p69910 6 tcp4 127.0.0.1:5353     *:*
_dnscrypt-proxy dnscrypt-p69910 7 udp6 ::1:5353           *:*
_dnscrypt-proxy dnscrypt-p69910 8 tcp6 ::1:5353           *:*

cat /usr/local/etc/unbound/forward.conf
forward-zone:
        name: "."
        forward-addr: ::1@5353
```
One more thing, don't forget to set your ISP DNS server as fallback resolver in your /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml:

```
fallback_resolver = 'your_ISP_DNS_IP:53'
```


----------



## hukadan (Mar 3, 2019)

Thank you. But DNS over TLS is more than enough. The problem lies elsewhere: they should not be allowed to do that in the first place.


----------



## hukadan (Mar 18, 2019)

A quick follow-up. I saw my lawyer friend and she told me that my ISP has a deadline to provide an answer to my request. If you are living in France, here are the details. Basically, they have one month to reply or inform you that they need a time extension of two months. The funny thing is that my ISP replied to my email one month minus one day to inform me they needed more time (I cannot refuse). She also told me that I had to wait for the time limits to expire (in approximately two months) before going to the CNIL. Her opinion is that they seem to violate the GDPR, but we have to wait for their answer to be sure. To be continued...


----------



## hukadan (May 7, 2019)

I finally got an answer. They say "_nous souhaitons vous rassurer sur le fait que les DNS ne procèdent à aucun traitement de données personnelles_" which roughly translates as "we want to reassure you about the fact that our DNS do not process any personal data". Since I consider my requests as personal data, I can't see how it can be true. They also mention their intention to reconsider their DNS policy.

Now that I have an answer from them, I can complain to the CNIL.

To be continued...


----------



## Michael-O (May 20, 2019)

Please read this or have it translated: https://www.golem.de/news/t-online-...-hijacking-nach-strafanzeige-1905-141370.html

A user filed a complaint with the prosecution against Deutsche Telekom. They did what you did -- and they had to stop it. It violated German law: illegal data manipulation.


----------



## k.jacker (May 20, 2019)

Thanks Michael-O for sharing. Good to see that it's possible to stop big companies from doing so.
Let's hope that it turns out positive for hukadan, too. I'm sure it will.


----------



## D-FENS (May 20, 2019)

Why should it be illegal to use whatever DNS server you want? If so, this would be quite a stupid jurisdiction to live in.
I cannot imagine any other reason for such a law, except for the government to spy on you when they please.



hukadan said:


> Trying to solve a DNSSEC problem, I just found out that my ISP (Bouygues Telecom) intercepts any DNS request and uses its own server to answer. The only way to get around this is to use DNS over TLS. Have you ever experienced such a situation ? I am certainly naive, but I thought such a thing was not legal. For those who face the same situation, here is the corresponding /var/unbound/forward.conf file:
> 
> ```
> forward-zone:
> ...


----------



## Deleted member 9563 (May 20, 2019)

roccobaroccoSC said:


> Why should it be illegal to use whatever DNS server you want? If so, this would be quite a stupid jurisdiction to live in.
> I cannot imagine any other reason for such a law, except for the government to spy on you when they please.



What post or idea are you referring to?


----------



## scottro (May 21, 2019)

See hukadan's post. (The one two posts above mine, one above yours, where they are quoted.) He had thought it was illegal. Though it wouldn't shock me if they had a rule against it buried in a terms of service on page 72, I doubt they'd be able to enforce it.


----------



## Deleted member 9563 (May 21, 2019)

Thanks for helping my old eyes scottro 

So yes, I think he is not too far off in calling it illegal in the context of newer privacy regulations. I'm not sure if browsing history is considered personal information in all jurisdictions, but if it is there will certainly be applicable laws. 

Personally, I use a VPN (my own) as a matter of principle and not immediate practicality, as in the OP's case. To me, no ISP should have access to such detailed everyday personal information, regardless of whether they're currently using it, or what they're using it for. In this particular case, they've already admitted to "using" it to "help" people.


----------



## hukadan (May 21, 2019)

roccobaroccoSC said:


> Why should it be illegal to use whatever DNS server you want?


No, you misunderstood (or I wrote bad English). I thought it was illegal to do DNS interception. And for the record, I have yet to find out. I think I will be able to file a detailed complaint before the CNIL by next week.


----------



## hukadan (May 21, 2019)

Michael-O said:


> Please read this or have it translated


From what I understand, they not only intercept DNS but also redirect users asking for nonexistent URLs. In that sense, they manipulate DNS records. My case is slightly different since, to my knowledge, they still provide correct answers to DNS requests (with broken DNSSEC). I am not saying the legal status of "data manipulation" does not apply in my case, but I am not sure it does either.


----------



## D-FENS (May 21, 2019)

hukadan said:


> No, you misunderstood (or I wrote bad English). I thought it was illegal to do DNS interception. And for the record, I have yet to find out. I think I will be able to file a detailed complaint before the CNIL by next week.


Oh, ok. I would not necessarily classify DNS interception as illegal. It might be done for caching and performance reasons or others. What would be illegal is for the provider to log your DNS requests (spying) or change the outcome of the queries.
If they break your secure DNS connection, that for sure is weird. Imagine your provider turning your HTTPS connections into HTTP. They're not allowed to do that; it's a man-in-the-middle attack.
You could call them and ask.

With that said, DNSSEC is quite new and they might still be having technical difficulties implementing (or ignoring) it. Especially if they did some DNS caching tricks for performance. I would give the provider the benefit of the doubt and clarify what's actually going on.


----------



## hukadan (May 21, 2019)

roccobaroccoSC said:


> I would not necessarily classify DNS interception as illegal.


What could be illegal is them doing it without you knowing. I asked them to show me where it was mentioned in the contract, but they failed to provide such information. I know from Mastodon that at least someone else came across the same problem and intends to file a complaint. But he has to wait for the three months' delay to do so.


roccobaroccoSC said:


> I would give the provider the benefit of the doubt and clarify what's actually going on.


According to the GDPR, they had three months to clarify and they did not.


----------



## D-FENS (May 21, 2019)

You could try and sue them, which could cost them dearly if they indeed violate the GDPR.
I would not expect however the companies to reveal all technical details to the customers. Probably 99% of the customers are completely ignorant about what DNS is, so there's no point in exposing the technical details to them.
There can be legitimate reasons to alias DNS servers, as well as illegitimate ones.
But overriding a public IP address with their own one is very smelly and you should probably talk to them and request an explanation. The contract probably obligates the provider to provide Internet access, so you need access to all public IPs. They should not be overridden.


----------



## PMc (May 21, 2019)

hukadan said:


> From what I understand, they not only intercept DNS but also redirect users asking for nonexistent URLs. In that sense, they manipulate DNS records. My case is slightly different since, to my knowledge, they still provide correct answer to DNS requests.



That depends on what you define as "correct answers". If my friend and I decide to run whatever specialized service between our specific machines on port 53, we should be able to do this. In such a case, the correct answer can certainly not be provided if this connection is re-routed to an entirely different server.
In such a case I would open a ticket for service outage, wait until the 97% contracted availability has passed (i.e. 11 days), and then cease payment with a written note that no activities to end the service outage could be observed.


----------



## Deleted member 9563 (May 21, 2019)

PMc said:


> That depends on what you define as "correct answers". ...



Indeed. We're not all ICANN fans. There are alt-root servers and some people won't be able to reach the sites they expect with the OP's ISP unless they tunnel past them. And of course that's what a lot of people do.


----------



## ronaldlees (May 22, 2019)

Did they object to his complaint to authorities and then pull the plug on him? I suppose we'll need to wait until he gets fiber to find out, assuming it's not a related ISP :-(

I think this is common practice (hijack) - so he may not find a more privacy-embracing ISP. He probably should just have taken OJ's advice.


----------



## hukadan (May 22, 2019)

PMc said:


> That depends on what you define as "correct answers"


I consider a "correct answer" to be an answer that is identical to the information published by the zone owner.


ronaldlees said:


> Did they object to his complaint to authorities and then pulled the plug on him?


Don't worry, I am still plugged in.


ronaldlees said:


> He probably should just have taken OJ's advice.


For the record, I am no longer affected by their DNS interception (I made it clear in my first post on this thread) since I use DoT, but I feel concerned by the subject.


----------

