Active DNS filtering at DTAG?

Published July 1st, 2009.

Today, I’ve found some strange behaviour on my TDSL Business connection. Some DNS queries are being dropped at the routers of Deutsche Telekom and I wonder if this is a malfunction with their Internet filters. When I query random name servers using “dig www.google.com any”, those packets never reach their destination. I’ve asked for confirmation on IRC and it looks like others perceive the same odd behaviour.

I’ve investigated this a little bit and found that only port 53/udp is affected; DNS queries over port 53/tcp work fine. Thus, it looks like they are using some deep packet inspection at their routers, as only specific DNS queries are being dropped. Can someone else confirm this odd behaviour?
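To make the observation reproducible, here is a small probe, added here and not part of the original post: it builds the same DNS question (A, SOA or ANY, so it also covers the SOA case raised in the comments) in wire format and sends it once over UDP and once over TCP to the same server, so a resolver that answers on TCP but silently times out on UDP shows up as `(False, True)`. The server 8.8.8.8 and the name www.google.com come from this page; everything else (function names, the 2-second timeout) is the example's own choice.

```python
import random
import socket
import struct

QTYPE = {"A": 1, "SOA": 6, "ANY": 255}   # query types the post and comments mention

def build_query(name, qtype, txid=None):
    """Build a minimal DNS query (RD set, one question, class IN) in wire format."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def frame_tcp(query):
    """DNS over TCP prefixes each message with a 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query

def parse_header(data):
    """Pick the header fields needed to judge whether a reply arrived intact."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0xF, "answers": an, "authority": ns}

def probe(server, name, qtype, transport, timeout=2.0):
    """Send one query; return the parsed reply header, or None on timeout/error."""
    query = build_query(name, qtype)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # same question, length-framed over a TCP connection
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(frame_tcp(query))
                f = s.makefile("rb")
                (length,) = struct.unpack("!H", f.read(2))
                data = f.read(length)
        reply = parse_header(data)
    except (OSError, struct.error):
        return None
    return reply if reply["id"] == parse_header(query)["id"] else None

def compare_transports(server, name, qtype):
    """(udp_ok, tcp_ok): (False, True) is the pattern the post describes."""
    return tuple(probe(server, name, qtype, t) is not None for t in ("udp", "tcp"))

if __name__ == "__main__":
    for qt in ("A", "SOA", "ANY"):
        print(qt, compare_transports("8.8.8.8", "www.google.com", qt))
```

Running it from the affected line and from an unaffected one, with the A query as a control, separates "this query type is dropped on UDP" from "this server is down".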

  • Hi,

    I got the same problem, did you find a solution?

    It seems to me that all SOA requests are filtered out, something like

    host -t SOA google.de 8.8.8.8

    just does not work over T-DSL while it works perfectly elsewhere.

    Schlomo
  • UDP is not reliable. So why should they do "deep" PI on UDP packets but not on TCP?

    Sounds weird.
  • That brings up some scary prospects of Zensursula's filter.
    The world is bragging that these dns filters are so easy to circumvent.

    Which is not entirely true, since DNS is perfect for transparent proxying. Just take everything that goes out on port 53/UDP and let your infected/censored/evil DNS answer the request.

    It might be entirely true that they will destroy our internet infrastructure to enforce some absurd censorship law.
  • I've just found this article [ http://netzpolitik.org/2009/nominum-die-firma-hinter-der-zensursula-infrastruktur/ ], which basically states that the DNS filtering is based upon spoofing DNS replies.