Yet another Quadruple DNS?
baldur.norddahl at gmail.com
Thu Mar 29 16:26:47 UTC 2018
> Technically, tweaking your DNS resolver to lie (and/or to log) is much
> easier and faster (and waaaaay less expensive) than setting up a
> packet interception and rewriting device at line rate.
It is just a static /32 route for well known DNS resolvers to the ISP
resolver. It is free and trivial. To make your resolver reply with the
correct IP you simply add all the well known /32 addresses to the localhost
To get any service instead of just well known ones, you can use source
routing based on the port number 53. Direct this to a Linux server that
will NAT the traffic towards the ISP DNS. This is also trivial and free,
provided your routers support source routing (ours do).
Detectable yes, but also hard to escape for the average user. They will
need to go full VPN. Running your own resolver will not work.
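The post says the redirection is "detectable". One way a client can detect it, as an added example that is not part of this post or of any NANOG material: send a CHAOS-class TXT query for `id.server` (RFC 4892) to the public resolver address and compare the identity string in the reply with a baseline recorded from a path known to be unfiltered (for example over a VPN). If port-53 traffic to that address is being policy-routed to the ISP resolver, the answering server's identity, or its RCODE, differs. The expected identity substring is an assumption you supply from your own baseline, and the response bytes used in the offline check are constructed fixtures, not captured traffic.

```python
"""Detect transparent interception of queries to a well-known public resolver.

Added example, not code from the mailing-list post. A CHAOS TXT query for
"id.server" (RFC 4892) asks a name server to identify itself; a policy-routed
reply from a different resolver carries a different identity or an error.
EXPECTED_ID is an assumption recorded from an unfiltered baseline measurement.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split(".") if label)
    return out + b"\x00"


def build_chaos_txt_query(name: str = "id.server", txid: int = 0x4242) -> bytes:
    """DNS query: header (RD=1, QDCOUNT=1) plus one question <name> TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def build_txt_response(query: bytes, txt: str, rcode: int = 0) -> bytes:
    """Constructed reply to <query> with one TXT answer (offline test fixture)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    msg = header + question
    if ancount:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        # name = compression pointer to offset 12 (the question name), TTL 0
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes):
    """Return (rcode, [txt strings]) from a response; non-TXT records are ignored."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    txts = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT:
            i = 0
            while i < len(rdata):  # TXT RDATA is a sequence of <len><chars>
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return flags & 0xF, txts


def classify(rcode: int, txts, expected_substring: str) -> str:
    """'expected' if the identity matches the baseline, 'suspicious' if another
    server answered, 'unknown' if the server refuses or does not implement it."""
    if rcode != 0 or not txts:
        return "unknown"
    return "expected" if any(expected_substring in t for t in txts) else "suspicious"


def check_resolver(ip: str, expected_substring: str, timeout: float = 2.0) -> str:
    """Send the query over UDP/53 to <ip> and classify the reply (needs network)."""
    query = build_chaos_txt_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        return "suspicious"  # transaction id does not match our query
    rcode, txts = parse_txt_answers(data)
    return classify(rcode, txts, expected_substring)


if __name__ == "__main__":
    # Placeholder: replace with the identity your resolver returns over a
    # known-unfiltered path; it is an assumption, not a documented value.
    EXPECTED_ID = "BASELINE-IDENTITY-PLACEHOLDER"
    print(check_resolver("1.1.1.1", EXPECTED_ID))
```

Record the baseline first, because `id.server` text is operator-defined and some resolvers answer it with REFUSED, which the check reports as "unknown" rather than as interception. A "suspicious" result only shows that a different server answered on that path; it does not tell you where the redirection happens.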
More information about the NANOG