Who's got visible projects looking to detect this from various points/regimes on the internet? (University of Toronto's IXMaps group, whom I advised a few times over the years, did something similar for routes, not that BGPlay isn't out there, but they translated it into human as a sociology project, born of the Carnivore era. https://www.ixmaps.ca/ ) I'm glad no one said Namecoin yet. Oops. /kc
On Thu, Mar 29, 2018 at 04:26:47PM +0000, Baldur Norddahl said:
Technically, tweaking your DNS resolver to lie (and/or to log) is much easier and faster (and waaaaay less expensive) than setting up a packet interception and rewriting device at line rate.
It is just a static /32 route for well known DNS resolvers to the ISP resolver. It is free and trivial. To make your resolver reply with the correct IP you simply add all the well known /32 addresses to the localhost interface.
To get any service instead of just well known ones, you can use source routing based on the port number 53. Direct this to a Linux server that will NAT the traffic towards the ISP DNS. This is also trivial and free, provided your routers support source routing (ours do).
Detectable, yes, but also hard to escape for the average user. They will need to go full VPN. Running your own resolver will not work.
Regards
Baldur
-- Ken Chase - math@sizone.org Guelph Canada
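One way to test for the port-53 redirection Baldur describes, from the user side Ken asks about, as an added example that is not part of the thread or any project named in it: ask several well-known public resolvers to identify themselves with a CH TXT id.server query (RFC 4892). If the answers for supposedly independent operators all carry the same identity string, every port-53 flow landed on the same box. The resolver list and the constructed sample reply are assumptions; the parser uses only the standard library.

```python
import socket, struct
RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]  # public resolvers to probe (assumed set)
TXID = 0x1234
def build_query(name="id.server", qtype=16, qclass=3):
    # CH TXT id.server (RFC 4892): whichever server really answers names itself
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, qclass)
def _skip_name(data, off):  # step over a (possibly compressed, RFC 1035 4.1.4) name
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)
def parse_txt(resp):
    """Return (txid, rcode, [TXT strings]) from a raw DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    off, txts = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # question: name + type + class
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        p = off = off + 10
        while rtype == 16 and p < off + rdlen:  # TXT rdata is <len><chars>...
            txts.append(resp[p + 1:p + 1 + resp[p]].decode(errors="replace"))
            p += 1 + resp[p]
        off += rdlen
    return txid, flags & 0xF, txts
def probe(resolver, timeout=2.0):  # identity strings, or None on timeout / bad txid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (resolver, 53))
            resp, _ = s.recvfrom(512)
        except OSError:
            return None
    txid, _rcode, txts = parse_txt(resp)
    return txts if txid == TXID else None
def assess(results):
    # Independent operators all reporting one identity means every port-53 flow
    # landed on the same box; id.server is optional, so silence alone proves nothing.
    ids = {r: tuple(t) for r, t in results.items() if t}
    if len(ids) < 2:
        return "inconclusive"
    return "likely-intercepted" if len(set(ids.values())) == 1 else "no-evidence"
# Constructed sample reply (not a capture): header + echoed question + one TXT answer
_TXT = b"ns1.isp.example"
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + build_query()[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(_TXT) + 1)
                   + bytes([len(_TXT)]) + _TXT)
if __name__ == "__main__":
    print(assess({r: probe(r) for r in RESOLVERS}))
```

Matching identities are strong evidence; differing or missing ones are not proof of a clean path, since an interceptor could also forward CH queries untouched.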