Using BT Internet - BE AFRAID!

Disclaimer :: this information is just my technical opinion, however the basic facts have been confirmed by BT technical support.

Why?

When you make a DNS request through BT, BT intercepts the request at packet level, by this I mean it intercepts requests made on UDP port 53. It then services those requests using their own DNS servers, and returns the result to you, while pretending to be the nameserver you were wanting to or expecting to query.

Why is this a problem?

BT are effectively censoring which domains you are allowed to look up and hence which websites you can visit, while at the same time advertising “totally unlimited broadband”. I guess you could exclude this reason if you’re cool with BT telling you which parts of the Internet you can look at.

Secondly, it appears that their filtering system doesn’t always work as expected and it filters sites ‘unexpectedly’, indeed it can prevent you from looking at some sites, even tho’ BT are not explicitly trying to block them.

Thirdly, it appears that VERY few people inside BT actually know this is happening, let alone know how this is happening or what makes the filtering tick. So, what happens if the Syrian Electronic Army hijack BT’s DNS servers? What happens if one of BT’s DNS servers gets corrupted (it can happen!) and starts giving out the wrong results?

But what if I want to directly query a DNS server, like Google on 8.8.8.8?

You can’t.

The really scary bit …

BT think they can filter the Internet without telling anybody.
BT think that spoofing replies from other people’s servers (without telling anyone or seeking permission from either server or client) is “Ok”.

I asked a question earlier of someone inside BT who I thought competent to provide an accurate answer, it was;
If BT, or someone inside BT decided to spoof an entire site by redirecting the DNS to a copy of the site that had been modified or censored in some way, how would I as a customer be able to tell?

The answer;
“Erm, I guess you wouldn’t …”

And the followup …

If something like this happened, how many people inside BT would be capable of spotting it (if they were looking for it) ??

The answer;
“very few”

BT Customer … Not afraid yet?

Next time you look at a website, consider that the process of converting the domain name you requested to an internet address, as performed by your browser, has been interfered with and the site you are looking at is the site BT have directed you to, which may or may not be the site you requested.

Sure, brush it off … but next time you log into your online banking and it tells you that you’ve entered the wrong password, remember this post!

Caveat :: this appears to be something new BT are doing to broadband connections taken out after the middle of December 2013, or at least for the moment, so if you have an older line, you may not have this issue … yet.

Networking is a major knowledge blind-spot for me, but would using an encrypted VPN mitigate against this? How about Tor? Or some kind of static proxy/hostname file?

Absolutely. When you use a VPN (or Tor), your traffic is effectively wrapped up and passes through the Internet as anonymous data, and is only unpacked and “decipherable” when it reaches its destination. So if you make DNS queries (on UDP/port 53) via the VPN, BT sees VPN data, and not DNS data, hence it won’t touch it.

It’s somewhat ironic that the actions of BT (and others) are likely to promote the use of Darknets, which will make it more difficult (by orders of magnitude) for them to control (let alone monitor) what their customers are doing.

Nothing like shooting one’s own foot off to exhibit the true nature and competence of one’s executive decision makers!

It’s not just BT, it’s ALL major UK ISPs … they’ve ALL been forced by the government and high courts to implement filtering

IIRC, BT were actually the ones that fought it for as long as was possible (Newzbin 2)


The technical measures used to block sites include DNS hijacking, DNS blocking, IP address blocking, and Deep packet inspection, making consistent detection problematic. One known method is ISP scraping DNS of domains subject to blocking orders to produce a list of IPs to block.[9]

Yet ANOTHER case of one law for us, and another for them (?)…
(I’m pretty sure they’d prosecute the hell outa you for DNS hijacking)

Question;
So what does a court order instructing you to block a website have to do with BT messing with DNS requests?

“BT’s (pretend) answer - to stop people getting to those websites”.

But;

  • It doesn’t stop anyone from getting anywhere, it stops people from being able to resolve domain names to IP addresses.
  • If you know the IP address you can still get there.
  • If they use an alternate domain name, you can still get there.
  • So if BT just mess with DNS queries, they are physically failing to comply with the court order to block certain sites.

The ONLY way to effectively block a given site is to block all traffic to either a specific IP or to a range of IPs.
This can be done 100% reliably in a matter of seconds, whereas messing with DNS queries on the other hand is very complex, they ARE getting it wrong and breaking internet access.

So, my next question;

Why are they doing something very difficult and very unreliable, in preference to something very easy and very reliable ???

I’d be fairly sure that a court wouldn’t specify a method (it wouldn’t be competent to), and indeed given a choice would choose the 100% reliable method … So … ?!

OK, let me modify my original response … it was originally the government’s idea, forced in court … but I have no doubt that once forced the major ISPs sat down (probably together) and thought - OK, we’ve been told to do this, how can we do it in a way that benefits us and/or gives us maximum scope for future misconduct, where if push comes to shove we can say “they told us to do it”.

I have no proof, but I have a feeling Sky are also DNS hijacking/redirecting.

Although it wouldn’t surprise me to find GCHQ aren’t involved somewhere along the line (literally).

That’s one of the problems with the country … any new piece of legislation immediately gets shoved into departmental and corporate think tanks to see how far it can be twisted out of its original context to suit their agenda.

I remain amazed people haven’t kicked up a stink about this kinda behaviour … if the postman turned up at your door and proceeded to open and read your mail before giving it to you, or at will the police set up roadblocks around the newsagent because there was something in the paper the government disagreed with … people would be up in arms.

Too busy with candy crush saga to notice I guess :slight_smile:

"or at will the police set up roadblocks around the newsagent because there was something in the paper the government disagreed with"

Mm, this is what’s currently happening online … and no response from the people … what can I say … “Baahh”.

"they told us to do it"

Absolutely - that’s their excuse for doing it, but my point is that what they’re doing is actually nothing to do with legislation or being forced to do it …

If you want to test the Sky theory, it’s relatively easy;

  • Set up a nameserver (package: bind9) on your VPS
  • Amend the config so it listens on the public IP ( add listen-on 0.0.0.0 in the config )
  • On your vps do; “tcpdump -n port domain and host ”
  • Then from your home PC do;
  • dig @ www.linux.co.uk

If the query is getting through, it’ll show on the tcp dump. If you get an answer back and nothing appears on the tcpdump, then something else answered in place of your server … i.e. spoofed the result.

— this is a working bind9 /etc/bind/named.conf.options —

options {
    directory "/var/cache/bind";
    allow-recursion { 127.0.0.1; };
    allow-query { any; };
    allow-query-cache { any; };
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    querylog true;
    check-names master ignore;
    check-names slave ignore;
    dnssec-validation yes;
};
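An added example, not part of the original post: the tcpdump comparison described above, automated over saved capture lines. It goes slightly beyond the post by using a random probe name (so no cache can already hold an answer) and by separating queries that arrive from your own line from ones relayed by some other resolver. The zone `probe.example`, the addresses and the capture lines are constructed for illustration.

```python
import re
import secrets

# Matches a DNS *query* line as printed by `tcpdump -n port domain`.
QUERY_RE = re.compile(
    r" IP6? (?P<src>\S+)\.\d+ > \S+\.53: \d+\S* (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)

def make_probe_name(zone):
    """Random, never-before-seen name to query with dig (zone is an assumption)."""
    return f"{secrets.token_hex(8)}.{zone.strip('.')}".lower()

def sources_for(probe, tcpdump_lines):
    """Source IPs from which a query for `probe` reached the VPS."""
    wanted = probe.rstrip(".").lower()
    seen = set()
    for line in tcpdump_lines:
        m = QUERY_RE.search(line)
        if m and m.group("qname").rstrip(".").lower() == wanted:
            seen.add(m.group("src"))
    return seen

def classify(probe, client_ip, got_answer, tcpdump_lines):
    """got_answer: True if dig on the home PC received any DNS response."""
    srcs = sources_for(probe, tcpdump_lines)
    if client_ip in srcs:
        return "direct"    # query arrived untouched from the home line
    if srcs:
        return "relayed"   # arrived, but sent by someone else's resolver
    if got_answer:
        return "spoofed"   # answered, yet the VPS never saw the query
    return "lost"          # no answer and nothing in the capture

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    "12:00:01.100000 IP 203.0.113.7.51234 > 198.51.100.10.53: 4660+ [1au] A? aaaa1111.probe.example. (51)",
    "12:00:05.200000 IP 192.0.2.53.40000 > 198.51.100.10.53: 999 A? bbbb2222.probe.example. (40)",
    "12:00:05.300000 IP 198.51.100.10.53 > 192.0.2.53.40000: 999*- 1/0/0 A 198.51.100.10 (56)",
]

if __name__ == "__main__":
    for name in ("aaaa1111", "bbbb2222", "cccc3333"):
        probe = f"{name}.probe.example"
        print(probe, classify(probe, "203.0.113.7", True, SAMPLE))
```

A "spoofed" or "relayed" result for a query sent straight to your own server's address is the signature the post describes: something between the home line and the VPS handled the lookup instead.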

Just found this post whilst trying to find out why BT seems to be dropping connections to a lot of the DVRs I fit at the moment.

A lot of the things here seem to be the exact problems I’m experiencing. We use a service called dvrlink.net and every few days BT customers using the DDNS service don’t seem to be able to connect until they manually restart the DVR which I’m guessing is forcing the DDNS through somehow.

If anyone had a minute to maybe comment on this I would be really appreciative.

M

I take it the DVR is on a static IP outside the router’s DHCP pool ?

Does restarting the router without restarting the DVR make any difference ?

Yeah it’s on a static IP outside the pool.

Restarting the router didn’t help at all in some cases but brought the service back in others.

Thanks for your reply I’m pulling my hair out with this one.

I take it the DVR has some kind of built in updater for the DDNS service … does it generate any log files ?

when the connection appears to have dropped, are you from a local PC able to ping dvrlink.net by both IP and hostname

and are you (again locally) able to ping the DVR by both IP and hostname

is BT (as the ISP) the only common factor … or are they all Infinity, or all the same HomeHub model ?

I’ll try the pings and see what I can find out.

It seems to be across different BT routers actually. The problem also seems to have reared its head on Talk Talk connections and Sky but not one from Virgin customers at present.

Regards

M

Might be worth running a traceroute as well as ping, to see where the connection is lost (i.e. does it even make it past the ISP?)

This is a current trace of a site that is down right now. I can not ping the ddns name there and this is one of the BT customers. I have just spoken to the customer and I guarantee within 20 minutes when he’s rebooted the DVR it will be back on.

81.139.135.74 is from United Kingdom(UK) in region Western Europe
TraceRoute from Network-Tools.com to 81.139.135.74 [slackwoodhouse.dvrlink.net]

Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 129.250.202.253 xe-0-4-0-12.r01.dllstx04.us.bb.gin.ntt.net
2 0 0 0 129.250.2.10 ae-1.r20.dllstx09.us.bb.gin.ntt.net
3 32 33 33 129.250.3.50 ae-3.r20.asbnva02.us.bb.gin.ntt.net
4 Timed out 39 35 129.250.4.5 ae-0.r21.asbnva02.us.bb.gin.ntt.net
5 Timed out Timed out 126 129.250.2.145 ae-2.r23.amstnl02.nl.bb.gin.ntt.net
6 162 134 136 129.250.4.125 ae-0.r22.amstnl02.nl.bb.gin.ntt.net
7 127 124 124 129.250.5.197 ae-5.r23.londen03.uk.bb.gin.ntt.net
8 136 127 134 129.250.6.55 ae-7.r00.londen10.uk.bb.gin.ntt.net
9 142 141 137 82.112.101.74 -
10 129 141 132 166.49.214.173 166-49-214-173.eu.bt.net
11 138 138 142 62.6.201.228 core4-te0-2-0-12.faraday.ukcore.bt.net
12 137 137 137 109.159.249.172 acc2-10gige-0-3-0-2.l-far.21cn-ipp.bt.net
13 144 149 145 109.159.249.217 -
14 152 150 150 217.41.168.108 -
15 138 143 136 217.41.168.204 -
16 146 139 138 213.120.177.101 -
17 135 136 135 213.120.178.148 -
18 Timed out Timed out Timed out -
19 Timed out Timed out Timed out -
20 Timed out Timed out Timed out -
21 Timed out Timed out Timed out -
Trace aborted.

Any help appreciated.

M

Were you able to ping dvrlink.net by IP address, where pinging by domain name failed ?

If so, do these DVR boxes have a hosts file ?

Hmm, I’m gonna guess that traceroute isn’t that useful under a DDNS :frowning:
Sorry for the wasted time!

Could not ping the IP address either.

It is back up now too so can do no more checks at the minute. Seems so odd, I’m really not sure if the DVR uses a host file.

Thank you all by the way, much more help here than BT forums.

M

Another thing I will note is that we have also tried other 3rd party DDNS services with the same results and tried using various ports.

So strange that the DDNS is solid on Virgin but flakey on BT, TT, Plusnet and Sky. Someone at Sky actually said that the service they offer is purchased for cheap from BT too to sell on at a premium for their customers.

Nothing has changed in the manufacturing of the DVR either and this only started occurring within the last 6 months.

Next time it drops out, might be worth running

nslookup slackwoodhouse.dvrlink.net

and checking the IP held by the nameservers actually tallies with the current WAN IP of the router the DVR is connected to

Got this one at the moment.

http://peaches.dvrlink.net:6200

Ping comes back dead and so does the nslookup for the URL. When checking on Network Tools.net it comes back with the IP address 2.28.180.239 which at present I can only assume this is cached to the URL and actually the old IP address being kept by the URL. When trying to ping or nslookup that IP address I get the same results.

This one is actually on EE broadband which again is one which we have had some issues with. From here on I have advised my client to re-apply the DDNS page which generally forces through the new IP to the URL. This should be getting done this evening so I have a downed connection to look at for most of the day if there is anything else I can check.

Thanks again!

M