docsmooth · Teacher · 7 Messages · Mon, Nov 13, 2017 5:54 PM

IPv6 DNS and DNS Hijacking

I do IT Security work and have a test lab at home. I recently upgraded to AT&T Gigapower 100 Mbps from AT&T Uverse vDSL 18 Mbps. When we were on vDSL, everything in my network ran fine. All of the clients got their DNS from the DHCP server and pool. When IPv6 was turned on, the AT&T router would provide RAs with the O-bit set, and my Stateless DHCPv6 server (RFC 3736: http://tools.ietf.org/html/rfc3736) would provide the DNS server addresses and DNS search names for the internal hosts.

Now that we're on the upgraded Gigapower, and have new equipment, the O-bit is set, but the router is appending additional headers to the RA packet, including itself as a DNS server.

I need to disable that, OR tell the router to send my internal DNS servers as the DNS servers instead. I don't see this option in the 5268AC router.

How do I use my own internal DNS servers for IPv6?

Also, how do I get AT&T to disable DNS hijacking?

$ dig thisshouldnotresolve.fu @192.168.1.254

; <<>> DiG 9.10.3-P4-Ubuntu <<>> thisshouldnotresolve.fu @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10986
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thisshouldnotresolve.fu.       IN      A

;; ANSWER SECTION:
thisshouldnotresolve.fu. 10     IN      A       198.105.254.130
thisshouldnotresolve.fu. 10     IN      A       104.239.207.44


I *should* be getting NXDOMAIN.  AT&T keeps redirecting me to ConnectTech to pay to fix my Windows 10 install, so that's been fruitless, since it's 100% in their network and config, as far as my tcpdumps tell me.  Any assistance anyone can provide would be great.


PS: for those wondering what DNS hijacking is, see: https://www.wired.com/story/what-is-dns-hijacking/ and https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs - it's a security problem.
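The dig run above is the fingerprint of ISP-side NXDOMAIN rewriting: a name that cannot exist comes back NOERROR with A records. The following added example (not from the original post) parses dig's text output and classifies the resolver as honest or hijacked; both sample outputs are constructed, the first mirroring the thread's query.

```python
"""Classify resolver behaviour from dig's text output for a must-not-exist name.
Added example, not from the original post. Flags the hijack the thread shows:
a should-be-NXDOMAIN query answered NOERROR with A records. Sample outputs are
constructed (the first mirrors the thread's dig run)."""
import re

HIJACKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10986
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;thisshouldnotresolve.fu.       IN      A
;; ANSWER SECTION:
thisshouldnotresolve.fu. 10     IN      A       198.105.254.130
thisshouldnotresolve.fu. 10     IN      A       104.239.207.44
"""

HONEST = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;thisshouldnotresolve.fu.       IN      A
;; AUTHORITY SECTION:
fu.    900  IN  SOA  ns.example. hostmaster.example. 1 2 3 4 5
"""

STATUS_RE = re.compile(r"status: (\w+)")
A_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.M)

def parse_dig(text):
    """Return (status, [A-record IPs from the ANSWER SECTION only])."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    # Everything after the ANSWER SECTION header up to the next ';;' section.
    answer = text.partition(";; ANSWER SECTION:")[2].split(";;", 1)[0]
    return status, [ip for _, _, ip in A_RR_RE.findall(answer)]

def classify(text):
    """'hijacked' when a must-not-exist name gets NOERROR plus A records."""
    status, ips = parse_dig(text)
    if status == "NOERROR" and ips:
        return "hijacked", ips
    if status == "NXDOMAIN":
        return "honest", ips
    return "unexpected:" + status, ips

if __name__ == "__main__":
    for label, out in (("hijacked", HIJACKED), ("honest", HONEST)):
        print(label, classify(out))
```

Feeding the output of `dig <random-label>.invalid @<resolver>` to classify() for several random labels turns this into a repeatable check; a resolver that returns the same A records for every label is rewriting NXDOMAIN.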

docsmooth · Teacher · 7 Messages · 5 years ago

[Image: att-broken.png] A cleaned-up overview of my lab, in case you can't understand why someone would want to run their own DNS.

docsmooth · Teacher · 7 Messages · 5 years ago

Bueller?

JefferMC · ACE - Expert · 29.3K Messages · 5 years ago

The 5268ac will give out its own address in DHCP requests. There's no way to disable this behavior. You have to park your own equipment in front of the 5268ac to intercept the DHCP requests.

There is a page on the myATT site where you can tell it you don't want to utilize their DNS redirection service for failed lookups. I know because I've been there and turned the dang thing off. Log on to the account management area of https://att.com and you can probably find it. If you can't, I'll try to locate it again.

docsmooth · Teacher · 7 Messages · 5 years ago

Yeah, I *have* a device in front of the 5268ac blocking the IPv4 DHCP, and my internal DHCP server works fine.

This is *only* a problem with IPv6. Because AT&T only gives out /64, I have to set my cascaded router in "passthrough" mode, which means it blindly repasses all IPv6 traffic as if it weren't there...

So my clients pick up the router as the IPv6 DNS, and my internal servers as their IPv4 DNS, and they just get completely inconsistent DNS results. I haven't been able to find the page - if you have it in your history still, I'd love to know the search terms. "DNS error" and "error assist" and other combinations aren't finding anything, even when I search the whole site. Yet.

Thanks
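The split-brain DNS described here comes from the gateway's RA carrying an RDNSS option (RFC 8106) that points clients at the gateway itself, even though the O-bit already says "get DNS from DHCPv6". The following added example (not from the original post) decodes an RA, extracts the M/O flags and every RDNSS address, and reports any resolver that is not on an allowlist of internal servers; the packet, the link-local address and the allowlist are constructed sample values.

```python
"""Audit an ICMPv6 Router Advertisement for the RDNSS option (RFC 8106).

Added example, not from the original post. Walks the RA options and reports
any RDNSS server that is not one of the allow-listed internal resolvers;
the packet and allowlist below are constructed sample values.
"""
import ipaddress
import struct

RDNSS_OPT = 25  # option type per RFC 8106

def build_ra(flags, options):
    """Constructed RA body (no IPv6 header): type 134, code 0, zero checksum."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    return hdr + b"".join(options)

def rdnss_option(addrs, lifetime=1800):
    """RDNSS option: type, length in 8-octet units, reserved, lifetime, addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBHI", RDNSS_OPT, 1 + 2 * len(addrs), 0, lifetime) + body

def parse_ra(pkt):
    """Return (m_flag, o_flag, [rdnss addresses]); raises on a malformed RA."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    m_flag, o_flag = bool(flags & 0x80), bool(flags & 0x40)
    rdnss, off = [], 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option at offset %d" % off)
        if otype == RDNSS_OPT:
            for i in range(off + 8, off + olen, 16):
                rdnss.append(str(ipaddress.IPv6Address(pkt[i:i + 16])))
        off += olen
    return m_flag, o_flag, rdnss

def audit(pkt, allowed):
    """Return the O-bit and every RDNSS server that is not an internal resolver."""
    _, o_flag, rdnss = parse_ra(pkt)
    allowed = {str(ipaddress.IPv6Address(a)) for a in allowed}
    return {"o_flag": o_flag, "rogue_rdnss": [a for a in rdnss if a not in allowed]}

# Constructed sample: O-bit set, RDNSS naming the router's own link-local address.
INTERNAL_DNS = ["2001:db8:1::53"]
SAMPLE_RA = build_ra(0x40, [rdnss_option(["fe80::1"])])

if __name__ == "__main__":
    print(audit(SAMPLE_RA, INTERNAL_DNS))
```

Pointing parse_ra() at the ICMPv6 payload of a captured RA (for example from tcpdump with `icmp6 and ip6[40] == 134`) shows exactly which resolvers the gateway is pushing, which is what the cascaded router has to override with its own RA once it owns the prefix.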

JefferMC · ACE - Expert · 29.3K Messages · 5 years ago

The "feature" you're looking to turn off is DNS Error Assist. It isn't obvious. It's hidden under Communication Preferences. To get there I clicked on the human head shape (the avatar) and selected View Profile from the drop-down menu. Then clicked on Communication Preferences. From there, clicked Privacy Settings. DNS Error Assist showed up in the menu on that page. Once it is clicked, you have to click on Manage my preferences below it. Only then does the check box to Opt Out show up.

docsmooth · Teacher · 7 Messages · 5 years ago

FYI: if you scour the error assist search page, there's an opt-out option buried in there as well, which I found at about the same time as you posted.

I'm still having the IPv6 DNS problem. Looking at the router, it looks like it's implementing IPv6 via 6rd, so I'm going to try to simply move that config back to my router, and disable it on the AT&T equipment...

JefferMC · ACE - Expert · 29.3K Messages · 5 years ago

@docsmooth wrote:
... it looks like it's implementing IPv6 via 6rd, ...

The AT&T IPv6 solution is indeed a tunneling solution, so that might work. Good luck!

docsmooth · Teacher · 7 Messages · 5 years ago

Argh, the 2602 prefix is a 6rd setup, but the 2600 prefix is dual-stack IPv6, so I *can't* set up 6rd.

This is ridiculously crazy to get working.

docsmooth · Teacher · 7 Messages · 5 years ago

OK, suddenly this morning on a "disable/re-enable" of IPv6 in the 5268ac, I have a /60 IPv6 network, not a /64... which means I can subnet that 4 times on my own router and... BOOM, it's working, because my cascaded router can send out its OWN O flag. 🙂

1) How long will this last?
2) Who changed this and why didn't I get notified?
3) Now, what should I do with the other 3 networks? hehehehe
