How Did This Happen? DNS Question.

Elmer

Senior Member
AX88 with 386.8 B2: So, I was just checking things after upgrading to Beta2 and I have these DNS servers listed (along with the Cloudflare I expected) when doing a leak test.
203.17.244.34 | None | GSL Networks Pty | Amsterdam, Netherlands
203.17.244.36 | None | GSL Networks Pty | Amsterdam, Netherlands
I am running DoT with Cloudflare and Quad9 (both IPv4 and IPv6 (native AT&T IPv6)) and using DNSFilter set to Router. DNSSEC test showed good. I have the Cloudflare DNS IPv6 set on the IPv6 page. I have no running VPNs. 'GSL Networks' has a shady online presence. How could this have happened? Could it be a network device running a VPN on its own?
 

Elmer

Senior Member
Never mind. I'm in the middle of switching to another ISP and was actually able to switch from ATT to the other ISP. Once on the other ISP, those entries disappeared and I'm seeing only what I expected. I'm in passthrough mode on the ATT router, and maybe leaks on the 192.168 address it provides to the Asus router. I would assume it's coming from some rogue app on an Android/iOS phone/tablet that does its own little network discovery.
 

Elmer

Senior Member
Gets even odder:
------------------
Quad9 utilizes multiple network providers in our global network. When running a DNS leak test, or determining the IP address which is used to perform the recursive DNS query using a test like:

dig +short A whoami.akamai.net
it's expected to see IP addresses owned by the following providers:

WoodyNet (AKA PCH.net)
PCH.net
GSL Networks
i3D
EdgeUno
Equinix Metal (FKA: Packet, Packet.net, or Packethost)
These organizations are also listed on the Sponsors page of the Quad9 website: https://quad9.net/about/sponsors
If you are trying to simply determine if you are using Quad9, you can visit https://on.quad9.net instead of relying on a DNS leak test. However, a DNS leak test can be useful to ensure you're exclusively using Quad9, which is required to ensure that all of your DNS requests will be protected by Quad9.

--------------------
and:
____________
GSL Networks Pty LTD is a medium fraud risk ISP. We consider GSL Networks Pty LTD to be a potentially medium fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a medium risk of being fraudulent. Other types of traffic may pose a different risk or no risk.
(GSL Networks Pty LTD - Fraud Risk - Scamalytics, https://scamalytics.com/isp/gsl-networks-pty-ltd)

____________

Switched back to ATT and sure enough GSL Networks was there in a deep scan. Deleted Quad9 from the DoT list and GSL Networks was gone. Why in the world would Quad9 associate itself with a scammy ISP? I still don't understand why the DNS scan using the alternative ISP did not show GSL Networks - it merely showed Cloudflare and WoodyNet. DNS is a strange beast.
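An added example, not part of the original posts: one way to audit leak-test output against the upstreams actually configured, treating the networks named in the Quad9 text quoted above as expected for Quad9. The row layout, the "Cloudflare" label and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Networks the Quad9 text quoted in this thread lists as carrying Quad9.
QUAD9_NETWORKS = ["WoodyNet", "PCH.net", "GSL Networks", "i3D", "EdgeUno",
                  "Equinix Metal", "Packet", "Packet.net", "Packethost"]
# Assumption: the leak test labels Cloudflare's resolvers "Cloudflare".
UPSTREAM_NETWORKS = {"quad9": QUAD9_NETWORKS, "cloudflare": ["Cloudflare"]}


def owner_of(isp, configured):
    """Return the configured upstream whose network list matches this ISP label."""
    for upstream in configured:
        for name in UPSTREAM_NETWORKS[upstream]:
            if re.search(r"\b" + re.escape(name) + r"\b", isp, re.IGNORECASE):
                return upstream
    return None


def audit(report, configured):
    """Split 'ip | hostname | isp | location' rows (hypothetical layout)."""
    expected, unexplained = {}, []
    for line in report.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # header or garbage line, not a resolver row
        upstream = owner_of(fields[2], configured)
        if upstream is None:
            unexplained.append((ip, fields[2]))  # resolver nobody configured
        else:
            expected.setdefault(upstream, []).append(ip)
    return expected, unexplained


# Constructed sample: the thread's two rows plus two made-up RFC 5737 rows.
SAMPLE = """\
203.17.244.34 | None | GSL Networks Pty | Amsterdam, Netherlands
203.17.244.36 | None | GSL Networks Pty | Amsterdam, Netherlands
192.0.2.10 | None | Cloudflare | Dallas, United States
198.51.100.7 | None | Example Telecom | Dallas, United States
"""

if __name__ == "__main__":
    for upstreams in (["cloudflare", "quad9"], ["cloudflare"]):
        print(upstreams, audit(SAMPLE, upstreams))
```

With Quad9 in the configured list the GSL Networks rows are attributed to it; with Quad9 removed, the same rows are reported as unexplained, which is the case that would indicate a real leak.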
 

Tech Junky

Very Senior Member
They're a sponsor so they get to see some packets. I tend to stick with Google and 4.2.2.2 as they both live on my pinhole and all traffic is forced through it and the VPN injects their own on the wan side.
 

eibgrad

Part of the Furniture
As I've stated many times, there's nothing you can do about DNS once it leaves the confines of the router. All our attempts to control it through DoT, DoH, VPNs, etc., are strictly local constructs. That's why you never really have guaranteed privacy and security. You're *always* dependent on a third-party somewhere. And even those you've trusted in the past can turn to the dark side when it suits them.
 

Tech Junky

Very Senior Member
@eibgrad and this is why you layer things and not rely on just a single privacy measure.

VPN cloaks everything beyond the exit IP as several users are using the same IP just like a proxy in a company setting. When you have 1000s of people coming from the same IP and there's at least 2 NATs between the source / destination it's very difficult to track down. Hell, I'm 3 NATs away from public IP space at this point between the ISP handing a 192.168 <> Server/router handing another 192.168 <> VPN handing a 10.5.x.x >>> random public IP for the exit point of the VPN. But even within the ISP network I'm getting converted again to / from IPv6 and potentially other mechanisms as well on top of just what I have control of.


@Elmer

DNS leaks in general though aren't all that much of a risk; it's more of a privacy thing than anything else. Minor annoyances that cause more ads to show up in your spam folder at the end of the day. If you want to lock it down then you'll need to pay or set up your own DNS server and use some obscure external servers. While DNS poisoning can lead you to not get the pages you want or redirect you somewhere with infections galore, I would be more concerned with the IP traffic carrying your sensitive information like logins.
 

Treadler

Very Senior Member
> AX88 with 386.8 B2: So, I was just checking things after upgrading to Beta2 and I have these DNS servers listed (along with the Cloudflare I expected) when doing a leak test.
> 203.17.244.34 | None | GSL Networks Pty | Amsterdam, Netherlands
> 203.17.244.36 | None | GSL Networks Pty | Amsterdam, Netherlands
> I am running DoT with Cloudflare and Quad9 (both IPv4 and IPv6 (native AT&T IPv6)) and using DNSFilter set to Router. DNSSEC test showed good. I have the Cloudflare DNS IPv6 set on the IPv6 page. I have no running VPNs. 'GSL Networks' has a shady online presence. How could this have happened? Could it be a network device running a VPN on its own?

They host quad9, among others.
 

Elmer

Senior Member
Oh that's great. We have a scam artist running global security networks?
 

RMerlin

Asuswrt-Merlin dev
> Oh that's great. We have a scam artist running global security networks?
They're not "running it", they are probably just hosting a local resolver within their data center.
 
