Post navigation

DNS, iOS

DNS hijacking by some mobile carriers

Some of our users reported that DNS Override feature works properly with Wi-Fi networks, but it doesn’t affect the cellular connection as expected.
In most cases this is caused by the fact that the mobile operator is performing DNS hijacking. This means that DNS Override app does his job properly and the DNS queries are targeting DNS servers selected by the user, but the ISP is then intercepting this traffic and forcing DNS resolution using it’s own DNS resolvers.

We would like to start collecting information on ISPs who perform DNS hijacking, so we can inform our users about this problem.

If you have information on mobile networks who hijack DNS requests, please let us know in the comments below. We’ll update our list accordingly. Please post the name and country of origin of the ISP / mobile network.

Below you can find information if selected mobile networks hijack DNS requests:

Country Mobile network DNS hijacking Comments
Australia Optus YES (MCC 505, MNC 02/90)
Denmark H3G NO (MCC 238, MNC 06)
Norway Telenor NO (MCC 242, MNC 01/12)
Indonesia PT. Excelcom YES (MCC 510, MNC 11)
US AT&T YES (MCC 310, MNC 410)
US T-mobile YES (MCC 260, MNC 310)
US Verizon YES
Poland Play NO (MCC 260, MNC 06/07/98)
Poland T-mobile NO (MCC 260, MNC 02/34)
Poland Plus NO (MCC 260, MNC 01)
Poland Orange NO (MCC 260, MNC 03/05)
Singapore M1 NO (MCC 525, MNC 03)
Singapore Singtel NO (MCC 525, MNC 01/02/07)

About Tomasz Koperski

CTO at @FutureMindLLC, founder of @AdBlockiOS, @WeblockApp, @DNSOverride

21 thoughts on “DNS hijacking by some mobile carriers

  • Hi! Claro in Guatemala uses DNS hijacking, I really love your product, so when do you estimate the hijacking is going to be resolved?

  • For users of filtering software like OpenDNS FamilyShield (or whatever), can you confirm that the intended DNS is not reached at all when ISPs do the “hijacking”? In other words, if DNS Override is used for internet filtering, will it still work?

  • 1) Have you guys resolved this ISP hi-jacking issue yet (your last comment on this was from 2017 Jul 30)? I’m using AT&T (MCC 310, MNC 410) and would happily pay the $2 if your app can help me use OpenDNS FamilyShield.
    2) Is it $2 per device or per iTunes account?
    3) Will your app works on iOS 11? And the new iPhone 8 & X?

    • Hi Henry,

      answering your questions:
      1) Still work in progress, but we will deliver this soon.
      2) It’s per Apple ID, you can use the in-app purchase on any number of devices attached to the same iTunes account.
      3) Yes it does work with iOS 11 and any device supporting it.

      Cheers!

  • I’m feel mislead. This app claims to override your dns for mobile networks, however, ATT, Verizon, and T-Mobile all prevent the app from using it. If this is the case, there should be a warning in the description or at least before I purchased the upgrade (I’m on T-Mobile) for United States users that purchasing the dns override add on will likely not work. Any chance I can get my $2 back?

    • Hi Matt. I’m sorry that you’re disappointed with our app. It’s not like the override didn’t succeed on your device, the packets are surely leaving your phone address correctly. This practice of hijacking DNS packets by ISP is something we can’t do much about. We are working on a version which will allow evading DNS hijacking by switching to a non-standard DNS port – some major DNS providers actually run their DNS on higher ports like 1053 or 5353. This way we might be able to go around hijacking done by major US telecoms. In the meantime, if you prefer – please contact Apple for a refund. I hope you’ll consider purchasing DO again when the hijacking evasion is available.

      • Very disappointed that you include anything from Yandex which is one of many companies that helps other companies track everything you do on web pages using their Javascript package (Princeton study). Comodo is either clueless about security or doesn’t care (c.f.: SecurityNow).

        And lastly, with T-Mobile in the US, I don’t have any hijacking. I just have nothing. I’m not going to pay when you say it doesn’t work just to test if it does actually work as you say it does not. It appears to me you have put the user’s config first in the server search list but did not (cannot) remove the DHCP/carrier config. So, any DNS lookup is blocked unless through a VPN tunnel. That block causes the OS to fall to the lower one, which is the carrier. My tests with my phone using my iMac:
        nslookup dnsoverride
        gives address and server (my ISP)
        turn on Personal Hotspot on phone and connect iMac to it.
        nslookup dnsoverride.com
        give address and server (my phone’s private NAT IP (172.20.x.x). Now the fun:
        nslookup dnsoverride.com 9.9.9.9
        –> times out. Tells me that the traffic is just blocked because I’m in full control of my iMac’s network config (and can see there’s a NAT and expect the carrier to take over when it leaves the phone). Of course, hooked to my home’s ISP, the above command is fine (and quick)

        I cannot prove that your app is or is not doing anything, of course.

  • Sadly, some ISPs really do whatever they want…

    But thank you guys for you app! Helping people to have simple tools to make their connected life more secure is something definitely important nowadays.

  • One way to by pass this would be to use dnscrypt-proxy but it needs real work. By the way, M1 in Singapore is not hijacking DNS.

    Regards,

      • We’re looking at possibility of switching to different port (ex. 5353 instead of 53). This will not be possible with most of the listed profiles. If iOS would allow changing the port for DNS, you could probably escape ISP DNS hijacking. You would still need a DNS server running on a non-standard port.

Leave a Reply

Your email address will not be published. Required fields are marked *