Some of our users reported that DNS Override feature works properly with Wi-Fi networks, but it doesn’t affect the cellular connection as expected.
In most cases this is caused by the fact that the mobile operator is performing DNS hijacking. This means that DNS Override app does his job properly and the DNS queries are targeting DNS servers selected by the user, but the ISP is then intercepting this traffic and forcing DNS resolution using it’s own DNS resolvers.
We would like to start collecting information on ISPs who perform DNS hijacking, so we can inform our users about this problem.
If you have information on mobile networks who hijack DNS requests, please let us know in the comments below. We’ll update our list accordingly. Please post the name and country of origin of the ISP / mobile network.
Below you can find information if selected mobile networks hijack DNS requests:
|Country||Mobile network||DNS hijacking||Comments|
|Australia||Optus||YES||(MCC 505, MNC 02/90)|
|Denmark||H3G||NO||(MCC 238, MNC 06)|
|Norway||Telenor||NO||(MCC 242, MNC 01/12)|
|Indonesia||PT. Excelcom||YES||(MCC 510, MNC 11)|
|US||AT&T||YES||(MCC 310, MNC 410)|
|US||T-mobile||YES||(MCC 260, MNC 310)|
|Poland||Play||NO||(MCC 260, MNC 06/07/98)|
|Poland||T-mobile||NO||(MCC 260, MNC 02/34)|
|Poland||Plus||NO||(MCC 260, MNC 01)|
|Poland||Orange||NO||(MCC 260, MNC 03/05)|
|Singapore||M1||NO||(MCC 525, MNC 03)|
|Singapore||Singtel||NO||(MCC 525, MNC 01/02/07)|
21 thoughts on “DNS hijacking by some mobile carriers”
Network AS3320 (Deutsche Telekom AG), Germany, does.
Hi! Claro in Guatemala uses DNS hijacking, I really love your product, so when do you estimate the hijacking is going to be resolved?
I liked the ios app. We also need it for Android.
For users of filtering software like OpenDNS FamilyShield (or whatever), can you confirm that the intended DNS is not reached at all when ISPs do the “hijacking”? In other words, if DNS Override is used for internet filtering, will it still work?
It will not work if your ISP is hijacking the DNS connection.
1) Have you guys resolved this ISP hi-jacking issue yet (your last comment on this was from 2017 Jul 30)? I’m using AT&T (MCC 310, MNC 410) and would happily pay the $2 if your app can help me use OpenDNS FamilyShield.
2) Is it $2 per device or per iTunes account?
3) Will your app works on iOS 11? And the new iPhone 8 & X?
answering your questions:
1) Still work in progress, but we will deliver this soon.
2) It’s per Apple ID, you can use the in-app purchase on any number of devices attached to the same iTunes account.
3) Yes it does work with iOS 11 and any device supporting it.
I’m feel mislead. This app claims to override your dns for mobile networks, however, ATT, Verizon, and T-Mobile all prevent the app from using it. If this is the case, there should be a warning in the description or at least before I purchased the upgrade (I’m on T-Mobile) for United States users that purchasing the dns override add on will likely not work. Any chance I can get my $2 back?
Hi Matt. I’m sorry that you’re disappointed with our app. It’s not like the override didn’t succeed on your device, the packets are surely leaving your phone address correctly. This practice of hijacking DNS packets by ISP is something we can’t do much about. We are working on a version which will allow evading DNS hijacking by switching to a non-standard DNS port – some major DNS providers actually run their DNS on higher ports like 1053 or 5353. This way we might be able to go around hijacking done by major US telecoms. In the meantime, if you prefer – please contact Apple for a refund. I hope you’ll consider purchasing DO again when the hijacking evasion is available.
And lastly, with T-Mobile in the US, I don’t have any hijacking. I just have nothing. I’m not going to pay when you say it doesn’t work just to test if it does actually work as you say it does not. It appears to me you have put the user’s config first in the server search list but did not (cannot) remove the DHCP/carrier config. So, any DNS lookup is blocked unless through a VPN tunnel. That block causes the OS to fall to the lower one, which is the carrier. My tests with my phone using my iMac:
gives address and server (my ISP)
turn on Personal Hotspot on phone and connect iMac to it.
give address and server (my phone’s private NAT IP (172.20.x.x). Now the fun:
nslookup dnsoverride.com 22.214.171.124
–> times out. Tells me that the traffic is just blocked because I’m in full control of my iMac’s network config (and can see there’s a NAT and expect the carrier to take over when it leaves the phone). Of course, hooked to my home’s ISP, the above command is fine (and quick)
I cannot prove that your app is or is not doing anything, of course.
I live in Indonesia. Using XL as mobile isp. And they are hijacking. So sad..
Sadly, some ISPs really do whatever they want…
But thank you guys for you app! Helping people to have simple tools to make their connected life more secure is something definitely important nowadays.
It seems like I’m getting this on Telus in Winnipeg, Canada.
AT&T confirmed! Unbelievable! I thought we were done nonsense.
Seems to work for Verizon Wireless (in United States) for me.
One way to by pass this would be to use dnscrypt-proxy but it needs real work. By the way, M1 in Singapore is not hijacking DNS.
Verizon in US uses DNS hijacking. Is there any way to override it?
The only way to override it would be to use a VPN.
We’re looking at possibility of switching to different port (ex. 5353 instead of 53). This will not be possible with most of the listed profiles. If iOS would allow changing the port for DNS, you could probably escape ISP DNS hijacking. You would still need a DNS server running on a non-standard port.
I’m seeing this behavior on AT&T in the United States
I’ll second that. I’ve been looking for a solution, and it’s what brought me to this page.