A question of DNS...

theboyfold

Original Poster:

Tuesday 22nd April 2014
So I am trying to use a DNS service where it appears as though I'm in either the UK or US when I'm not. As I am travelling to Brazil for work for most of the summer, I'd like to keep in touch with UK programmes etc. Whilst this is simple enough to do on a blanket level (all my traffic) what I'd like to do is just route certain traffic via my 'international' DNS servers and the rest via Open DNS.

Is it possible to do this on the computer, as I don't want to start buggering around with my router.

ViperDave

Tuesday 22nd April 2014
theboyfold said:
So I am trying to use a DNS service where it appears as though I'm in either the UK or US when I'm not. As I am travelling to Brazil for work for most of the summer, I'd like to keep in touch with UK programmes etc. Whilst this is simple enough to do on a blanket level (all my traffic) what I'd like to do is just route certain traffic via my 'international' DNS servers and the rest via Open DNS.

Is it possible to do this on the computer, as I don't want to start buggering around with my router.
Not sure what any of that has to do with DNS.

I think you're saying you need a VPN and/or proxy service. And if you want to route only some traffic to it, you may be able to bugger around with your local routing table to achieve this, but if you're getting DNS and proxies muddled up I doubt it. If it's just HTTP/S you can probably use the proxy bypass list in your browser if you are using the browser proxy setting to direct traffic to your proxy service.

theboyfold

Original Poster:

Tuesday 22nd April 2014
I think it is DNS. I'm currently testing this service: https://unlocator.com/

So when it's 'on' and I have my DNS set to the correct servers as per the setup, I can't make ITV Player work. However, with it off I can make ITV Player work. So what I would like to do would be to have a setup that says when using ITV.com/*** it uses these DNS servers, and when I use another site it uses my local DNS.

The service provider says "From then on you will automatically appear in the correct location needed to use the supported services.", however, as I've said, it doesn't seem to work with ITV Player.

Does that clear it up?

abbotsmike

Tuesday 22nd April 2014
Have a look at zenmate on chrome. What you are after is a VPN. DNS just maps what you type (for example www.google.com) with the IP address of the machine you want.

ViperDave

Tuesday 22nd April 2014
OK, I think what they are doing is getting you to set their service up as your DNS server, so when you request one of the sites such as TV stations, rather than the DNS server giving you the IP address of the real site they will give you the IP address of their proxy, therefore redirecting you to the site via their proxy, such that you appear where you need to be to use that service.

In theory all your other traffic would just be given the correct IP address of the site you requested and all traffic would go direct. You don't know that however, and there is nothing to stop them redirecting you through their proxy and doing whatever they like with your traffic while they have it, including terminating any secure sessions (HTTPS) you may think you have.

In short, no, there isn't much you can do to use one trusted DNS server for some traffic and another for the rest.


theboyfold

Original Poster:

Tuesday 22nd April 2014
Thanks, I'll have a look at that. It will be interesting to see if they have the bandwidth to handle services like Netflix and iPlayer.

ViperDave

Tuesday 22nd April 2014
Actually, now I think about it, if that is how they work, what you could do is: set up their DNS server, start a cmd box, ping the services you want and note down the IP address their server provides, now add that IP address to your hosts file for the service, then set your DNS back to a trusted one. All your normal stuff will go to the trusted DNS server, and the services you want to go to their proxy will be done via the hosts file and sent to their proxy.

Depends really how much you trust them vs your hotel ISP's DNS server, whether it's worth it.

bulldog5046

Tuesday 22nd April 2014
Blimey, took me a while to see what they were doing there. I blame studying all day.

Right, they are manipulating your DNS requests to proxy the traffic, it's actually a nicer way of doing it as far as the user is concerned IMO.

To 'only' do it for the addresses you want you should check the IP they resolve to via the proxy service and then modify your hosts file (c:/windows/system32/drivers/etc/hosts for Windows) to send only those domains there.

Roughly off the top of my head:

Open command prompt
Type nslookup
Type server 185.37.37.37
Type www.someservice.com
Copy the IP that is resolved, eg. 111.111.111.111
Open c:/windows/system32/drivers/etc/hosts in notepad
Add line at the bottom like: 111.111.111.111 www.someservice.com
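The procedure above (and ViperDave's point earlier that you cannot tell from the outside which names the service's resolver is actually redirecting) can be made mechanical. What follows is an added example written for this page, not code from the thread or from any service mentioned in it. It compares the A-record answers from a trusted resolver with those from the service's resolver, treats any name whose answer differs as one the service is steering to its own proxy, and pins only those names in the hosts file, dropping stale entries so an old pin cannot send traffic somewhere unexpected. The resolver answers, the sample hosts file and the `# pinned-by-example` tag are all constructed for the example (documentation-range addresses, not real service IPs); in practice the answers would be gathered with nslookup against each server, as the post describes.

```python
"""Pin only the names a DNS/proxy service redirects; leave everything
else to a trusted resolver, by editing the hosts file."""
import ipaddress
import re
from typing import Dict, Iterable, Mapping, Set

# Constructed sample data: answers from a trusted resolver and from the
# service's resolver for the same names. The addresses are documentation-
# range placeholders, not real service IPs.
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "www.someservice.com": {"192.0.2.10"},
    "www.bbc.co.uk": {"192.0.2.20", "192.0.2.21"},
    "www.example.com": {"192.0.2.30"},
}
SERVICE_ANSWERS: Dict[str, Set[str]] = {
    "www.someservice.com": {"198.51.100.5"},        # differs: sent to their proxy
    "www.bbc.co.uk": {"192.0.2.21", "192.0.2.20"},   # same set, different order
    "www.example.com": {"192.0.2.30"},               # identical
}

# Constructed sample hosts file, including a stale entry for a pinned name.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1 localhost
::1 localhost
192.0.2.99 www.someservice.com # stale entry from a previous trip
"""

PIN_TAG = "# pinned-by-example"  # hypothetical marker for lines this script adds
HOSTS_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?P<comment>#.*)?$")


def find_redirected(trusted: Mapping[str, Iterable[str]],
                    service: Mapping[str, Iterable[str]]) -> Dict[str, str]:
    """Names whose answer from the service differs from the trusted answer.

    Those are the names the service is steering to its proxy and the only
    ones worth pinning. Returns {name: ip}, choosing the lowest address if
    the service returns several. Names known to only one side are skipped:
    there is nothing to compare them against.
    """
    redirected: Dict[str, str] = {}
    for name in sorted(set(trusted) & set(service)):
        if set(trusted[name]) != set(service[name]):
            redirected[name.lower()] = min(service[name], key=ipaddress.ip_address)
    return redirected


def pin_hosts(hosts_text: str, pins: Mapping[str, str]) -> str:
    """Return hosts-file text with every name in `pins` mapped to its IP.

    Existing mappings for a pinned name are removed first, other lines are
    kept verbatim, and the new entries are appended with PIN_TAG so that
    unpin_hosts() can find them. Applying it twice gives the same text.
    """
    pins = {name.lower(): ip for name, ip in pins.items()}
    for ip in pins.values():
        ipaddress.ip_address(ip)  # raises ValueError for anything that is not an address
    kept = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            names = m.group("names").split()
            remaining = [n for n in names if n.lower() not in pins]
            if not remaining:
                continue  # the whole line was for pinned names: drop it
            if len(remaining) != len(names):
                comment = m.group("comment") or ""
                line = f"{m.group('ip')} {' '.join(remaining)}" + (f" {comment}" if comment else "")
        kept.append(line)
    for name in sorted(pins):
        kept.append(f"{pins[name]} {name} {PIN_TAG}")
    return "\n".join(kept) + "\n"


def unpin_hosts(hosts_text: str) -> str:
    """Remove every line this script added, going back to plain trusted DNS."""
    kept = [l for l in hosts_text.splitlines() if not l.rstrip().endswith(PIN_TAG)]
    return "\n".join(kept) + "\n"


def demo() -> str:
    """End to end: compare the two resolvers, then pin only the redirected names."""
    pins = find_redirected(TRUSTED_ANSWERS, SERVICE_ANSWERS)
    return pin_hosts(SAMPLE_HOSTS, pins)


if __name__ == "__main__":
    print(demo())
```

The comparison step doubles as the check a cautious user would run before trusting such a service at all: the list it produces is exactly the set of names the service intercepts, and anything on it that is not a TV site is a reason to walk away. The hosts file is read by the operating system, so on Windows the file needs to be written with administrator rights and the pinned address will go stale if the service moves its proxy.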

bulldog5046

Tuesday 22nd April 2014
Clearly way too slow typing on the ipad :P

ViperDave

Tuesday 22nd April 2014
bulldog5046 said:
Clearly way too slow typing on the ipad :P
But to be fair you gave more detailed instructions in fewer characters, hehe.

abbotsmike

Tuesday 22nd April 2014
theboyfold said:
Thanks, I'll have a look at that. It will be interesting to see if they have the bandwidth to handle services like Netflix and iPlayer.
Before they made you sign in, I may have used to be in America for the ABC website. Worked quite well.

147GTA

Wednesday 23rd April 2014
theboyfold said:
I think it is DNS. I'm currently testing this service: https://unlocator.com/

So when it's 'on' and I have my DNS set to the correct servers as per the setup, I can't make ITV Player work. However, with it off I can make ITV Player work. So what I would like to do would be to have a setup that says when using ITV.com/*** it uses these DNS servers, and when I use another site it uses my local DNS.

The service provider says "From then on you will automatically appear in the correct location needed to use the supported services.", however, as I've said, it doesn't seem to work with ITV Player.

Does that clear it up?
Unotelly is what I use; what you want works if you set up your account properly and use one of their Dynamo DNS servers.

ViperDave

Wednesday 23rd April 2014
The thing that you have to bear in mind with these services is their security, especially if they are tweaking your DNS.

DNS is the internet equivalent of the phone book for someone who has a 15 minute memory for numbers. If you get a copy from BT you can be pretty sure the numbers contained within it are the numbers of the person you want to call, so you can pick it up, look up the number for your bank, give them a call and tell them your security details and pay your bills. On the other hand, if you buy your phone book from that Nigerian bloke down the market who has a sideline in unclaimed estates and gold reserves, would you believe the number contained in the book for your bank? Would you know if the person who answers the phone is actually NatWest or just someone who said "hello, NatWest here, what's your password"?

If you want to gather data, a good way is a man-in-the-middle attack, where they can sit in the middle of the conversation having convinced the client they are talking to the secured service. It's like you phoning your bank and they answer, but then they call your bank and put the two handsets together to forward the conversation, all the while listening in. That's OK, isn't my conversation encrypted, I hear you cry. Well, the smart ones could set up the encryption between them and you and then another session between them and the destination service; everything on their server is unencrypted and subject to snooping. Smart users may notice the invalid certificates, some may just click OK, not really understanding; who reads Windows prompts these days anyway. Some of your data may even be in clear text anyway.

But how do they get in the middle of your conversation with the bank? Well, that's where DNS poisoning comes in from our first lesson. If they control the DNS they control who you talk to. You type in www.facebook.com and they can send you wherever they want; it wouldn't be hard to fake up a page that looks like Facebook and ask for your password, and it would even say www.facebook.com in the address bar. Same for your bank: ask you for three digits of your password, say it's wrong, ask for another three, then another where you're really careful to type in the right ones as it's your last go. They can pretty much do what they want with you. Their only problem is how to get control of your DNS service in the first place, as that's usually set by your ISP, which, unless you're on a dodgy fake public wifi in Starbucks, is usually trustworthy.

To do that they need a nice pot of honey (if they haven't already given you free wifi in SB), and wouldn't you know, there are a whole lot of people out there wanting to pretend they are where they are not in order to watch a bit of TV from another country. So set up a service to proxy the TV, do it via DNS tricks and proxies; the whole thing is using the exact same services they need to man-in-the-middle attack your data. Throw in a small charge for the service and they get some small change for the Xmas party too, with the added benefit of making the service look even more legit.

Sounds far fetched. Do I know this lot are dodgy? Haven't a clue, but I can tell you one thing: they are already showing dishonesty by providing a service to bypass region content control. It's not a debate on the ethics of that, but it's the first red flag. Also not saying you can't use such services and beat them at their own game, but the risks are there and they are VERY high. Give away the trust in DNS and you can't trust anything unless you are very, very careful.

If you want to use anything that redirects your traffic, be it a proxy, DNS/proxy, browser plugin, etc., for God's sake do it on a laptop used only for that, and if you use the same laptop for these things as your banking, email etc. then we will see you back here sometime; if you're lucky it's just a virus they sent you to, if you're not so lucky you may not be able to afford your ISP bill.

Edited by ViperDave on Wednesday 23 April 20:28

theboyfold

Original Poster:

Wednesday 23rd April 2014
ViperDave said:
The thing that you have to bear in mind with these services is their security, especially if they are tweaking your DNS.

DNS is the internet equivalent of the phone book for someone who has a 15 minute memory for numbers. If you get a copy from BT you can be pretty sure the numbers contained within it are the numbers of the person you want to call, so you can pick it up, look up the number for your bank, give them a call and tell them your security details and pay your bills. On the other hand, if you buy your phone book from that Nigerian bloke down the market who has a sideline in unclaimed estates and gold reserves, would you believe the number contained in the book for your bank? Would you know if the person who answers the phone is actually NatWest or just someone who said "hello, NatWest here, what's your password"?

If you want to gather data, a good way is a man-in-the-middle attack, where they can sit in the middle of the conversation having convinced the client they are talking to the secured service. It's like you phoning your bank and they answer, but then they call your bank and put the two handsets together to forward the conversation, all the while listening in. That's OK, isn't my conversation encrypted, I hear you cry. Well, the smart ones could set up the encryption between them and you and then another session between them and the destination service; everything on their server is unencrypted and subject to snooping. Smart users may notice the invalid certificates, some may just click OK, not really understanding; who reads Windows prompts these days anyway. Some of your data may even be in clear text anyway.

But how do they get in the middle of your conversation with the bank? Well, that's where DNS poisoning comes in from our first lesson. If they control the DNS they control who you talk to. You type in www.facebook.com and they can send you wherever they want; it wouldn't be hard to fake up a page that looks like Facebook and ask for your password, and it would even say www.facebook.com in the address bar. Same for your bank: ask you for three digits of your password, say it's wrong, ask for another three, then another where you're really careful to type in the right ones as it's your last go. They can pretty much do what they want with you. Their only problem is how to get control of your DNS service in the first place, as that's usually set by your ISP, which, unless you're on a dodgy fake public wifi in Starbucks, is usually trustworthy.

To do that they need a nice pot of honey (if they haven't already given you free wifi in SB), and wouldn't you know, there are a whole lot of people out there wanting to pretend they are where they are not in order to watch a bit of TV from another country. So set up a service to proxy the TV, do it via DNS tricks and proxies; the whole thing is using the exact same services they need to man-in-the-middle attack your data. Throw in a small charge for the service and they get some small change for the Xmas party too, with the added benefit of making the service look even more legit.

Sounds far fetched. Do I know this lot are dodgy? Haven't a clue, but I can tell you one thing: they are already showing dishonesty by providing a service to bypass region content control. It's not a debate on the ethics of that, but it's the first red flag. Also not saying you can't use such services and beat them at their own game, but the risks are there and they are VERY high. Give away the trust in DNS and you can't trust anything unless you are very, very careful.

If you want to use anything that redirects your traffic, be it a proxy, DNS/proxy, browser plugin, etc., for God's sake do it on a laptop used only for that, and if you use the same laptop for these things as your banking, email etc. then we will see you back here sometime; if you're lucky it's just a virus they sent you to, if you're not so lucky you may not be able to afford your ISP bill.

Edited by ViperDave on Wednesday 23 April 20:28
Very very interesting and has given me food for thought I have to say. Oddly, I've always used OpenDNS as my DNS server as I felt that they were 'safe', but given the flaws in OpenSSL of late I should question that as well.

I've answered my original question, but this post has given me one or two more to consider. Thanks for taking the effort to type that out, it's appreciated.

ViperDave

Wednesday 23rd April 2014
Sorry,

Do you have fast broadband at home? If so, set up a VPN server of your own: use a NAS, some Linux thing will probably do it as well, maybe your router too; there are a few options. Use noip or some other DDNS to give you a route back to your dynamic IP address from a far-off land, connect your client to your VPN and appear to the world to be sitting in your lounge watching BBC iPlayer. Needs decent upload bandwidth though.

Alternatively, look into what was suggested earlier with the hosts file. It's like your own private phone book: use a reputable DNS for everything but the addresses your DNS/proxy provides. Having said that, the DNS server above from their setup page seemed to be giving the correct IP for BBC.co.uk, so I'm still not 100% sure what their trick is, but then I didn't sign up or look too hard.

theboyfold

Original Poster:

Wednesday 23rd April 2014
It's about 60 down and 3 up (Virgin for some reason don't do good upload). I have thought about running a VPN server at home; I have a Mac Mini that I use for server-like activities and it's on all the time.

ViperDave

Wednesday 23rd April 2014
3 up is faster than a lot of people's down, particularly hotels, so it has legs; won't help you watch American stuff though.

Next though we will have to talk about the risks of exposing your home network to the internet. For what it's worth, my VPN server requires a certificate issued from my own certificate server before it will allow a connection! I have used it to watch video though and I have the same Virgin package as you.

Correction, I only have the 30/2 Mbps Virgin service.

Edited by ViperDave on Wednesday 23 April 22:22

theboyfold

Original Poster:

Wednesday 23rd April 2014
I'm just going about setting up OpenVPN on my Mini to try and get my head around it. Hopefully it won't be too tricky.

In terms of a DNS service, I guess the best route to go would be through my Apple TV, as that's all that it gets used for, nothing else but watching stuff.

ViperDave

Wednesday 23rd April 2014
theboyfold said:
Very very interesting and has given me food for thought I have to say. Oddly, I've always used OpenDNS as my DNS server as I felt that they were 'safe', but given the flaws in OpenSSL of late I should question that as well.

I've answered my original question, but this post has given me one or two more to consider. Thanks for taking the effort to type that out, it's appreciated.
Not sure I would be too worried about OpenDNS. I'll be honest and say I hadn't paid them much attention before today, but they look legit and about increasing security, by blocking DNS requests for known dodgy sites, not bypassing things. You have to take a deep breath and dive in at some stage. If you noticed my comment about free wifi in Starbucks earlier, then OpenDNS would help prevent someone getting the better of you that way. As for their link to Heartbleed and OpenSSL, never say never, but it's a completely different service, and all software has flaws, but I wouldn't sweat any connection.

PS I'm no internet security expert, I have just worked in IT long enough to always see the worst possible outcome as it's usually what happens. Like I said though, at some point you either need to jump in and hope for the best, or get out the roll of Bacofoil to make your new hat.

ViperDave

Wednesday 23rd April 2014
theboyfold said:
I'm just going about setting up OpenVPN on my Mini to try and get my head around it. Hopefully it won't be too tricky.

In terms of a DNS service, I guess the best route to go would be through my Apple TV, as that's all that it gets used for, nothing else but watching stuff.
Do you have someone at home to kick the Virgin Super Hub regularly when it crashes? Mine's on a time switch and gets a 5 minute power off every other day; works like a charm except when Virgin decide to do maintenance work on the network in the middle of when SWMBO is WFH.

It's also worth noting down your IP address, as if your Virgin is anything like mine, with the router more or less always on, my IP address hasn't changed in years. Came in handy when DynDNS decided they didn't want us freeloaders anymore and deleted my longstanding DDNS record while I was in the US. Fortunately I found an entry in the event logs on my laptop with the IP address and it was still valid.