Security

Journal Shadowlore's Journal: Sprint Fooling With DNS Queries

Sprint is doing something odd with DNS queries. More than odd, it's disturbing.

Anyone using Sprint's Wireless Network card, try this experiment. Open a terminal and do a host lookup on slashdot.org. Tell host or nslookup to use a non-public IP, or an IP you know is not running DNS. Use the verbose output. You'll find that the server you indicated "responded" with information.

For example, on OSX or Linux do this:
host -v slashdot.org 192.0.0.1

You get back a DNS record - allegedly from 192.0.0.1. Try any other server. Same result. For example, try using slashdot's mx record.

Now this is disturbing. This can't be an accident. Caching DNS is one thing, and is perfectly legitimate (I run Enterprise Postfix servers, we run DNS caching). But this, this is different. They are faking a query.

Why? Why am I not allowed to query other DNS servers, and why must they insist on giving me the information they want to give me instead of the real information? If they don't want us to do DNS then they need to block it, not break the rules by pretending to allow the query, and fraudulently claiming to be the remote server. Who are they really querying? Do we not have the right to query DNS servers of our choice, or at least know when we are?

Are they doing this with other networks they have? What other services are they currently or planning to do this with? I considered putting this in the "YRO" department, but Security seems just as relevant.

I'd like for anyone else on their network to try this out and report the results. Makes me wonder who else may be doing this.
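The experiment above can be scripted so it is easy to repeat on other networks. This is an added example, not part of the original journal entry: it sends a plain DNS query to addresses that should not be running DNS and reports any that answer anyway. The function names and the second probe address (192.0.2.53, in the TEST-NET-1 documentation range) are assumptions made for the example.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Return (txid, packet): one recursive query for `name`, type A by default."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(packet):
    """Decode the fixed 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def probe(server, name="slashdot.org", port=53, timeout=3.0):
    """Send one query to `server`. Return the reply header, or None on silence."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            while True:
                data, peer = sock.recvfrom(4096)
                if len(data) < 12:
                    continue
                hdr = parse_header(data)
                if hdr["is_response"] and hdr["txid"] == txid:
                    hdr["peer"] = peer[0]  # address the reply claims to come from
                    return hdr
        except OSError:  # timeout or unreachable: nobody answered
            return None

def find_interception(servers, name="slashdot.org", port=53, timeout=3.0):
    """Return {address: reply header} for every non-resolver that still answered."""
    hits = {}
    for server in servers:
        hdr = probe(server, name, port, timeout)
        if hdr is not None:
            hits[server] = hdr
    return hits

if __name__ == "__main__":
    # 192.0.0.1 is the address used in the post; 192.0.2.53 is an assumed extra
    # probe in TEST-NET-1 (RFC 5737), where no real DNS server can exist.
    for addr, hdr in find_interception(["192.0.0.1", "192.0.2.53"]).items():
        print(f"{addr} answered: rcode={hdr['rcode']} answers={hdr['answers']} from {hdr['peer']}")
```

On a network that leaves port 53 alone, every probe times out and nothing is printed; any line of output means something on the path answered in place of the address that was queried.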
