Fingertip Status: DNS Interference Test #19

Open
dotdwebo opened this issue Mar 3, 2022 · 6 comments

dotdwebo commented Mar 3, 2022

I've installed fingertip on Ubuntu 20.04 LTS and followed the instructions based on manual setup. When I tried to check the status, it showed an error. (DNS Interference Test: Failed)

Error: "Your network appears to intercept and redirect outgoing DNS requests"

Additional info: I used Mozilla Browser

buffrr commented Mar 3, 2022

Oh I see, are you using a VPN? As the test says, it seems that your network is intercepting DNS queries. On some networks it's not possible to reliably run a recursive DNS resolver.

dotdwebo commented Mar 3, 2022

I didn't use a VPN.
The websites I visit have the error message:

**502 Bad Gateway**

**dns lookup failed (rcode: servfail).**

buffrr commented Mar 6, 2022

> dns lookup failed (rcode: servfail).

Yeah, that's the recursive resolver giving a SERVFAIL answer (it likely couldn't verify the response because something in your network is interfering with port 53).

Let's confirm that and try a few things:

  1. Can you show the dig output for this query?

```
dig @a0.org.afilias-nst.info isc.org A
```

Notice here we're trying to ask the servers authoritative over the .org TLD about isc.org, but they're not authoritative over the isc.org zone. If the response is an A record, it means your router/ISP or something else is intercepting all requests over port 53 and redirecting them to their own DNS servers. Unfortunately this won't work with a recursive resolver because it needs to reach authoritative servers.

Example of a bad response:

```
$ dig @a0.org.afilias-nst.info isc.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49530
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                228     IN      A       149.20.1.66
```

If your network is not messing with port 53, it should look like a proper referral (notice Answer count is zero and authority section has NS records):

```
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;isc.org.                       IN      A

;; AUTHORITY SECTION:
isc.org.                86400   IN      NS      ns2.isc.org.
isc.org.                86400   IN      NS      ns3.isc.org.
isc.org.                86400   IN      NS      ns1.isc.org.
isc.org.                86400   IN      NS      ns.isc.afilias-nst.info.

;; ADDITIONAL SECTION:
ns1.isc.org.            86400   IN      AAAA    2001:4f8:1:f::73
ns2.isc.org.            86400   IN      AAAA    2001:500:60:d::52
ns1.isc.org.            86400   IN      A       149.20.1.73
ns2.isc.org.            86400   IN      A       199.6.1.52
ns3.isc.org.            86400   IN      A       51.75.79.143
```

  2. Can you try connecting to a different Wi-Fi network to see if the test passes? I don't know where you live, but if it's the same ISP it will probably fail again. (If it doesn't, maybe it's just your router doing something weird, but that's easier to fix than switching ISPs.)
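
Added example (not part of the thread and not Fingertip's own code): a shell function that applies the referral-versus-answer check described in the comment above to `dig` output. The names `classify_dig`, `sample_bad`, `sample_good` and `sample_stripped` are hypothetical, and treating the `ra` flag as a sign of interception is an added heuristic that goes beyond what the comment states.

```shell
#!/bin/sh
# Added example: classify `dig` output for the test query from this thread.
# Usage on a live network: dig @a0.org.afilias-nst.info isc.org A | classify_dig

classify_dig() {
    awk '
    # Pull "LABEL: N" out of the counts part of the flags line; -1 if absent.
    function count(s, label) {
        if (!match(s, label ": [0-9]+")) return -1
        return substr(s, RSTART + length(label) + 2) + 0
    }
    /^;; flags:/ {
        seen = 1
        split($0, part, ";")                     # part[3] = flags, part[4] = counts
        n = split(part[3], f, " ")
        for (i = 2; i <= n; i++) flag[f[i]] = 1  # f[1] is the word "flags:"
        answer = count(part[4], "ANSWER")
        authority = count(part[4], "AUTHORITY")
    }
    END {
        # Answer data from a TLD server that is not authoritative for the name
        # means something else replied. The ra check is an added heuristic.
        if (!seen) v = "inconclusive"
        else if ((answer > 0 && !("aa" in flag)) || ("ra" in flag)) v = "intercepted"
        else if (answer == 0 && authority > 0 && !("aa" in flag)) v = "referral"
        else v = "inconclusive"
        print v
    }'
}

# Flags lines copied from the two dig outputs quoted in the thread.
sample_bad()  { printf '%s\n' ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'; }
sample_good() { printf '%s\n' ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 6'; }
# Constructed sample: an answer is returned but the ra bit has been cleared.
sample_stripped() { printf '%s\n' ';; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'; }

for s in sample_bad sample_good sample_stripped; do
    printf '%s: %s\n' "$s" "$($s | classify_dig)"
done
```
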

dotdwebo commented Mar 8, 2022

Thank you for your clear explanation, @buffrr.
My friend and I will try to recheck the settings, the alternative ISP, and the router settings.
Maybe I won't be able to report the result soon (I got Covid).

But overall, I thank you very much for your help.

buffrr commented Mar 8, 2022

You're welcome :) Fingertip appears to be essentially censored by your internet provider, well, not intentionally at least, but we should have some fallback mechanism.

@dotdwebo

> You're welcome :) Fingertip appears to be essentially censored by your internet provider well not intentionally at least but we should have some fallback mechanism.

I imagine: what if someday all internet providers intercept and redirect outgoing DNS requests? Is there any manual solution for that worst-case scenario?
