Airtel hijacking NXDOMAIN queries

02-03-2013

Back in India after amazing APRICOT 2013 at Singapore. It was nice to stay in East Asia for a while and look around. :)

Anyways, issue for today - I have been using Airtel DNS servers from quite sometime since BSNL has crappy DNS while Google gives issues with Akamai while OpenDNS doesn’t has any node in India yet.

Today I noticed a NXDOMAIN redirection for a non-working domain and later investigated. It seems like Airtel is hijacking on NXDOMAIN queries now.

anurag@laptop:~$ dig bbbaaa.ccc.aaa a

; <<>> DiG 9.8.1-P1 <<>> bbbaaa.ccc.aaa a  
;; global options: +cmd  
;; Got answer:  
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 33337  
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:  
;bbbaaa.ccc.aaa. IN A

;; ANSWER SECTION:  
bbbaaa.ccc.aaa. 60 IN A **92.242.132.27**

;; Query time: 140 msec  
;; SERVER: 202.56.215.28#53(202.56.215.28)  
;; WHEN: Sat Mar 2 17:00:49 2013  
;; MSG SIZE rcvd: 48

Looking for routing to that IP:

anurag@laptop:~$ awhois 92.242.132.27  
AS | IP | BGP Prefix | CC | AS Name  
**45028** | 92.242.132.27 | 92.242.132.0/24 | GB | BAREFRUIT-AS Barefruit Ltd Autonomous System  
anurag@laptop:~$

Never heard of that network before but that server seems to be doing redirection to airtelforum.com

anurag@laptop:~$ dig -x 92.242.134.8 +short  
unallocated.barefruit.co.uk.  
anurag@laptop:~$

anurag@laptop:~$ dig **airtelforum.com.** a +short  
**92.242.134.8**  
anurag@laptop:~$

Strange! I can understand if Airtel is really hijacking queries and redirecting but then why they are running airtelforum.com on a network outside in Europe? Whois result for the domain seems OK type. Strange again that they are not using DNS servers of Airtel itself but of Direct i (set as via reseller)

While the website seems having a perfact Airtel reddish design with their logo as well.

Anyways time to switch back to Google DNS servers. :)