I was looking into setting up a Pi-hole over the last few weeks, which has involved me playing with DNS resolution on my local network. When trying to work my way through Sky’s various broadband configuration pages, I stumbled upon this thread, in which there are six pages worth of complaints regarding Sky ignoring DNS settings and using their own DNS configuration to resolve DNS queries instead. I was curious to see if this was really the case, and can confirm that Sky middleware is doing something to intercept and override local DNS settings. There is no way to configure this on the router, and I am not currently sure if this is happening locally or on a Sky server somewhere.
The telltale sign is that
dig +norecurse doesn’t work as you would expect. On my
VPS (DigitalOcean in Amsterdam), you can correctly query a nameserver for a non-existent
domain to confirm the absence of an A record:
feroz@thedailyaww:~$ dig +norecurse @22.214.171.124 this-domain-does-not-exist-1111.co.uk ; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> +norecurse @126.96.36.199 this-domain-does-not-exist-1111.co.uk ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34276 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: aa919ce56e0338eec970c4ca5cc5621b472ee04426a72104 (good) ;; QUESTION SECTION: ;this-domain-does-not-exist-1111.co.uk. IN A ;; AUTHORITY SECTION: co.uk. 10800 IN SOA dns1.nic.uk. hostmaster.nominet.org.uk. 1307859764 900 300 2419200 10800 ;; Query time: 7 msec ;; SERVER: 188.8.131.52#53(184.108.40.206) ;; WHEN: Sun Apr 28 09:19:39 BST 2019 ;; MSG SIZE rcvd: 162
On my home computer, the response returned is the list of .uk nameservers despite the fact that I’m querying one of the .uk nameservers already (note that the server I query is in the list of servers that the response suggests I should query):
G 9.10.3-P4-Ubuntu <<>> +norecurse @220.127.116.11 this-domain-does-not-exist-1111.co.uk ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37896 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 14 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;this-domain-does-not-exist-1111.co.uk. IN A ;; AUTHORITY SECTION: co.uk. 39319 IN NS nsb.nic.uk. co.uk. 39319 IN NS dns2.nic.uk. co.uk. 39319 IN NS dns4.nic.uk. co.uk. 39319 IN NS nsa.nic.uk. co.uk. 39319 IN NS nsc.nic.uk. co.uk. 39319 IN NS dns3.nic.uk. co.uk. 39319 IN NS nsd.nic.uk. co.uk. 39319 IN NS dns1.nic.uk. ;; ADDITIONAL SECTION: dns4.nic.uk. 132448 IN A 18.104.22.168 dns4.nic.uk. 166700 IN AAAA 2401:fd80:404::1 dns2.nic.uk. 116719 IN A 22.214.171.124 dns2.nic.uk. 166700 IN AAAA 2401:fd80:400::1 nsb.nic.uk. 166701 IN A 126.96.36.199 dns1.nic.uk. 100041 IN A 188.8.131.52 dns1.nic.uk. 116051 IN AAAA 2a01:618:400::1 nsd.nic.uk. 132448 IN A 184.108.40.206 dns3.nic.uk. 128761 IN A 220.127.116.11 dns3.nic.uk. 132448 IN AAAA 2a01:618:404::1 nsc.nic.uk. 132448 IN A 18.104.22.168 nsa.nic.uk. 102357 IN A 22.214.171.124 nsa.nic.uk. 166700 IN AAAA 2001:502:ad09::3 ;; Query time: 12 msec ;; SERVER: 126.96.36.199#53(188.8.131.52) ;; WHEN: Sun Apr 28 09:18:25 BST 2019 ;; MSG SIZE rcvd: 486
This result is probably due to the fact that whatever resolver is acting in the middle is just returning the response for the root of the zone rather than passing the request to the correct nameserver.
dig +trace of a non-existent TLD on my home computer will likewise recurse
incorrectly, looking up the same set of servers each time with the error
BAD (HORIZONTAL) REFERRAL,
dig stops with the message
too many lookups.
At the end of the thread on the Sky customer support forum (linked above), a customer support manager says that Sky has “identified the root cause and are working towards a permanent solution.” It’s a fairly vague message, but there is the implication that this behaviour was not Sky’s intention. This is probably a good thing, because their current model is clumsy, and probably breaks a number of custom setups. In the intervening period I suggest using DNS-over-HTTPS on Firefox or a VPN.