TalkTalk DNS Snooping / Hijacking?

    Posted on June 14, 2013 by in Everything Else

    A few days ago I was doing some security updates on my site, as I had seen a number of reports of a recent spate of hacks on WordPress sites, with the vulnerabilities coming not from the core WordPress code but from 3rd-party plugins which allowed the hackers to inject SQL code and gain admin access to the WordPress install.

    While checking the security plugin I was watching the live site traffic, where I could see there had been a number of failed attempts to gain access; however, what caught my eye was a fair number of visits from an IP address in Warrington. Not that interesting, you may think, but I noticed that all of its visits were logged just after visits from my IP address. To confirm my suspicions I attempted to load a page, http://jonbyrne.com/areyouwatchingbigbrother/, which obviously gave a 404 error; however, seconds later the Warrington IP address tried to load the same page.
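    The check described above (a second IP requesting the same pages seconds after the author's own visits, confirmed with a deliberately unique path that returns 404) can be automated against a web server access log. The script below is an added example, not code from this post or from any plugin it mentions; it parses constructed Common Log Format lines using RFC 5737 documentation-range IP addresses as placeholders and reports which IPs echo another visitor's requests within a short window. The window length and minimum number of echoed paths are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format). The IPs are documentation-range
# placeholders (RFC 5737): 198.51.100.7 plays the site owner, 203.0.113.42 the
# "follower", and 192.0.2.5 an unrelated visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Jun/2013:22:50:01 +0100] "GET /about/ HTTP/1.1" 200 5120
203.0.113.42 - - [14/Jun/2013:22:50:09 +0100] "GET /about/ HTTP/1.1" 200 5120
198.51.100.7 - - [14/Jun/2013:22:51:30 +0100] "GET /blog/post-1/ HTTP/1.1" 200 8110
192.0.2.5 - - [14/Jun/2013:22:51:44 +0100] "GET /blog/post-2/ HTTP/1.1" 200 7900
203.0.113.42 - - [14/Jun/2013:22:51:51 +0100] "GET /blog/post-1/ HTTP/1.1" 200 8110
198.51.100.7 - - [14/Jun/2013:22:53:31 +0100] "GET /areyouwatchingbigbrother/ HTTP/1.1" 404 210
203.0.113.42 - - [14/Jun/2013:22:53:39 +0100] "GET /areyouwatchingbigbrother/ HTTP/1.1" 404 210
192.0.2.5 - - [14/Jun/2013:22:55:02 +0100] "GET /about/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(log_text):
    """Parse CLF lines into (timestamp, ip, path, status) tuples sorted by time."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        records.append((ts, m.group("ip"), m.group("path"), int(m.group("status"))))
    records.sort(key=lambda r: r[0])
    return records


def find_followers(log_text, window_seconds=60):
    """Return {(leader_ip, follower_ip): [(path, delay_seconds), ...]} for every
    request that repeats a path a different IP asked for within the window."""
    records = parse_log(log_text)
    last_seen = defaultdict(dict)   # path -> {ip: timestamp of its last request}
    followers = defaultdict(list)
    for ts, ip, path, _status in records:
        for other_ip, other_ts in last_seen[path].items():
            if other_ip == ip:
                continue
            delay = (ts - other_ts).total_seconds()
            if 0 <= delay <= window_seconds:
                followers[(other_ip, ip)].append((path, int(delay)))
        last_seen[path][ip] = ts
    return dict(followers)


def rank_followers(log_text, window_seconds=60, min_paths=2):
    """Rank (leader, follower) pairs by the number of distinct paths echoed.
    Returns [((leader, follower), distinct_paths, max_delay_seconds), ...]."""
    ranked = []
    for pair, hits in find_followers(log_text, window_seconds).items():
        distinct = len({p for p, _ in hits})
        if distinct >= min_paths:
            ranked.append((pair, distinct, max(d for _, d in hits)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def canary_check(log_text, canary_path):
    """The post's own test: request a path nobody else knows about and see who
    asks for it afterwards. Returns (first_requester, [(ip, delay_seconds), ...])."""
    hits = [(ts, ip) for ts, ip, path, _ in parse_log(log_text) if path == canary_path]
    if not hits:
        return None, []
    first_ts, first_ip = hits[0]
    return first_ip, [(ip, int((ts - first_ts).total_seconds()))
                      for ts, ip in hits[1:] if ip != first_ip]


if __name__ == "__main__":
    for (leader, follower), paths, max_delay in rank_followers(SAMPLE_LOG):
        print(f"{follower} echoed {paths} paths first requested by {leader} "
              f"(max delay {max_delay}s)")
    first, echoes = canary_check(SAMPLE_LOG, "/areyouwatchingbigbrother/")
    print(f"canary first requested by {first}; echoed by {echoes}")
```

    Run it against a real log by replacing SAMPLE_LOG with the file contents; the canary check needs a path that only you have ever requested, which is why a made-up 404 URL works well. Note that a visitor who merely shares your interests will echo one or two popular pages, so the ranking counts distinct paths rather than raw hits.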

    Screenshot from 2013-06-14 22:53:31

    I took to Google and discovered that it was TalkTalk's HomeSafe security scanner checking the site out, which it does whenever an address is resolved through their DNS server. Now this may seem innocuous and possibly useful; however, I had not enabled TalkTalk HomeSafe on my account and do not use TalkTalk's DNS servers either, but use Google's Public DNS service.

    Screenshot from 2013-06-14 23:34:58

    It is apparent that TalkTalk hijack or snoop on all DNS lookups and then store them in order to crawl the site shortly after. I can see that this would be useful for their customers who wish to use the HomeSafe protection, but doing it for people who have not enabled it strikes me as collecting this data for other business uses.

    If you are a TalkTalk or other ISP customer and are worried about this, or just don't want them using this data without being clear and transparent, then I would recommend OpenDNS's DNSCrypt, which I have tested and it seems to stop the TalkTalk bot from following you around. Anyone using Fedora, I would recommend the install guide here.

    It would seem that this does not work, and they possibly do not use DNS hijacking / snooping as the only method of following you around. I will do some more investigation and keep this post updated.

    Screenshot from 2013-06-14 23:13:51

    I would be interested to hear if any other ISPs do the same.

    Thank You