Subversive DNS Testing

DNS Paranoia is a fake DNS server which allows you to debug DNS behavior and detect DNS interference.

Queries sent to @dnsp.co will be answered with debugging information rather than the correct IP address.




How to use:

DNS Paranoia is a nameserver, not a website - in order to access it you will need to use a DNS lookup utility. These utilities are command line programs that are provided by your operating system. On Windows, the default tool is "nslookup", on Mac or Linux you will want "dig" or "host".


The syntax for each of these utilities is slightly different - please pay attention to the appropriate examples for your system.


We will be using the "dig" syntax by default. If you like, you may download dig for Windows (alternatively, you can dig it out of the official BIND release).


Basic Test:

The bare-bones basic test will detect whether or not your DNS queries are being redirected away from your desired DNS server. In order to perform the test, query the dnsp.co nameserver for any domain name you want. For instance:


dig @dnsp.co www.example.org
nslookup www.example.org dnsp.co
host www.example.org dnsp.co

Notice the "dnsp.co" portion of the above commands. This is the part that tells your computer to talk to our test nameserver rather than your default nameserver - if you omit that part it won't be a valid test.


Whichever command you use, you will get text output that includes what IP address the dnsp.co nameserver thinks belongs to the domain name "www.example.org". With a normal nameserver, you would get the correct IP address here. With the dnsp.co nameserver, you will get a fixed response: either 123.45.67.89 (for IPv4) or 1111:2222:3333:4444:5555:6666:7777:8888 (for IPv6), or both.


If you get a different response it indicates that someone is interfering with your DNS traffic.


The use of "example.org" is just an example; you can substitute any domain name you suspect is being interfered with.


Additional Tests:

Other tests are accessed by requesting specific domain names. Syntax will vary - some of them will be aimed at the dnsp.co nameserver directly, others may pass through any other nameserver of your choice. Additionally, some will require you to set TCP mode in your DNS utility, specify an alternate port, or will work through a different program altogether. Visit the documentation page for each test to get a full description.


Interference Tests

Test: dig any domain @dnsp.co
Description: Resolving any name via the nameserver at dnsp.co will return a fixed response: 123.45.67.89. If this doesn't appear, someone has altered it.
Documentation: more about resolver

Test: x.x.x.x.spec.dnsp.co
Description: Returns a specific IP address. For instance, if you ask for "240.10.11.12.spec.dnsp.co" you will get the result "240.10.11.12". Can be used if you suspect a specific IP address is being altered in transit.
Documentation: more about spec

Test: alternate ports
Description: DNS usually works over UDP/53. We are also running our resolver on UDP/10053 so you can check for different responses.
Documentation: more about alternate ports

Test: nx.dnsp.co, <any string here>.nx.dnsp.co
Description: nx.dnsp.co and *.nx.dnsp.co return NXDOMAIN. Use this to test whether your ISP is serving overloaded NXDOMAIN landing pages for keyword-based advertising.
Documentation: more about nx

Test: fail.dnsp.co
Description: fail.dnsp.co is NOT a nameserver. If you get a response from it, someone is intercepting and answering on its behalf.
Documentation: more about fail
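As an added example that is not part of the DNS Paranoia page, the following POSIX shell script runs the Basic Test from above together with the spec and nx tests listed here and judges each answer against the fixed responses the page documents. It assumes dig is installed; the judge_* function names, the probe.nx.dnsp.co label and the sample values are my own assumptions, not part of the service.

```shell
#!/bin/sh
# Added example, not code from the DNS Paranoia page: run the Basic Test
# and the spec and nx interference tests against dnsp.co, then judge the
# answers against the fixed responses the page documents. Assumes "dig" is
# installed; the judge_* functions (names are mine) take dig output as text.

EXPECTED_V4="123.45.67.89"
EXPECTED_V6="1111:2222:3333:4444:5555:6666:7777:8888"

# judge_fixed ANSWERS: ANSWERS is "dig +short" output for any name asked
# of @dnsp.co. Every line must be one of the two documented fixed answers.
judge_fixed() {
  case $1 in
    "") echo "INTERFERENCE: empty answer"; return 1 ;;
    *"timed out"*) echo "NO ANSWER: query timed out or was dropped"; return 1 ;;
  esac
  for a in $1; do
    case $a in
      "$EXPECTED_V4"|"$EXPECTED_V6") ;;
      *) echo "INTERFERENCE: got $a instead of the fixed answer"; return 1 ;;
    esac
  done
  echo "OK: fixed answer received"
}

# judge_spec NAME ANSWER: NAME is w.x.y.z.spec.dnsp.co; ANSWER must be w.x.y.z.
judge_spec() {
  want=${1%.spec.dnsp.co}
  if [ "$2" = "$want" ]; then echo "OK: $want echoed back"; return 0; fi
  echo "INTERFERENCE: asked for $want, got ${2:-nothing}"; return 1
}

# judge_nx OUTPUT: OUTPUT is full dig output (header comments included) for a
# name under nx.dnsp.co; any status other than NXDOMAIN means a substituted answer.
judge_nx() {
  case $1 in *"status: NXDOMAIN"*) echo "OK: NXDOMAIN returned"; return 0 ;; esac
  got=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  echo "INTERFERENCE: expected NXDOMAIN, got status ${got:-unknown}"; return 1
}

if [ "${1:-}" = "--live" ]; then
  judge_fixed "$(dig +short +time=3 @dnsp.co www.example.org A)"
  judge_fixed "$(dig +short +time=3 @dnsp.co www.example.org AAAA)"
  judge_spec 240.10.11.12.spec.dnsp.co \
    "$(dig +short +time=3 @dnsp.co 240.10.11.12.spec.dnsp.co A)"
  judge_nx "$(dig +noall +comments +answer +time=3 @dnsp.co probe.nx.dnsp.co A)"
fi
```

Run it with --live to query dnsp.co over the network; without the flag it only defines the judge functions, so they can be applied to dig output captured earlier.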

Reconnaissance Tests

Test: reflect.dnsp.co
Description: "reflect.dnsp.co" will always return the IP address that made the request. If you ask it directly, it should be your IP address. If you ask it via another nameserver, you will see the IP address of that machine instead.
Documentation: more about reflect

Test: raw.dnsp.co
Description: Sending a TXT request to raw.dnsp.co will return the raw bytes of the request (converted to hex) as a TXT record.
Documentation: more about raw

Test: <any string here>.log.dnsp.co
Description: Requests to any subdomain under *.log.dnsp.co will return a list of all the IP addresses that have asked to look up that same subdomain in the past. Note: logs in all cases, but only returns results via TCP.
Documentation: more about log

Caching Tests

Test: increment.dnsp.co
Description: Check it a few times. It should always be rising (until it wraps over from 255.255.255.255 → 0.0.0.0). Isn't rising? Something must be cached along the way.
Documentation: more about increment

Test: loopback.dnsp.co
Description: Loopback returns a time-based CNAME, which in turn resolves to localhost. This allows "ping" to quickly determine if a system is getting fresh DNS results.
Documentation: more about loopback

Test: time.dnsp.co, time12.dnsp.co, date.dnsp.co
Description: Time returns the time of day (in the server's timezone) that the request was made, in 24 hour notation. (Also: time12.dnsp.co for 12 hour notation, date.dnsp.co for the date in yy.mm.dd.hh format.)
Documentation: more about time

Test: random.dnsp.co
Description: Returns a random IP address for each request. If you get the same answer back to back, some device in between is caching.
Documentation: more about random

Test: rndname.dnsp.co
Description: Returns a randomized CNAME record.
Documentation: more about rndname

Miscellaneous

Test: x.count.dnsp.co
Description: Returns a specified number of results. A maximum of 255 IP addresses will be returned, but DNS size limitations may creep in. Note: only available over TCP.
Documentation: more about count