Local network DNS Hijacking detection


shoulders

Member
Apr 12, 2026
Hi

Background

On my local network I run pfSense as my router and I force all DNS requests through it via a technique called DNS Hijacking. I then send all requests to Quad9 through DoT on port 853.

These are the rules
  • All traffic to port 53 on the router = Allow
  • All traffic on port 53 not to the router = Block
  • All traffic to port 853 on the router = Allow
  • All traffic on port 853 not to the router = Block
NB:
  • The block rules can probably be changed to redirects, certainly for port 53, but might cause certificate issues for traffic on port 853
  • DoH is handled by a custom DNSBL (blocklist) which has a large list of domains, but by its nature will not have all of the DNS servers listed.
The Question

Can DNS Benchmark be used to detect if my router is correctly hijacking my local network's DNS?

Results could be broken down for the different technologies.
  • DNS (basic) = Hijacked
  • DoT = not-Hijacked
  • DoH = Hijacked
As a thought, it might require a fake domain (that does not exist in the real world) that can be used for testing. Either you get a result or an NXDOMAIN response.

If not already implemented, maybe this is a feature that other people will find useful to see if their firewall rules are working as expected.

Thanks

shoulders
 
Can DNS Benchmark be used to detect if my router is correctly hijacking my local networks DNS?
My router (based on OpenWRT) has a similar feature that can force redirect all UDP (i.e. unencrypted) DNS queries to the server of my choice (interesting that we both chose Quad9 for this purpose ;) ). When I run the DNSB it starts to look right, but then all the queries go red. So it does detect the "issue", it just doesn't specifically call it out as an issue. This is probably enough for you, I'd wager.

(Note: My router doesn't try to detect or mess with HTTPS traffic though, as that would require more oomph from the router to allow it to man-in-the-middle my network, and I wouldn't be willing to load the necessary certificates on my devices anyway.)
 
GRC DNSBench will pass or fail, but will not analyze or report the reason for either.

Run it and see the reports in Tabular Data and the CSV, and you tell us what you find.

For those of us doing custom stuff, we may run DNSBench on pre-custom 'standard' first, then compare to the DNSBench run on our custom settings, which may or may not pass DNSBench's 'standard' testing.
 
@PHolder you need to block all requests (53, DoT, DoH) not going to your router otherwise DNS hijacking is pointless. DoH does require blocklists but this is the only way to do this. A lot of IoT kit uses DoH, especially Google stuff. You can probably redirect 53 DNS with no issue. I prefer to drop these requests because they are using hardcoded DNS servers.

@peterblaise I feel this is a useful feature that can be added, i.e. add a random non-existent domain to your router's internal hosts file, then run DNSB which can then run these tests and compare the results so it can inform the user if DNS hijacking is working.
  • Setup on DNSB
    • specify router IP
    • specify external DNS provider (IP, DoT, DoH)
    • specify the domain you have added to your router's host file
  • Send DNS request direct to the router
    • 53
    • 853/DoT
    • DoH
  • Send DNS to an external DNS provider
    • 53
    • 853/DoT
    • DoH
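The procedure shoulders lays out above (a canary name that exists only in the router's host file, probed on 53 and 853 both at the router and at an outside resolver, then compared) written out as an added example. This is not DNS Benchmark's code and not the thread's PHP inspector. The canary name and its address, the router's LAN address, Quad9 as the outside resolver and dns.quad9.net as the name on its certificate are all assumptions; the DNS encoding, parsing and the DoT framing are done with the standard library only. It also covers the caveat raised about redirecting 853: a TLS name mismatch is reported as a redirect, not as a leak. DoH is not probed.

```python
import secrets
import socket
import ssl
import struct

# Assumptions, not from the thread: a host override on the router for CANARY that
# answers CANARY_IP, the router's LAN address, Quad9 as the outside resolver.
CANARY = "hijack-canary.lan"
CANARY_IP = "10.0.0.1"
ROUTER = "192.168.1.1"
EXTERNAL = "9.9.9.9"
DOT_HOST = "dns.quad9.net"  # name on Quad9's TLS certificate

def build_query(name, qid):
    """Encode a minimal recursive A query: RD=1, one question, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Advance past a wire-format name; a compression pointer ends the name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(data, qid):
    """Return (status, A records); status is 'noerror', 'nxdomain' or 'rcode:N'."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (reply not for our query)")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen  # CNAME and other types are skipped, not decoded
    rcode = flags & 0xF
    return {0: "noerror", 3: "nxdomain"}.get(rcode, f"rcode:{rcode}"), addrs

def classify(role, status, addrs=()):
    """Turn one probe outcome into a verdict; role is 'router' or 'external'."""
    if role == "router":
        if status == "noerror" and CANARY_IP in addrs:
            return "OK: router serves the canary"
        return "FAIL: router did not answer the canary"
    if status in ("timeout", "refused"):
        return "BLOCKED: drop rule is working"
    if status == "cert-mismatch":
        return "REDIRECTED: 853 lands on the router (TLS name mismatch, expected)"
    if status == "noerror" and CANARY_IP in addrs:
        return "REDIRECTED: answer came from the router"
    return "LEAK: query reached an outside resolver"

def probe_udp(server, name, timeout=3.0):
    """Plain DNS on UDP/53. A connected socket lets ICMP unreachable surface."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))
        try:
            s.send(build_query(name, qid))
            data = s.recv(512)
        except socket.timeout:
            return "timeout", []
        except ConnectionRefusedError:
            return "refused", []
    return parse_response(data, qid)

def probe_dot(server, name, sni, timeout=3.0):
    """DNS over TLS (RFC 7858): two-byte length prefix inside TLS on TCP/853."""
    qid = secrets.randbelow(65536)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            q = build_query(name, qid)
            tls.sendall(struct.pack(">H", len(q)) + q)
            (length,) = struct.unpack(">H", tls.recv(2))
            data = b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("short read")
                data += chunk
    except ssl.SSLCertVerificationError:
        return "cert-mismatch", []
    except (socket.timeout, ConnectionError) as e:  # refused, reset, short read
        return ("timeout" if isinstance(e, socket.timeout) else "refused"), []
    return parse_response(data, qid)

if __name__ == "__main__":
    print("53  -> router  :", classify("router", *probe_udp(ROUTER, CANARY)))
    print("53  -> external:", classify("external", *probe_udp(EXTERNAL, CANARY)))
    print("853 -> external:", classify("external", *probe_dot(EXTERNAL, CANARY, DOT_HOST)))
```

Run it from a LAN host after setting the constants. The verdict for each external probe is the thing to read: BLOCKED means the drop rule matched, REDIRECTED means the query was answered by the router even though it was addressed to 9.9.9.9 (for 853 this shows up as a certificate name mismatch, which is exactly the problem noted for redirecting DoT), and LEAK means the canary was looked up by a real outside resolver. The transaction-id check in parse_response is there so that a stray or forged reply is not mistaken for an answer.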
 
@PHolder you need to block all requests (53, DoT, DoH) not going to your router otherwise DNS hijacking is pointless.
You have a strange view of pointless, IMHO. I don't want INSECURE DNS going out to the public internet. My setup achieves this exactly as intended. (The router uses DoH to Quad9 and redirects any attempt to use insecure UDP to itself.) I don't care to overrule devices on my network that are properly configured to use DoH. (I don't think I have (nor want) anything using DoT.)
 
Malware has been known to use its own DoH libraries, completely bypassing a router's DNS configuration; it is not just IoT that uses DoH.
 
@peterblaise I feel this is a useful feature that can be added, i.e. add a random non-existent domain to your router's internal hosts file, then run DNSB which can then run these tests and compare the results so it can inform the user if DNS hijacking is working.
DNSB does do something like this already, but the problem is that the random non-existent domain it uses is just that, random and unpredictable until DNSB runs. That is how Steve tests response times right back to the authoritative DNS server. What you need is for DNSB to display the random domain that it will test before it does so.
 
Malware has been known to use their own DoH libraries
There would be no reason for such a library to advertise what it is up to, and could put their chosen server (or a proxy to one) on any port they choose, so you have to block everything and then figure out what to whitelist. That might be an approach for someone who is worried about their network being compromised by someone else, but I am not worried I will compromise my own network.
 
I could not find any "Forum Rules". Am I allowed to post my own links here?

I have made a PHP script that can test for DNS Hijacking on your local network.

The purpose of posting here would not be self promotion, but rather to show a feature that could be added to DNS Benchmark.
 
If we're not posting a link to something we are offering to sell, then it's not self promotion, per se.

Here, we share scripts, batch files, command lines, and entire assembled and compiled programs, and source code, all the time.

We just don't redirect to our own web page of things to sell.

Yes, there are several tools that can help test for DNS hijacking on your local network. Here are a few options, ranging from simple command-line tests to more dedicated applications:

1. Command-Line Tests (Simple & Quick)

You can use standard command-line tools like dig or host to perform basic checks. The idea is to query a DNS server you trust (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) and compare the results to what you get from your local network's configured DNS resolver.

  • dig command example:
    dig +short on.quad9.net @9.9.9.9

    If your DNS is not hijacked, you should see "on.quad9.net has address 216.21.3.77" or similar. If it's hijacked, you might get an alias like "on.quad9.net is an alias for no.quad9.net" [community.ipfire.org].
  • host command example:
    host on.quad9.net 9.9.9.9

    Similar to dig, look for the direct address "on.quad9.net has address a.b.c.d" rather than an alias [community.ipfire.org].
  • Testing for NXDOMAIN hijacking (non-existent domains):
    Some ISPs redirect requests for non-existent domains to their own search pages. You can test this by querying a domain that doesn't exist:
    dig +short ch txt id.server. @9.9.9.9

    If this returns an empty answer, it could indicate DNS hijacking [community.ipfire.org].

2. DNS Paranoia

DNS Paranoia is a fake DNS server that lets you debug DNS behavior and detect interference. You send queries to @dnsp.co, and it responds with debugging information instead of an actual IP address.

  • Basic Test: You query dnsp.co for any domain (e.g., www.example.org). If you get 123.45.67.89 (for IPv4) or 1111:2222:3333:4444:5555:6666:7777:8888 (for IPv6), your DNS is likely clean. If you get a different IP, it suggests interference [dnsparanoia.com].
    dig @dnsp.co www.example.org

  • They also offer tests for specific IP alteration, alternate ports, NXDOMAIN hijacking, and more [dnsparanoia.com].

3. DNS Polygraph

DNS Polygraph is a Windows-based tool developed in C# that automatically compares your local DNS responses with trusted responses from DoH (DNS over HTTPS) services like Google or Cloudflare.

  • It captures all DNS responses from your resolver and performs a parallel request over HTTPS to a trusted source.
  • It then compares the two responses, highlighting discrepancies with different colors based on the level of "unrelatedness" found (e.g., different /16 or /24 networks).
  • It can detect specific attack patterns, such as a private IP response for a public domain (potential local DNS spoofing) or responses for non-existent domains that should be NXDOMAIN (ISP redirection) [shelliscoming.com].

4. DNSDiag

DNSDiag is a Python toolset for DNS measurement, troubleshooting, and security auditing. It includes utilities like dnsping and dnstraceroute.

  • dnsping: Measures the response time of DNS servers and can be used to compare responses across different protocols (UDP, TCP, TLS, DoH, QUIC, HTTP/3).
  • dnstraceroute: Traces the path of your DNS requests, which can be compared to a network traceroute to see if your DNS traffic is being rerouted. It even has an --expert flag that displays hints about potential hijacking [dnsdiag.org].

Why DNS hijacking happens:

DNS hijacking can occur for various reasons, from malicious attacks (like local network compromises or malware changing your DNS settings) to legitimate but sometimes unwelcome practices by ISPs (like redirecting non-existent domains to ad pages or intercepting DNS for monitoring) [community.ipfire.org].

If you find that your DNS is being hijacked, consider configuring your devices or router to use DNS over TLS (DoT) or DNS over HTTPS (DoH) to a trusted public resolver (like Quad9, Cloudflare, or Google), which encrypts your DNS queries and prevents tampering [community.ipfire.org].
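The comparison DNS Polygraph is described as doing (local resolver's answer against a trusted DoH resolver's answer, flagging an RFC 1918 address for a public name, an NXDOMAIN that came back as an answer, and answers from unrelated networks) written as a small classifier. This is an added example, not DNS Polygraph's code. The answers are constructed inline from the RFC 5737 documentation ranges so it runs offline; the thresholds (shared /24 is fine, shared /16 only is a warning, less is an alert) are assumptions in the spirit of the description, not the tool's actual rules.

```python
import ipaddress

# Constructed sample data, not captured from any network: what the LAN's resolver
# returned and what a trusted DoH resolver returned for the same names.
LOCAL = {
    "www.example.com":     ("noerror",  ["192.0.2.10"]),
    "cdn.example.net":     ("noerror",  ["198.51.100.7"]),
    "login.example.org":   ("noerror",  ["192.168.1.1"]),     # RFC 1918 for a public name
    "nope.does-not-exist": ("noerror",  ["203.0.113.9"]),     # should have been NXDOMAIN
    "mirror.example.edu":  ("noerror",  ["198.51.100.7"]),
}
TRUSTED = {
    "www.example.com":     ("noerror",  ["192.0.2.10"]),
    "cdn.example.net":     ("noerror",  ["198.51.100.200"]),
    "login.example.org":   ("noerror",  ["203.0.113.20"]),
    "nope.does-not-exist": ("nxdomain", []),
    "mirror.example.edu":  ("noerror",  ["192.0.2.7"]),
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for RFC 1918 space only. Deliberately not ipaddress.is_private, which
    also returns True for the RFC 5737 documentation ranges used in the samples."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def shared_prefix(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def compare(local, trusted):
    """Grade one name. Returns (severity, reason); severity is 'ok', 'warn' or 'alert'."""
    lstatus, laddrs = local
    tstatus, taddrs = trusted
    if tstatus == "nxdomain" and lstatus == "noerror" and laddrs:
        return "alert", f"NXDOMAIN rewritten to {laddrs[0]} (redirect/search page)"
    private = [a for a in laddrs if is_rfc1918(a)]
    if private and not any(is_rfc1918(t) for t in taddrs):
        return "alert", f"RFC 1918 address {private[0]} for a public name (local spoofing)"
    if lstatus != tstatus:
        return "warn", f"status differs: local={lstatus} trusted={tstatus}"
    if lstatus != "noerror":
        return "ok", f"both {lstatus}"
    if set(laddrs) & set(taddrs):
        return "ok", "identical answer"
    bits = max((shared_prefix(l, t) for l in laddrs for t in taddrs), default=0)
    if bits >= 24:
        return "ok", "same /24 (CDN rotation)"
    if bits >= 16:
        return "warn", "same /16 only"
    return "alert", f"unrelated networks ({bits} shared bits)"

def audit(local=LOCAL, trusted=TRUSTED):
    """Compare every name present in both answer sets."""
    return {name: compare(local[name], trusted[name]) for name in local if name in trusted}

if __name__ == "__main__":
    for name, (sev, why) in audit().items():
        print(f"{sev:5} {name:22} {why}")
```

The RFC 1918 test is written out by hand because Python's ipaddress.is_private also counts the documentation ranges as private, which would make every sample above look spoofed. The prefix-length grading is what turns CDN rotation (same /24, different host) into a non-event while still flagging an answer that points somewhere else entirely.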
 
Because of the comment in the read.me file "get these Hijacking tests added in to the DNS Benchmark utility" I'll add:
- typos:
- "This is and issue ..." should be "This is an issue ..."
- [LF] probably should be [CR][LF] so the Read.me opens in Windows Notepad and displays readably, though it opens in WordPad OK.

GRC DNSBench is a speed test that also tests whether a DNS server exists at all, and it tests via industry-standard behavior, intended for mainstream, typical Internet use via Windows.

As far as I can deduce, your dns-hijacking-inspector program is not a simple test from a user's screen designed to reveal if their DNS is being hijacked, right?

For example, if I, as a user, run dns-hijacking-inspector from my PC, as a user of a Comcast Business Router 2 by Technicolor that has Security Edge, will it pass / fail or report specific hijacking?

The Comcast Business Router 2 (often the Technicolor CGA4234COM, also known as the Business Wireless Gateway) uses a combination of built-in hardware security, Wi-Fi encryption protocols, and optional cloud-based services to protect business networks. [1]

Key security features include:
  • Comcast Business SecurityEdge™: This is the primary security feature, which is a cloud-based solution that automatically scans and blocks threats like malware, ransomware, phishing, and botnet attacks for all connected devices.
    • Threat Intelligence: SecurityEdge updates its database every 5 minutes to protect against new threats.
    • DNS-based Filtering: Blocks access to malicious websites and provides web filtering capabilities.
  • Wi-Fi Security: The router supports WPA2-PSK (AES) and WPA2-Enterprise encryption for securing wireless traffic.
  • Firewall Protection: It includes a built-in stateful firewall to monitor and control network traffic.
  • Networking Security Tools: Features include MAC address filtering (allowing only specified devices on the network) and the capability to create a dedicated guest network.
  • Advanced Security (Optional): Comcast offers "SecurityEdge Preferred" for enhanced, two-way protection against incoming and outgoing threats. [2, 3, 4, 5, 6, 7]
The Technicolor CGA4234 router (often provided as the second-generation Business Wireless Gateway) is designed to handle multiple devices, supporting secure connectivity for employee and guest devices simultaneously. [8]

[1] https://business.comcast.com/learn/internet/security-edge
[2] https://business.comcast.com/learn/internet/security-edge
[3] https://business.comcast.com/community/browse-all/details/security-for-the-wireless-enterprise
[4] https://corporate.comcast.com/press...securityedge-protect-businesses-cyber-threats
[5] https://business.comcast.com/support/article/internet/business-internet-service-overview
[6] https://business.comcast.com/support/article/internet/securityedge-frequent-questions/
[7] https://business.comcast.com/support/article/internet/comcast-business-wireless-gateway-overview-wifi
[8] https://www.ebay.com/itm/256874169299

DNSBench can "get through" only one of the default inbuilt provided DNS servers, and DNSBench 2 can build an apparently false Custom list of 100% of the servers if we delay interqueries by 5 or 6 minutes; all "successful" results are false because the Comcast Security Edge is hijacking all DNS queries, and all we are testing is the time out before reset before the next query.

GRC DNSBench, like GRC SpinRite, presumes honesty.

GRC ValiDrive presumes fakery.

Perhaps a separate utility called GRC ValiDNS would be a terrific adjunct to GRC DNSBench.

Or, as you suggest, combining the features.

For a variety of reasons, I am unable to run your script, or even teach myself what it's for - is it for folks who provide their own DNS servers on their own network?

Thanks.
 
  • "This is and issue ..." should be "This is an issue ..."
    • I will fix this
  • [LF] probably should be [CR][LF] so the Read.me opens in Windows Notepad and displays readably, though it opens in WordPad OK.
    • opens fine in Windows 11 notepad, are you using Windows 10 or earlier notepad as I believe those only handle [CR][LF]
    • Currently I will leave these on [LF] but I will consider your thoughts
  • As far as I can deduce, your dns-hijacking-inspector program is not a simple test from a user's screen designed to reveal if their DNS is being hijacked, right?
    • My inspector can be used to detect DNS Hijacking on your local network. This is its primary role.
    • The results are presented in a simple table with a pass or fail at the bottom.
    • I assume it will work with your router. I am using pfSense where I can change anything I want.
  • Or, as you suggest, combining the features.
    • Yes this is my thought, that this functionality is complementary, but does not need its own app.
    • DNSBenchmark will already have all of the required libraries to add this easily and perhaps improve detection.
    • It is also useful to detect if DNS services are present on your router.
thanks
 