Virgin Media, why are you manipulating my traffic?
- 6th April: TalkTalk appear to be doing something similar
- 7th April: Plusnet are doing it too. The responses to my post have highlighted that using DNSCrypt + OpenDNS doesn't allow you to opt out of this behaviour, which suggests a deal between the ISPs, Google and OpenDNS has been made.
Virgin Media, why does www.google.com resolve to host-62-253-8-99.not-set-yet.virginmedia.net? What a funny name for a PTR record, but seriously, why are you manipulating my traffic?
I was testing something only to find that google.com and google.co.uk both resolve to an IP address owned by Virgin Media.
PING google.com (188.8.131.52): 56 data bytes
64 bytes from 184.108.40.206: icmp_seq=0 ttl=58 time=17.569 ms

host 220.127.116.11
18.104.22.168.in-addr.arpa domain name pointer host-62-253-8-103.not-set-yet.virginmedia.net.
dig a google.com +trace fools me into thinking that ns1.google.com is dishing out these Virgin owned IPs, yet a query from elsewhere tells me otherwise.
Using Virgin Media
dig a google.com @ns1.google.com
;; ANSWER SECTION:
google.com. 300 IN A 22.214.171.124
google.com. 300 IN A 126.96.36.199
google.com. 300 IN A 188.8.131.52
google.com. 300 IN A 184.108.40.206
google.com. 300 IN A 220.127.116.11
google.com. 300 IN A 18.104.22.168
google.com. 300 IN A 22.214.171.124
google.com. 300 IN A 126.96.36.199
google.com. 300 IN A 188.8.131.52
google.com. 300 IN A 184.108.40.206
google.com. 300 IN A 220.127.116.11
google.com. 300 IN A 18.104.22.168
google.com. 300 IN A 22.214.171.124
google.com. 300 IN A 126.96.36.199
google.com. 300 IN A 188.8.131.52
google.com. 300 IN A 184.108.40.206

dig a google.com @ns1.google.com
;; ANSWER SECTION:
google.com. 300 IN A 220.127.116.11
google.com. 300 IN A 18.104.22.168
google.com. 300 IN A 22.214.171.124
google.com. 300 IN A 126.96.36.199
google.com. 300 IN A 188.8.131.52
google.com. 300 IN A 184.108.40.206
Most odd. Especially seeing as I do not use Virgin Media's DNS resolvers. I use OpenDNS, m7.lon.opendns.com to be exact, according to www.dnsleaktest.com. OpenDNS' cache check matches my other ISP: a whole bunch of IPs, none of which are anywhere near this 220.127.116.11/24 we're seeing from Virgin Media.
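The comparison made above (the answers seen on the affected connection against the answers seen from another network, plus the PTR name of what came back) can be scripted. This is an added example, not code from the original post: the addresses are constructed documentation-range values, and `parse_answers`, `under`, `check` and the `OWNER_SUFFIXES` list are assumptions made for illustration.

```python
import re

# One A record line from a dig ANSWER SECTION: name, TTL, IN, A, address.
A_RECORD = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample data: documentation-range addresses, not the page's values.
LOCAL_DIG = """;; ANSWER SECTION:
google.com. 300 IN A 192.0.2.99
google.com. 300 IN A 192.0.2.103
"""
REFERENCE_DIG = """;; ANSWER SECTION:
google.com. 300 IN A 198.51.100.14
google.com. 300 IN A 198.51.100.46
"""
PTR_NAMES = {  # address -> PTR name, as printed by `host <address>`
    "192.0.2.99": "host-62-253-8-99.not-set-yet.virginmedia.net.",
    "192.0.2.103": "host-62-253-8-103.not-set-yet.virginmedia.net.",
}
OWNER_SUFFIXES = ("1e100.net", "google.com")  # assumption: owner's PTR domains

def parse_answers(dig_output):
    """Return {name: set of addresses} from the text printed by dig."""
    answers = {}
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            answers.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return answers

def under(ptr, suffixes):
    """True if the PTR name is one of the suffixes or a subdomain of one."""
    ptr = ptr.rstrip(".").lower()
    return any(ptr == s or ptr.endswith("." + s) for s in suffixes)

def check(name, local_dig, reference_dig, ptr_names, owner_suffixes):
    """Classify the answers for name seen on the connection under test."""
    local = parse_answers(local_dig).get(name, set())
    reference = parse_answers(reference_dig).get(name, set())
    if not local:
        return "no-answer", []
    if local & reference:
        return "consistent", []
    # Disjoint answers alone can be ordinary geographic load balancing, so
    # check who the PTR record says operates the addresses we were handed.
    foreign = sorted(ip for ip in local
                     if ip in ptr_names and not under(ptr_names[ip], owner_suffixes))
    return ("suspect", foreign) if foreign else ("differs", [])

if __name__ == "__main__":
    print(check("google.com", LOCAL_DIG, REFERENCE_DIG, PTR_NAMES, OWNER_SUFFIXES))
```

A "differs" result means the two networks disagree but nothing identifies the operator of the addresses, which is what ordinary load balancing looks like; only "suspect" matches the situation in this post.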
So for some reason Virgin Media (or someone) is manipulating the DNS response I receive from OpenDNS' 18.104.22.168, 22.214.171.124 for google.com, google.co.uk and possibly other domains. They're also proxying google.com to me, as loading http://126.96.36.199 in a web browser shows me Google's home page. Creepy. Ok, so where does a traceroute take me?
traceroute: Warning: google.com has multiple addresses; using 188.8.131.52
traceroute to google.com (184.108.40.206), 64 hops max, 52 byte packets
 1 192.168.1.1 (192.168.1.1) 4.610 ms 4.257 ms 34.474 ms
 2 cpc10-sotn8-2-0-gw.15-1.cable.virginm.net (220.127.116.11) 22.904 ms 79.800 ms 14.122 ms
 3 sotn-core-2a-ae6-610.network.virginmedia.net (18.104.22.168) 13.692 ms 12.621 ms 11.575 ms
 4 popl-bb-1c-ae14-0.network.virginmedia.net (22.214.171.124) 33.107 ms 16.609 ms 27.541 ms
 5 brnt-bb-1c-et-000-0.network.virginmedia.net (126.96.36.199) 28.404 ms brnt-bb-1c-et-510-0.network.virginmedia.net (188.8.131.52) 15.146 ms 25.651 ms
 6 haye-icdn-1-ae0-0.network.virginmedia.net (184.108.40.206) 14.849 ms 16.701 ms 16.381 ms
 7 * * *
 8 * * *
Most interesting that it stops here: haye-icdn-1-ae0-0.network.virginmedia.net (220.127.116.11)
haye-icdn-1, what do you do? A quick google (ironic) reveals this thread titled ‘Virgin hijacking’. One user suggests:
Content Distribution Network run by Virgin to try and speed things up. It's not really hijacking, per se, and if it worked, it would actually be a good thing. The problem is, it's heavily congested so has the opposite effect.
I have no idea why Virgin and OpenDNS feel the need to proxy or CDN google.com for me. The ping response time to one of Google's actual IPs is 20.049 ms. From now on I will encrypt my DNS traffic to OpenDNS using DNSCrypt and one of the suggested DNS providers; it takes 5 seconds to install their app.
Ahh, that’s better :-)
- My Virgin SuperHub is in modem mode
- It's entirely possible Virgin Media has struck a deal with OpenDNS; however, I couldn't find mention of that anywhere and it seems unlikely. The responses to this post have led me to believe some deal has been made.
Discuss at HN: https://news.ycombinator.com/item?id=7504737