Bypassing a DNS man-in-the-middle attack against Google Drive | /var/blog
Boston to New York City is a frequently traveled route, so a number of different bus lines provide service between the cities. Most offer free WiFi as an amenity. However, not all WiFi is created equal.

Today I was traveling on the Go Bus, and I assumed I'd be able to do some work on the bus. I needed to access a document on Google Drive. However, when I tried to open Drive, I was greeted with this sight.

I use OpenDNS instead of relying on my ISP's DNS servers, and I figured that there was some error on OpenDNS's end. So, I changed my /etc/resolv.conf to use the Google DNS servers, figuring that would work. No luck.

At this point, I realized that the bus network must be hijacking traffic on port 53, which was easy to test. dig gave me the following output:

Visiting directly gives the following page. Saucon TDS uses OpenDNS for DNS lookups, but they redirect undesired lookups to their block page. I confirmed this by asking my neighbor across the
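The port-53 hijack test described above, scripted as an added example (not code from the original post): it sends a raw A query for drive.google.com straight to several resolvers and compares the answers. One of the "resolvers" is an assumed canary address, 192.0.2.1 (RFC 5737 TEST-NET-1), which is never routed on the Internet, so any reply for it can only come from something on the path intercepting port 53; the public resolver addresses 8.8.8.8 (Google) and 208.67.222.222 (OpenDNS) used in the usage note are assumptions, not values quoted by the post.

```python
import socket
import struct

# Assumed canary: 192.0.2.1 (RFC 5737 TEST-NET-1) is unroutable, so only a port-53 interceptor can answer for it.
CANARY_RESOLVER = "192.0.2.1"

def build_query(name, txid=0x1234):
    """Minimal DNS A query: fixed txid, RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, pos):
    """Advance past a domain name at pos; a compression pointer ends the name."""
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def parse_a_records(resp):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(resolver, name, timeout=2.0):
    """Query resolver:53 directly over UDP; None = no reply (honest for the canary)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data)

def classify(results):
    """results maps resolver -> set of IPs (None if no reply). Returns a verdict."""
    if results.get(CANARY_RESOLVER):
        return "intercepted"   # the unroutable canary answered: port 53 is hijacked
    answers = {frozenset(v) for r, v in results.items() if r != CANARY_RESOLVER and v}
    return "inconsistent" if len(answers) > 1 else "consistent"
```

Run it with `classify({r: probe(r, "drive.google.com") for r in ("8.8.8.8", "208.67.222.222", CANARY_RESOLVER)})`; a verdict of `intercepted` means the network answered for an address that cannot exist, and `inconsistent` means the resolvers disagree, in which case compare each answer against the IP of the block page.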