So, I have a local recursive DNS cache server, primarily to speed up my internet, but also to block ads and malware-infested websites. I usually don’t store the domain query logs, but a week ago I decided to do that, so that I could keep an eye on my devices.
Today, I was checking the query logs on a whim, when I found several random requests to *.apps.mil from my devices.
I obviously blocked it immediately. I have never been to a .mil website before (why would I need to?), so I wouldn’t have any cookies stored in my browsers. Moreover, I wouldn’t want my devices to connect to a service without my knowledge.
Now that I had put a Band-Aid solution in place, it was time to look into it in detail.
In the course of learning more about that specific domain, I came to know that the .mil TLD is not supported by ICANN lookup services. ICANN lookup usually gives you a whole lot of information about a domain. You can try for yourself here.
See how I have DNSSEC enabled? It is an important feature every network engineer should enable (really, it only takes a few lines of configuration) to ensure the DNS records for your domain cannot be spoofed. Incidentally, I noticed that the apps.mil domains have DNSSEC enabled. So, I did the next best thing I knew: I tried to find out the chain of trust of the DNSSEC key associated with those domains in order to find out their IP addresses. You can try out the tool for yourself here. What I found for apps.mil is this:
I found the following three IP addresses associated with the domain:
Now that I have the actual IP addresses, it is time to find out where they are located, which ISP they use, etc.! There are way too many tools to do that; the one I have personally found to be very accurate time and again is this. The results are:
All three of these IP addresses use the same ISP, DoD Network Information Center. The first two IPs yield the same location in Columbus, Ohio (map on top). The third yields a location in Chicago (map at the bottom), and as you can clearly see, both are Federal buildings.
Am I important enough to be specifically targeted by the NSA? Nope. But do I know that the NSA snoops on all communications? Yep. Am I collateral damage in their blanket domestic snooping? Probably. Do I need to secure my network more? Drastically. Can I do it? Probably not.
So what do I do now? Nothing! I just have to hope my Band-Aid solution keeps the leak in check, because I am definitely not technically knowledgeable enough to escape Big Brother. We just have to wait and see what, if anything, happens!
What can you do? Install Pi-hole. Seriously, it’s a good place to start for securing your network. Keep an eye out for unauthorized connections and block them. Will it stop all government snooping? Definitely not! But it will deter the simplest of these kinds of attacks. Use a VPN, always. Don’t trust your ISP to protect your data; they won’t. I use Verizon Fios; I hate the company, but I was forced to get them either way. Cartel-style territorial monopolies are the worst. I still had a choice (my only other choice was Comcast, but you know I couldn’t have chosen the most hated company in America, right?); most people in America don’t even have that luxury. Stay vigilant, but not to the point of wearing a tin-foil hat. And as always, please don’t perpetuate “if you have nothing to hide, why do you need privacy”.
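Keeping an eye on the query log does not have to mean reading it by hand. The script below is an added example, not part of the original post or of Pi-hole: it parses dnsmasq-style `query[...]` lines (the format Pi-hole writes), groups the zones each client asked about, flags queries to a watched zone such as apps.mil, and reports zones a client has never queried before. The log lines, IP addresses and baseline are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in dnsmasq/Pi-hole syslog format (not from the post).
SAMPLE_LOG = """\
Mar  5 09:12:01 pihole dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar  5 09:12:03 pihole dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.20
Mar  5 09:15:44 pihole dnsmasq[812]: query[A] cdn.example.net from 192.168.1.31
Mar  5 09:16:10 pihole dnsmasq[812]: query[A] update.apps.mil from 192.168.1.31
Mar  5 09:16:11 pihole dnsmasq[812]: query[A] telemetry.apps.mil from 192.168.1.31
Mar  5 09:20:02 pihole dnsmasq[812]: query[A] mail.example.org from 192.168.1.20
"""

# timestamp, syslog host, "dnsmasq[pid]:", query type, queried name, client IP
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def registrable_suffix(name, labels=2):
    """Last `labels` labels of a name, e.g. update.apps.mil -> apps.mil.
    Simplified: multi-label public suffixes such as co.uk are not handled."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_queries(text):
    """Yield one dict per well-formed query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text, watch_suffixes=()):
    """Return ({client: set of zones queried}, [(ts, client, name)] watch hits)."""
    zones_by_client = defaultdict(set)
    hits = []
    for q in parse_queries(text):
        zone = registrable_suffix(q["name"])
        zones_by_client[q["client"]].add(zone)
        if zone in watch_suffixes:
            hits.append((q["ts"], q["client"], q["name"]))
    return dict(zones_by_client), hits


def new_zones(zones_by_client, baseline):
    """Per client, zones not present in a baseline set of previously seen zones."""
    return {c: z - baseline for c, z in zones_by_client.items() if z - baseline}
```

Run it against a day's log with yesterday's zone set as the baseline and the output is the short list of first-time zones worth a closer look, rather than the whole log.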