Hacking WARNING: Vodafone customers in Spain might not be blocking updates

[Garfieldo_Menkjel]

UPDATE:
At least for some of its customers' home routers Vodafone Spain is activating a non user modifiable setting which prevents specified DNS servers to take effect.
The net effect in this situation is that just using Tubehax/Chncdcksn dns servers DOES NOT BLOCK SYSTEM UPDATES

Solutions include

• Calling Vodafone and asking for "proxy dns" removed from your router (@xabier). Absolutely try this!!!
  
• Setting up you own local dns proxy (@FAST6191).
• Removing dns proxy from the router yourself via admin-level configuration web pages. I might help attain admin access to the router, just send a PM.

Original post, for context

TL;DR
If your home Vodafone service includes a SERCOM VD1018 model router, server names in CDN urls are resolved regardless of how you configure DNS settings on your WiiU. See below for further information and workaround.

This might affect other Spanish (non Spanish too?) Vodafone customers with similar routers so if you're one of them I recommend actually checking eshop access on your console while having Tubehax/Chncdcksn DNS servers setup.

What the hell?
This shitty router is intercepting outgoing DNS requests and servicing them by its own means. I doesn't matter what servers you put into your WiFi client setup. Even if you put invalid ip addresses, or private ones for that matter, FQDNs are going to be resolved no sweat.

Workaround
There's just one exception to this behavior: although all DNS requests must pass though the WiFi router, only the ones leaving the local network are intercepted. DNS requests addressed to a host in the local LAN are left alone.

This opens the door to setting up a local DNS server somewhere in your LAN and have it forward all requests upstream except for CDN ones.

Other than this, I can only recommend removing your console form the net by configuring some unused/free local ip in your DNS settings. You won't have internet access but at least you wont be creating/deleting connections every time you want temporary internet access.

Further investigation
This router's user-level admin interface is severely limited. There's nothing in it of any help regarding this issue. Latter today I'll be unlocking the admin-level interface and report back any findings.

 

[EmanueleBGN]

Yes, in old routers of Vodafone is impossible to change DNS.
I have a "Vodafone Station 2" and I have this problem too; but seems that with the "Vodafone Station 3" is possible to change the DNS with the app - obviously I don't want spend other 100€ to buy the new router...
I think that the best option is directly change operator and go with the bigger of your Country (Telefónica for Spain, Telecom for Italy)

 

[FAST6191]

Though I am fully prepared to hear the ISP branded and foisted router/modem is awful, mainly by virtue of never having seen a good one unless it was hacked to DDWRT or something, I do have to ask if you first cleared the cached stuff. DNS requests are a tiered thing so if it somehow knew what went otherwise then it might pass that along.

That said DNS is hard and the average consumer would not be fiddling with this, or at least they think so, so I would not be surprised to see it do its own requests or something rather than properly implement protocols.

On running your own DNS I am sort of surprised more people don't. I have no expectation of malice and certainly no evidence of it but should I or another IT type propose using some random DNS for something, much less one purposely offered by those inclined to hack, then fired on the spot would be the result. Might have to go look how easy it is to do on a raspberry pi or something.

 

[Garfieldo_Menkjel]

Though I am fully prepared to hear the ISP branded and foisted router/modem is awful, mainly by virtue of never having seen a good one unless it was hacked to DDWRT or something,

This is one of those combined IPTV/VoIP/Internet services most operators are pushing over here. For Vodafone al userids, passwords, VLAN tags for the different services, etc. is considered secret and never shared with its customers. The router is configured via TR69 and that's it.

Admittedly you can gain privileged access to the device and replicate these configs in openwrt (as I do). Then adjust every time the ISP changes something. That's in fact what I was doing when I found this issue.
At any rate all of that is not really feasible for everyone, not easily explainable in layman's terms.

I do have to ask if you first cleared the cached stuff. DNS requests are a tiered thing so if it somehow knew what went otherwise then it might pass that along.

No cache involved except for the localhost one (of course cleared). You tell your dhcp client to not use provided nameserver, your host resolves fqdns using your configured nameserver.

As said before this router intercepts dns requests going to the internet and forwards to its own configured nameserver. It does it for any non local nameserver ip address, even invalid or private ones!!

Say your local LAN addressing is 192.168.0.24, and configure nameserver 172.16.0.1 (non internet routeable) as nameserver. Your host will be seemingly receiving dns responses from a private address host over the internet.

On running your own DNS I am sort of surprised more people don't. I have no expectation of malice and certainly no evidence of it but should I or another IT type propose using some random DNS for something, much less one purposely offered by those inclined to hack, then fired on the spot would be the result. Might have to go look how easy it is to do on a raspberry pi or something.

Setting a forwarding, non internet facing, dns server at home is quite easy even with pre-packaged software. The moment said server has to do something else dns related, it becomes nearly impossible to do it well..

--------------------- MERGED ---------------------------

Yes, in old routers of Vodafone is impossible to change DNS.
I have a "Vodafone Station 2" and I have this problem too; but seems that with the "Vodafone Station 3" is possible to change the DNS with the app - obviously I don't want spend other 100€ to buy the new router...
I think that the best option is directly change operator and go with the bigger of your Country (Telefónica for Spain, Telecom for Italy)

Surely changing router's dns server is an option (not doable by regular user means :-().
At any rate I don't think having everyone directing all of their network's dns traffic though Tubehax/Chncdcksn servers is a good idea.

Switching operators here is geo-constrained. Movistar has no FTTH coverage at my location, just 2 Mbps ADSL.

 

[Carl Lord]

its the same for movistar as well i am unable to access the router i am using Eurona at the moment with the same problem i just block all sites using a second router pluged in to the main router

 

[xabier]

Call vodafone and tell them to allow you using your own dns servers (desactivar proxy DNS_). I did it some months ago, it took less than 10 minutes. Then you can set your own dns servers on your computer, console, phone... you dont need to access the router for this.

 

[Garfieldo_Menkjel]

its the same for movistar as well i am unable to access the router i am using Eurona at the moment with the same problem i just block all sites using a second router pluged in to the main router

hmm.. getting a tad out of topic here but.. I had Movistar until recently at a previous address and they're more open regarding configuration SIP credentials and such. Don't use a second router, that gives you double nat and few other benefits. There are templates for autoconfiguring openwrt for Movistar quite easily.

Call vodafone and tell them to allow you using your own dns servers (desactivar proxy DNS_). I did it some months ago, it took less than 10 minutes. Then you can set your own dns servers on your computer, console, phone... you dont need to access the router for this.

That's surely the best solution for people using Vodafone's router :-)
The point of my post was just to alert people that they might not be actually blocking updates while believing they were.

 

[FAST6191]

Calling works? I am stunned. Calling BT, virgin, talktalk or whatever in this country is a nightmare and trying to get people to so much as deviate from the script.

 

[Garfieldo_Menkjel]

Calling works? I am stunned. Calling BT, virgin, talktalk or whatever in this country is a nightmare and trying to get people to so much as deviate from the script.

Not in my previous experiences with Movistar/Vodafone/Orange. It always took forever to get past canned-answer-spiting service representatives to get anything done.

That said, I have no reason to doubt @xabier. Maybe this particular request is one of the few level 1 support agents are empowered to directly act on.

 

[GreenLink]

Same with Unitymedia here in Germany...
Their routers accept only IPv6-DNS servers....

 

[jsa]

Same with Unitymedia here in Germany...
Their routers accept only IPv6-DNS servers....

I have an /64 of IPv6 addresses so I could setup a proxy to TubeHax DNS / whatever, if you'd like.

 

[Garfieldo_Menkjel]

Same with Unitymedia here in Germany...
Their routers accept only IPv6-DNS servers....

Doesn't the router just let pass through IPv4-DNS requests sent from your wiiu?
Or does it tamper/translate-to-ipv6 them?

Those ISPs are out of their mind with stuff like this..

 

[GreenLink]

@Garfieldo_Menkjel nope, it doesn't allow IPv4-DNS requests to pass through, it's because of dual stack lite, which means: the Wii U can access IPv4 and IPv6, but someone with IPv4 can't access my Wii U, only with IPv6. I know, really annoying. But I've got my RasPi for things like that .

@jsa Thanks for the offer, but I still need to access NUS on my computer

 

[xabier]

Vodafone doesnt allow you to change your dns to protect you from malware, even using another router doesnt work. They ignore your DNS settings unless you tell them to stop doing it.

 

[Garfieldo_Menkjel]

Vodafone doesnt allow you to change your dns to protect you from malware, even using another router doesnt work. They ignore your DNS settings unless you tell them to stop doing it.

in the context of this thread:

• It has been told here that if you ask VF they'll kindly remove dns proxy. Cannot confirm myself, didn't try.
  
• Setting a second router as a dmz host wont prevent dns proxying but will allow filtering update servers name resolution
• Setting a dns proxy on the local LAN will allow the same.
• Installing a different router *istead of* that of Vodafone will allow you do anything you feel fancy
• Accessing VF's router at admin level will allow you to remove dns proxy yourself.
• If none of the above things is done, updates are not blocked by just setting up Tubehax/Chncdcksn name servers

 

[MikeLDN]

Hi Garfieldo_Menkjel , how can I send you a PM on this forum, O would like to access my router as every ti,e they push an update, I need to call them again not only that, but on level 1 they don't know what to do so have to pass it to level 2 so it's another 24-48 hours.

would love to have control of my Advanced Equipment.

Rgds
Mike

 

[Patxinco]

Just finished talking with them, now DNS-U works flawless. They guy who i was talking didn't even know/wanted to know what i was talking about, but he finally deactivated it!!!!

 

[Garfieldo_Menkjel]

Hi Garfieldo_Menkjel , how can I send you a PM on this forum, O would like to access my router as every ti,e they push an update, I need to call them again not only that, but on level 1 they don't know what to do so have to pass it to level 2 so it's another 24-48 hours.

would love to have control of my Advanced Equipment.

Rgds
Mike

Sorry it took so long to come back to you.
Don't really know how to PM here, cannot see an option for that.

Accessing the admin interface is the only real option as the configuration VF techs do per request is overriden every time a TR69 update is rolled out.
Not willing to share personal info in the forum so not sure howe to proceed from here..

 

[AmandaRose]

Sorry it took so long to come back to you.
Don't really know how to PM here, cannot see an option for that.

Accessing the admin interface is the only real option as the configuration VF techs do per request is overriden every time a TR69 update is rolled out.
Not willing to share personal info in the forum so not sure howe to proceed from here..

To pm someone simply click on their name then there will be an option to pm them just bellow where their name is.

 

[exelix11]

Just passing by: While i was a Vodafone costumer I had this problem too, to solve it i made this tool and even published it here on gbatemp, but quite a few people know about it, the only downside is that you need a pc every time you want to go online, you can run it on a raspberry pi too.
I switched to another isp now but i still use it cause i don't really trust the public dns services