top | item 7014769

(no title)

When you run dig @www.facebook.com news.ycombinator.com, it must query the default DNS for www.facebook.com; however, the ISP must return the real IP for www.facebook.com or the HTTPS establishment will fail because they cannot MiTM that connection.

So now dig has the actual IP for www.facebook.com, which it is now going to use for it's DNS query for news.ycombinator.com. The commenter observed this query is intercepted because it works (which it shouldn't).

discuss

No comments yet.