Disclaimer :: this information is just my technical opinion; however, the basic facts have been confirmed by BT technical support.
When you make a DNS request through BT, BT intercepts the request at packet level; by this I mean it intercepts requests made on UDP port 53. It then services those requests using its own DNS servers and returns the result to you, while pretending to be the nameserver you were wanting or expecting to query.
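One way to check your own line for the interception described above, as an added example that is not from the original post: it sends a DNS query over UDP port 53 to 192.0.2.1, a documentation-only address (RFC 5737) assumed here to host no DNS server, so a matching reply can only have come from something on the path. The function names and the probe name `example.com` are this example's own choices.

```python
import secrets
import socket
import struct

# Assumption for this example: 192.0.2.1 is in TEST-NET-1 (RFC 5737), a
# documentation-only range where no real DNS server answers. A DNS reply
# that appears to come from it was generated by something on the path.
DEAD_RESOLVER = "192.0.2.1"


def build_query(name, txid, qtype=1):
    """Encode a one-question recursive DNS query (class IN, default type A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def is_reply_to(query, reply):
    """True if reply is a DNS response echoing the query's ID and question."""
    if len(reply) < len(query):
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    same_id = txid == struct.unpack("!H", query[:2])[0]
    is_response = bool(flags & 0x8000)  # QR bit
    return same_id and is_response and reply[12:len(query)] == query[12:]


def answered(server, name="example.com", timeout=3.0):
    """Send one UDP/53 query to server; True if a matching reply comes back."""
    query = build_query(name, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((server, 53))  # kernel drops replies from other sources
            sock.send(query)
            return is_reply_to(query, sock.recv(4096))
        except OSError:  # timeout, ICMP unreachable, no route
            return False


if __name__ == "__main__":
    if answered(DEAD_RESOLVER):
        print("Reply from an address with no DNS server: UDP/53 is being intercepted")
    else:
        print("No reply from the dead address: no transparent interception seen")
```

A timeout only shows that this one probe was not answered; a filter that rewrites queries to known resolvers only would not be caught by it.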
Why is this a problem?
BT are effectively censoring which domains you are allowed to look up and hence which websites you can visit, while at the same time advertising “totally unlimited broadband”. I guess you could exclude this reason if you’re cool with BT telling you which parts of the Internet you can look at.
Secondly, it appears that their filtering system doesn’t always work as expected and it filters sites ‘unexpectedly’; indeed it can prevent you from looking at some sites, even tho’ BT are not explicitly trying to block them.
Thirdly, it appears that VERY few people inside BT actually know this is happening, let alone know how this is happening or what makes the filtering tick. So, what happens if the Syrian Electronic Army hijack BT’s DNS servers? What happens if one of BT’s DNS servers gets corrupted (it can happen!) and starts giving out the wrong results?
But what if I want to directly query a DNS server, like Google on 126.96.36.199?
The really scary bit …
BT think they can filter the Internet without telling anybody.
BT think that spoofing replies from other people’s servers (without telling anyone or seeking permission from either server or client) is “Ok”.
I asked a question earlier of someone inside BT who I thought competent to provide an accurate answer. It was:
“If BT, or someone inside BT decided to spoof an entire site by redirecting the DNS to a copy of the site that had been modified or censored in some way, how would I as a customer be able to tell?”
“Erm, I guess you wouldn’t …”
And the followup …
If something like this happened, how many people inside BT would be capable of spotting it (if they were looking for it) ??
BT Customer … Not afraid yet?
Next time you look at a website, consider that the process of converting the domain name you requested to an internet address, as performed by your browser, has been interfered with and the site you are looking at is the site BT have directed you to, which may or may not be the site you requested.
Sure, brush it off … but next time you log into your online banking and it tells you that you’ve entered the wrong password, remember this post!
Caveat :: this appears to be something new BT are doing to broadband connections taken out after the middle of December 2013, or at least for the moment, so if you have an older line, you may not have this issue … yet.