Suspected (DNS) exploit kit on ASUS RT-N66U

The difference is between www.google.com and google.com
Code:
# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      google.com
Address 1: 2a00:1450:4009:802::200e lhr25s07-in-x0e.1e100.net
Address 2: 216.58.208.142 lhr25s08-in-f14.1e100.net

Ah, my bad. thanks.

Code:
nslookup www.google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.google.com
Address 1: 2a00:1450:400f:805::2004 arn06s07-in-x04.1e100.net
Address 2: 83.140.66.42 83.140.66.42.biz.sta.port80.se
Address 3: 83.140.66.38 83.140.66.38.biz.sta.port80.se
Address 4: 83.140.66.19 83.140.66.19.biz.sta.port80.se
Address 5: 83.140.66.30 83.140.66.30.biz.sta.port80.se
Address 6: 83.140.66.29 83.140.66.29.biz.sta.port80.se
Address 7: 83.140.66.59 83.140.66.59.biz.sta.port80.se
Address 8: 83.140.66.53 83.140.66.53.biz.sta.port80.se
Address 9: 83.140.66.45 83.140.66.45.biz.sta.port80.se
Address 10: 83.140.66.23 83.140.66.23.biz.sta.port80.se
Address 11: 83.140.66.15 83.140.66.15.biz.sta.port80.se
Address 12: 83.140.66.49 83.140.66.49.biz.sta.port80.se
Address 13: 83.140.66.44 83.140.66.44.biz.sta.port80.se
Address 14: 83.140.66.34 83.140.66.34.biz.sta.port80.se
Address 15: 83.140.66.27 83.140.66.27.biz.sta.port80.se
Address 16: 83.140.66.57 83.140.66.57.biz.sta.port80.se
 
DNS Advantage is fairly solid as a public DNS...

The big concern with Neustar is that they're a primary provider for CALEA (Lawful Intercept)...
 
Hi guys, was this issue resolved? Or did you find the root cause for this?

I have experienced the same. My wife reported a "Google outage" and I started to look around. Any DNS query except Google was running perfectly fine.

I'm running 380.63_2 and didn't find anything suspicious in /etc/dnsmasq.conf or in the iptables NAT tables. /tmp/resolv.conf was pointing to my ISP DNS.

Now the funny part: I changed "Connect to DNS Server automatically" to NO and set OpenDNS. Everything started moving the right way. I switched back to the ISP DNS, and the 127.0.0.1 response was back; I could reproduce the problem multiple times in a row.

Unfortunately, after about 30 min (and multiple reboots), the response is back to normal and I cannot reproduce the 127.0.0.1 response for google.com anymore to provide a tcpdump or anything similar.

The IT guys from the ISP confirmed that there was no outage on the DNS infra. I will keep an eye on this and get some dumps if time permits.

######## On the router itself:

# nslookup www.google.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: www.google.com
Address 1: ::ffff:127.0.0.1
Address 2: 127.0.0.1 localhost.localdomain

# nslookup google.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: google.com
Address 1: ::ffff:127.0.0.1
Address 2: 127.0.0.1 localhost.localdomain

######## I tested DNS lookups on the wifi client, of course it was the same

[21:17:33][Tue Nov 22]:~ dig www.google.com

; <<>> DiG 9.10.4-P3 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 0 IN A 127.0.0.1

;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Nov 22 21:18:05 CET 2016
;; MSG SIZE rcvd: 48

[21:18:05][Tue Nov 22]:~ dig google.com

; <<>> DiG 9.10.4-P3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16826
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 0 IN A 127.0.0.1

;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Nov 22 21:18:10 CET 2016
;; MSG SIZE rcvd: 44
 
Sometimes it's a badly cached record that can cause issues with specific sites. I've seen it happen with a few servers. Windows DNS server, for instance, is infamous for randomly failing to resolve entire TLDs until you flush the DNS server cache. Microsoft published a TechNet article on a way to mitigate the issue through a registry tweak (it's been years since I've dealt with that specific issue, so I can't remember the details).

If your ISP provides some kind of local cache for Google's servers, the issue might have been at that level, not at the DNS server level.

That TTL of 0 secs is equally interesting there IMHO.
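The three things visible in the dig output above (an answer of 127.0.0.1 for a public name, a TTL of 0, and the `aa` flag in the header) can be checked mechanically before reaching for tcpdump. The following Python is an added example, not code from the thread, from AsusWRT or from dnsmasq: it parses dig's text output, lists those indicators, and searches dnsmasq.conf/hosts text for an `address=`, `server=` or hosts entry that would produce such an answer. All sample inputs are constructed: the "overridden" dig sample mirrors the shape of the thread's answer, the "normal" one reuses the google.com address from the earlier nslookup output with a made-up TTL, and the `address=/google.com/127.0.0.1` config line is hypothetical. The TTL-0 and AA interpretations are general dnsmasq behaviour (local data is served with `local-ttl`, default 0, and marked authoritative), not a claim about what happened on this router.

```python
"""Triage a dig answer for signs of a resolver-side DNS override.

Added example, not code from the thread, AsusWRT or dnsmasq.
All sample inputs below are constructed.
"""
import ipaddress
import re

# Constructed sample: same shape as the thread's dig answer for www.google.com.
OVERRIDDEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 0 IN A 127.0.0.1
"""

# Constructed sample of a normal forwarded answer: the address is the one the
# thread's earlier nslookup returned for google.com; the TTL is made up.
NORMAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 299 IN A 216.58.208.142
"""

# Constructed (hypothetical) dnsmasq.conf and hosts fragments showing what an
# override that produces the OVERRIDDEN answer would look like.
SAMPLE_DNSMASQ_CONF = """\
no-resolv
server=/example.org/10.0.0.53
address=/google.com/127.0.0.1
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$")


def parse_dig(text):
    """Return (header flags, [(name, ttl, type, rdata), ...]) from dig output."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():      # a blank line ends the section
                in_answer = False
                continue
            m = ANSWER_RE.match(line)  # dig separates fields with tabs or spaces
            if m:
                name, ttl, rtype, rdata = m.groups()
                records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return flags, records


def non_public(rdata):
    """True if A/AAAA rdata is loopback, private or unspecified. IPv4-mapped
    IPv6 (::ffff:127.0.0.1, as nslookup printed in the thread) is unwrapped."""
    ip = ipaddress.ip_address(rdata)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_private or ip.is_unspecified


def triage(text):
    """Parse one dig answer and list indicators of a resolver-side override."""
    flags, records = parse_dig(text)
    findings = []
    for name, ttl, rtype, rdata in records:
        if non_public(rdata):
            findings.append(f"{name}: {rtype} answer {rdata} is not a public address")
        if ttl == 0:
            # dnsmasq serves address=/hosts data with local-ttl, default 0
            findings.append(f"{name}: TTL 0, typical of dnsmasq local data")
    if records and "aa" in flags:
        # a forwarder relaying an upstream recursive answer does not claim authority
        findings.append("AA flag set: the resolver answered from its own data")
    return {"flags": flags, "records": records, "findings": findings}


def local_overrides(name, dnsmasq_conf="", hosts=""):
    """Config lines that make dnsmasq answer `name` locally: address=/server=
    entries for the name or any parent domain, and matching hosts entries."""
    labels = name.rstrip(".").lower().split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    hits = []
    for line in dnsmasq_conf.splitlines():
        line = line.strip()
        m = re.match(r"^(address|server)=/([^/]+)/", line)
        if m and m.group(2).lower().rstrip(".") in suffixes:
            hits.append(line)
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for label, sample in (("overridden", OVERRIDDEN), ("normal", NORMAL)):
        print(label, triage(sample)["findings"])
    print(local_overrides("www.google.com", SAMPLE_DNSMASQ_CONF, SAMPLE_HOSTS))
```

On a live router you would feed `triage` the output of `dig @192.168.1.1 www.google.com` and, separately, of `dig @<upstream from /tmp/resolv.conf> www.google.com`; only the first carrying findings points at the router, both carrying them points upstream. `local_overrides` takes the text of /etc/dnsmasq.conf and /etc/hosts (the hosts path is an assumption about the firmware's layout).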
 
With DNSMasq, to clear the cache, just restart it...

$ sudo /etc/init.d/dnsmasq restart

OR

$ service dnsmasq restart
 
Those won't work on AsusWRT as they are System V commands. The equivalent is:

service restart_dnsmasq
or
killall -SIGHUP dnsmasq
 
Hi, the magic was resolved :) It seems that routing to Google wasn't working correctly for the Czech and Slovak Republics between 19:30 and 21:00 CET on 22/11/2016, and this was the root cause of the issue.

It can be verified by external articles in the local language:
http://downdetector.com/status/google/news/90156-problems-at-google
http://downdetector.com/status/google/news/89973-problems-at-google
http://dsl.sk/article.php?article=19097
http://www.zive.sk/clanok/121045/google-nefunguje-problemy-maju-aj-dalsie-jeho-sluzby
 