
Tools such as this are used to check whether your router is infected with malware that redirects your traffic via bad guys' DNS servers. How can these tools tell which DNS servers are actually used and whether they are legit or not? Answers to a similar question indicate that the tool makers are maintaining black lists of known bad servers. This doesn't seem feasible to me. Another point which isn't discussed is how exactly the tools know which DNS server made the request. A bad server doesn't necessarily send a direct request to the DNS server which owns the domain. So how does this whole thing work, exactly?

Atte Juvonen
  • "Which DNS server made the request" this part is confusing. While DNS servers can make requests (further up the chain) I don't think this is what you are talking about. Can you explain further? – d1str0 Nov 28 '16 at 02:25
  • The tools work, but are by no means a magic bullet. They do exactly as stated, nothing fancy you couldn't do yourself. – John Keates Nov 28 '16 at 02:45
  • A malware DNS server could simply ask Google's DNS server for any given address. When the tool-makers' DNS server receives a request, it looks like it came from Google's legitimate DNS server. – Atte Juvonen Nov 28 '16 at 12:26

1 Answer


Looking at tcpdump output and debugger output from running the tool, it appears that the page retrieves this URL:

https://dnscheck.sc.fsapi.com/prod/v1/router-checker

and gets a response that looks like this:

{ "ping_url" : "https://[arbitrary string].names.dnscheck.sc.fsapi.com/prod/v1/result?apikey=[arbitrary string]&output=dns" }

The arbitrary string in the hostname and the API key seem to change with each request.

... GETting that URL returns output like this:

{
  "asn" : "12008",
  "asn_org" : "NeuStar, Inc.",
  "isp" : "NTT America",
  "org" : "NeuStar",
  "continent_code" : "NA",
  "continent_name" : "North America",
  "country_code" : "US",
  "country_name" : "United States",
  "registered_country_code" : "US",
  "registered_country_name" : "United States",
  "dns_ip" : "165.254.23.143",
  "known_public_dns" : "Norton ConnectSafe",
  "verdict" : "uncertain"
}

... so it looks like they've got a server set up to monitor the source of DNS lookups (which is why you get your own custom/random hostname to look up) and then make a report about the entity that made the request.

The example I show here is from Firefox, which is apparently being intercepted by a Norton service I didn't install; if I make the same request from Chrome, it shows data that identifies the request as coming from my upstream net provider.

So, as discussed in your question and the comments to your question, it looks like a smart bad DNS provider could just pass through all of their requests to Google or another upstream DNS provider, and this tool probably wouldn't catch them.

gbroiles
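A toy model of the mechanism the answer describes, added here as an example and not code from the tool or from the answer's author: the checker hands the browser a one-time random hostname under its own zone, its authoritative server records the resolver IP that asks for that name, and the report is built from that IP. The zone name, the ISP and rogue resolver addresses, their ASNs and the "flag" heuristic are all constructed (only 8.8.8.8 is a real public resolver); the last scenario reproduces the blind spot the answer points out, where a rogue resolver that forwards to Google is reported as Google.

```python
"""Toy DNS router checker: a one-time random hostname under a zone the checker
controls is looked up, the checker's authoritative server records which resolver
IP asked for it, and a report is built from that IP. Values are constructed."""
import secrets

CHECK_ZONE = "names.dnscheck.example"   # stand-in for the checker's zone
SEEN = {}                               # token -> resolver IP that asked for it
# Constructed stand-in for a GeoIP/ASN database: IP -> (ASN, organisation).
ASN_DB = {
    "198.51.100.53": ("64500", "Example ISP"),        # the client's ISP resolver
    "8.8.8.8": ("15169", "Google LLC"),               # real Google Public DNS
    "203.0.113.53": ("64501", "Unknown Hosting Co"),  # constructed rogue resolver
}
KNOWN_PUBLIC_DNS = {"8.8.8.8": "Google Public DNS"}

def issue_ping_hostname() -> str:
    """Unique random label, so one DNS lookup can be tied to one browser session."""
    token = secrets.token_hex(8)
    SEEN[token] = None
    return f"{token}.{CHECK_ZONE}"

def authoritative_query(qname: str, source_ip: str) -> None:
    """The checker's authoritative name server only sees the IP that contacts it."""
    token = qname.split(".", 1)[0]
    if token in SEEN:
        SEEN[token] = source_ip

def report(qname: str, client_isp_asn: str) -> dict:
    ip = SEEN[qname.split(".", 1)[0]]
    asn, org = ASN_DB.get(ip, ("?", "?"))
    # Constructed heuristic for illustration, not the real tool's verdict logic.
    flag = ("isp" if asn == client_isp_asn
            else "public" if ip in KNOWN_PUBLIC_DNS else "unexpected")
    return {"dns_ip": ip, "asn": asn, "org": org,
            "known_public_dns": KNOWN_PUBLIC_DNS.get(ip), "flag": flag}

def run_scenarios() -> dict:
    """Three clients on the same ISP (AS64500) with different resolver chains; each
    hop forwards to the next, so only the last hop contacts the checker's server."""
    chains = {
        "isp_resolver": ["198.51.100.53"],
        "rogue_recursive": ["203.0.113.53"],
        "rogue_forwarding_to_google": ["203.0.113.53", "8.8.8.8"],  # the blind spot
    }
    results = {}
    for name, chain in chains.items():
        host = issue_ping_hostname()
        authoritative_query(host, chain[-1])  # last hop is what the checker sees
        results[name] = report(host, "64500")
    return results
```

Running `run_scenarios()` shows the first chain flagged as the ISP's resolver, the second as an unexpected resolver, and the forwarding rogue indistinguishable from a client that simply uses Google Public DNS.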