I'm being redirected to a parking site when DNS resolution fails

4

I've just realized that when I enter a URL in the browser and navigate there, if the site doesn't exist I get redirected to a parking site full of ads. Confirmed that the site doesn't exist after checking WHOIS information (domain is available, etc.). My home setup is just a wifi-router with an ADSL service, and my devices going through that wifi connection.

My tests so far:

I guess this could be something bad/malicious in my connection/setup/ISP, but I would appreciate any directions to troubleshoot this issue.

Matias

Posted 2013-04-07T03:24:44.793

Reputation: 291

Welcome to Super User, now tell us more info :-) Who is your ISP? What are the numbers shown for your DNS? What is your operating system? If it's Windows, what, if anything, is in the HOSTS file, other than the sample stuff? "Spyware blasters", evil ActiveX blockers (registry) and evil site list restrictions (IE security) can filter out some of that stuff. Assembled hosts blocking files can block out some of it too, all passively (not a running program). What browser(s) are you using? – Psycogeek – 2013-04-07T04:34:59.337

1 @Psycogeek thank you. I use Linux but there are other devices using Windows connected to the network. After following guidance from the answer below I realized one of those computers was infected. – Matias – 2013-04-07T05:12:35.663

Answers

11

That would be your ISP 'helping' you.

http://whatis.techtarget.com/definition/DNS-redirection


Or as was pointed out in the comments, your DNS server was compromised or your gateway's DNS settings were changed to point to a malicious DNS server.

See http://www.dcwg.org/ for information on one example of DNS changing malware that targets SOHO routers and how to check/remove the problem.

cpt_fink

Posted 2013-04-07T03:24:44.793

Reputation: 377

1

More details available: http://en.wikipedia.org/wiki/DNS_hijacking

– Chris S – 2013-04-07T03:58:32.003

Thanks for the answer. So other people with my same ISP might experience the same thing, right? What's odd is that the resulting page is unrelated to my country, and does not contain any ISP branding, etc. Also, the whois for the parking domain is registered under https://subreg.cz/cz/ which is totally unrelated to my country. Those are the facts that make me doubt.

– Matias – 2013-04-07T04:07:35.270

2 @Matias It's possible that your DNS server or the machine acting as the network's default gateway has been compromised. – Andrew B – 2013-04-07T04:09:01.883

1 It could be someone upstream of you but downstream of your ISP. What is the DNS server set up on your router (which I assume is setting the DNS setting on your machines via DHCP or acting as a DNS server itself)? – Scott Chamberlain – 2013-04-07T04:09:05.810

1 The redirection would be dependent on the DNS servers you are hitting. If you are configured to use DNS servers in the Czech Republic, or the servers you are using are forwarding to DNS servers there, it could happen. – cpt_fink – 2013-04-07T04:10:33.180

Thanks for the info. I realized that I was not able to log in to the router admin page (credentials didn't work). After doing a reset, the problem went away. Maybe my router got compromised, not sure. Not sure if that has something to do with default credentials but thought it was not possible to access it remotely. Maybe one machine is compromised and they compromised the router from there. I will keep investigating; thanks again. – Matias – 2013-04-07T04:42:58.857

1 If that fixed your problem you definitely need to scan PCs and secure your router. The dcwg.org (DNS Changer Working Group) page linked above has a 'fix' page with helpful instructions. – cpt_fink – 2013-04-07T04:45:12.290

2

Sometimes it is not about DNS hijacking.

Some spy toolbars/extensions check the return codes of the pages you navigate to and redirect you to some custom error pages or parked pages if the return code is not 200 (OK). Check your extensions and also check your installed programs list for toolbars because some programs install them silently, taking advantage of our habit of accepting terms automatically.

EDIT: I've just read in the comments that it was DNS hijacking. I'm keeping the answer here so future users know about this.

Jorge Fuentes González

Posted 2013-04-07T03:24:44.793

Reputation: 625
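A way to tell the two causes in the answers above apart (rewriting at the DNS resolver versus a redirect inside the browser), as an added example that is not code from any poster on this page: it resolves random, unregistered names through the operating system's resolver and reports any address that comes back. The function names and the two stand-in resolvers are hypothetical, and the 203.0.113.10 address is a constructed documentation value.

```python
import secrets
import socket

def random_probe_names(count=3, tlds=("com", "net", "org")):
    """Build random names that are almost certainly unregistered."""
    return [f"{secrets.token_hex(12)}.{tlds[i % len(tlds)]}" for i in range(count)]

def system_resolve(name):
    """Ask the OS resolver (normally the DNS server handed out by the router).
    Returns the set of addresses, or an empty set when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as exc:
        # A temporary failure (no network, resolver down) proves nothing,
        # so surface it instead of reporting a clean result.
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            raise
        return set()
    return {info[4][0] for info in infos}

def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Resolve nonexistent names; any address that comes back is a rewrite."""
    names = names or random_probe_names()
    answers = {name: resolve(name) for name in names}
    hits = [ips for ips in answers.values() if ips]
    # Addresses returned for every rewritten name point at the landing server.
    landing = sorted(set.intersection(*hits)) if hits else []
    return {"rewritten": bool(hits), "landing_ips": landing, "answers": answers}

# Constructed stand-ins for resolvers, so the check can be exercised offline.
def honest_resolver(name):
    return set()                      # behaves like NXDOMAIN for every name

def rewriting_resolver(name):
    return {"203.0.113.10"}           # constructed documentation address (RFC 5737)

if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    print("NXDOMAIN rewritten:", result["rewritten"])
    for ip in result["landing_ips"]:
        print("landing address:", ip)
```

A positive result means the resolver in use answers for names that do not exist, which fits both ISP redirection and a changed DNS setting on the router; it does not say which. A negative result on a machine whose browser still lands on a parked page points above DNS, at the toolbars and extensions described in the second answer.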