Scenario: A hardware router is used to connect a network to the Internet. The router uses the ISP's DNS servers and has up-to-date firmware (no known vulnerabilities). DNS caching is disabled. As far as is known, all domain names usually resolve to the familiar IP addresses (=> no other abnormalities noticed).
Recently, the following weird event was noticed in the above-mentioned network:
After having been normal just seconds before, www.google.de suddenly did not resolve to an IP address from the normal US American Google IP ranges anymore. Instead, the router returned a real bunch of Vietnamese IP addresses belonging to a single /24 net! This was not specific to the client workstation, as it could be seen in the router log file, too. (So the reason cannot be malware on the client.) The output of nslookup follows (IP addresses censored):
$ nslookup www.google.de
Nicht autorisierende Antwort:
Server: UnKnown
Address: 192.168.yy.yy
Name: www.google.de
Addresses: 2a00:1450:...
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
203.113.xx.xx
Accessing the site in Firefox showed that the weird IP addresses were used but a valid HTTPS certificate for the correct CN was presented!
A retry about one minute later showed that DNS resolution had become normal again and returned the familiar IP addresses. Probably www.google.de was the only domain name affected; www.google.com and other tested names were not affected. The problem cannot be reproduced anymore and is not persistent.
What do you think about this?
Was the local router tricked or maybe even the provider's DNS server?
I thought about introducing a local DNS cache server that asks several DNS servers and compares the results before returning IP addresses to the client. Reasonable?
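The multi-resolver comparison proposed above, as an added example that is not part of the original post: it takes A-record answers already collected from several resolvers (the querying itself is left to whatever DNS client is used, e.g. dnspython), flags any resolver that shares no address with the majority, and separately flags a reply that packs many addresses into one /24 like the one in the nslookup output. The resolver names and sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample answers (RFC 5737 documentation addresses, not real
# records): the ISP resolver hands back 16 addresses in one /24, while two
# independent resolvers return overlapping subsets of a different pool.
SAMPLE_ANSWERS = {
    "isp": [f"203.0.113.{i}" for i in range(1, 17)],
    "public1": ["192.0.2.10", "192.0.2.11"],
    "public2": ["192.0.2.11", "192.0.2.12"],
}

def consensus(answers):
    """Majority answer set plus the resolvers that share nothing with it.

    answers: resolver name -> list of IPv4 A records it returned.
    Round-robin DNS legitimately hands out different subsets of one pool,
    so a resolver counts as agreeing if it overlaps the majority at all.
    """
    sets = {name: {ipaddress.ip_address(a) for a in addrs}
            for name, addrs in answers.items()}
    votes = Counter(a for s in sets.values() for a in s)
    quorum = len(sets) // 2 + 1
    majority = {a for a, n in votes.items() if n >= quorum}
    dissenters = sorted(n for n, s in sets.items() if not s & majority)
    return {"majority": sorted(str(a) for a in majority),
            "dissenters": dissenters}

def single_prefix_burst(addrs, prefix_len=24, threshold=8):
    """True if `threshold` or more answers fall inside one /prefix_len.
    The post's suspicious reply packed 16 addresses into a single /24."""
    nets = Counter(ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
                   for a in addrs)
    return any(n >= threshold for n in nets.values())

def verdict(answers):
    """Combine both checks into a per-resolver list of reasons to distrust."""
    c = consensus(answers)
    flags = {}
    for name, addrs in answers.items():
        reasons = []
        if name in c["dissenters"]:
            reasons.append("disagrees with majority")
        if single_prefix_burst(addrs):
            reasons.append("many addresses in one prefix")
        if reasons:
            flags[name] = reasons
    return flags

if __name__ == "__main__":
    print(verdict(SAMPLE_ANSWERS))
```

A local cache in front of this would serve only the majority set and log the dissenting resolver, which also gives you the evidence the post is missing for the ISP-vs-router question.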