Interesting thing.. I switched my Untangle to ComodoDNS, and ran a honeypot overnight to gather intelligence on this change. What I found the next morning was troubling to me.. Massive spam to Barefruit Ltd, an intelligence/analytical/hijacking firm. The main problem is I left no browser open on the honeypot, and this activity was taking place in the background while I was sleeping. Removal of ComodoDNS on the Untangle solved the problem immediately. My concerns are, this was happening with background Windows services, updates, and other background programs. No actual web browser was loaded. Also these bypassed normal firewall examination. Glasswire showed no activity, neither did Norton. Likely this is because they aren't examining Port-53 very closely. But I have Port-53 set to deep packet inspection - which revealed this activity. Anyone have any thoughts on this?

https://en.wikipedia.org/wiki/Barefruit
"Barefruit works with Internet Service Providers (ISPs) and major portals to use a range of software solutions which modify the ISPs' DNS service such as the BIND software and also a specialist proxy solution known as a "Frootbox" to capture the errors and redirect its clients to navigation pages that may contain sponsored listings and algorithmic results."
I've found scant few references to Comodo and Barefruit in searches. Usually these are from a few Comodo forum posts.. https://forums.comodo.com/comodo-cl...o-i-unblock-a-processexecutable-t86948.0.html Apparently it's not widely disseminated that Comodo is using Barefruit to analyze, datamine, and perhaps hijack activity... It sort of reminds me how I discovered PasswordBox sending a large number of requests to datamining firm MIXPANEL, and nobody seemed to know it was happening. After much prodding, PasswordBox admitted they have an agreement with Mixpanel to harvest the data of people using their password manager.
When Comodo DNS gets an NXDOMAIN result, the Error Redirection service shunts it off to Barefruit. This is really not mysterious. Verizon and Comcast in the US also use Barefruit. Many others will use Yahoo. Obviously you can bypass Barefruit by switching DNS servers or by changing the resolver. But what you should really be wondering about is what is sending malformed requests in the absence of user input.
Agreed, without user input - why is it doing this? Please note: 1) NO browser sessions were open, the machine was 'idle'. The activity in the above log was in the very early morning hours. 2) NXDOMAIN assumes incorrect redirects; this appears to be directing more than NX, as no malformed requests were levied. 3) This is the first time I have seen Barefruit redirects from a DNS change at the router level. Usually it's at the ISP level. All pretty mysterious, and disconcerting. I'd advise people using Comodo to consider these findings, and perhaps consider not using it until it's understood what it is doing.
Quick nslookup tests appear to confirm that Comodo DNS servers 8.26.56.26 & 8.20.247.20 are set up for NXDOMAIN redirection to 92.242.144.50. Note that those servers *might* be returning 92.242.144.50 in other situations as well. Logging DNS query/response info or capturing the actual DNS traffic would show you what was being looked up when 92.242.144.50 was returned, and help you to understand what was/is going on.
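To automate the nslookup check described above, an added example that is not code from any poster: it builds a DNS A query for a random label that cannot exist, parses the resolver's reply, and flags anything other than NXDOMAIN as substitution. The 92.242.144.50 address and the 1-second TTL come from the thread; the function names, the nx-test.example sample and the classification labels are my own assumptions.

```python
import os
import socket
import struct
REDIRECT_IPS = {"92.242.144.50"}  # Barefruit landing address reported in the posts above

def build_query(name, qid=0x1234):  # recursion-desired A query; fixed qid keeps samples deterministic
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def build_response(name, rcode, a_records):
    """Constructed sample reply (flags 0x8180 = QR,RD,RA) so the parser can be exercised offline."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ttl, ip in a_records)  # 0xC00C = compression pointer to the question name
    return header + build_query(name)[12:] + rrs

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until the root label or a pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return (rcode, [(ttl, ipv4), ...]) for the A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, socket.inet_ntoa(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return flags & 0xF, answers

def classify(rcode, answers):
    """The probed name cannot exist, so anything other than NXDOMAIN (rcode 3) is substitution."""
    if rcode == 3:
        return "clean"
    if any(ip in REDIRECT_IPS for _, ip in answers):
        return "redirect-known"
    return "redirect-unknown" if answers else "no-answer"

def probe(resolver_ip, zone="com", timeout=3.0):  # live check; needs network, not used by the sample
    name = f"nx-{os.urandom(6).hex()}.{zone}"  # random label that cannot legitimately resolve
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify(*parse_response(s.recv(512)))
# Constructed sample: a substituted reply shaped like the one the thread describes (A record, TTL 1).
SAMPLE_REDIRECT = build_response("nx-test.example", 0, [(1, "92.242.144.50")])
```

Running `probe("8.26.56.26")` against a resolver that substitutes NXDOMAIN returns "redirect-known"; a resolver that answers honestly returns "clean".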
I do know how to do all of that, and also have gear for hardware-level monitoring/inspection. I haven't bothered to turn on Port-53 logging to check yet, or run some deeper inspection. I simply removed it. But I felt people may want to know something smells fishy.
I know this as Peerblock blocked Barefruit, but when I recommended Comodo DNS in the Norton thread I forgot that you cared about analytics (Mixpanel) in the Webroot thread. Though I don't care much about analytics (but care to some extent), I still don't like Comodo DNS, as they are slow for me (thanks to distance). Currently using Norton CS but still searching for alternatives (better with DNSCrypt).
The fishy part is - redirects taking place at a high degree, without any web browser open, or redirects. That's a problem, and to me - if I cared about using it I would invest time to find out what is going on. My gut instinct is they are using it for something other than the normal use of NX, possibly to boost revenue by creating NXs where they don't exist? As you can see from the logs, there is a huge amount of background activity when the machine isn't even being used, and no web browsers are loaded. Either way, people should know this is happening, and base their decision on using it with all of these considerations.
So this is in the AM when everyone is in bed sleeping? This is concerning to me. I haven't used Comodo DNS previously but I will do more research if I ever did plan to use it now in light of this. All the more reason to run our own DNS servers, I suppose.
What I find strange here - all of those requests happen in a burst every 15 minutes. No more, no less. Check your tasks and see if there is anything on your system that tries to call in/out every 15 minutes.
Well, this *might* not be "fishy" in the sense that there is something going on that is not yet discovered and understood. However, even vanilla NXDOMAIN redirection/substitution/hijacking is of concern. Especially in contexts where security/privacy is important, and even more so when the DNS provider is causing exposures to additional parties. I think it would be wise to investigate even if you don't intend to use Comodo DNS servers. Theoretically, you might be seeing NXDOMAIN results because of a misconfiguration, outdated software, even malware that has gone undetected (edit: on YOUR side). You could look for such results even without switching back to Comodo DNS servers, but might find it helpful to switch back temporarily. FWIW, the 92.242.144.50 responses I saw had a TTL of 1 second.
What worries me a bit is this was on a fresh VM with almost nothing on it, and a fully updated Windows. But yes, it might be worth looking into. Comodo has not responded to me.
I don't recall the specifics, but I do remember seeing unexpected queries for non-existent hosts from a fresh Windows 7 box and related to WPAD (https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol). Compounded by domain suffix appending. Even after I thought my configuration changes would suffice to eliminate such queries. There was either something non-obvious (to me at least) in there or I had to resort to a brutish way to eliminate them. I think I saw the queries shortly after startup. This may not explain what you are seeing, but I figured I'd mention it. If you are going to bother to examine things, might as well do so during and after boot. Edit: Cold boot and externally, just in case firmware is involved.
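Turning the suggestions above (log the query/response pairs, look at the 15-minute cadence, check for WPAD and suffix-appended names) into a check, as an added example that is not code from any poster: it reads a DNS query/response log, lists which names were looked up whenever 92.242.144.50 came back, and measures the spacing between bursts of those lookups. The log format, client address, hostnames and timestamps are constructed for this example; only the redirect address, the WPAD observation and the 15-minute interval come from the thread.

```python
from collections import Counter
from datetime import datetime

REDIRECT_IP = "92.242.144.50"  # address the thread saw substituted for NXDOMAIN

# Constructed log excerpt in a made-up "<ISO time> <client> <qname> -> <rcode> <answer>" shape, not
# any product's real format: idle-host lookups (WPAD and suffix-appended names) recurring every 15 min.
SAMPLE_LOG = """\
2016-03-12T02:00:03 10.0.0.5 wpad.lan -> NOERROR 92.242.144.50
2016-03-12T02:00:03 10.0.0.5 wpad.lan.example -> NOERROR 92.242.144.50
2016-03-12T02:00:04 10.0.0.5 update.example.net -> NOERROR 203.0.113.10
2016-03-12T02:15:03 10.0.0.5 wpad.lan -> NOERROR 92.242.144.50
2016-03-12T02:15:04 10.0.0.5 isatap.lan -> NOERROR 92.242.144.50
2016-03-12T02:30:03 10.0.0.5 wpad.lan -> NOERROR 92.242.144.50
2016-03-12T02:30:03 10.0.0.5 wpad.lan.example -> NOERROR 92.242.144.50
"""

def parse_log(text):
    """Return (time, client, qname, rcode, answer) tuples; malformed lines are skipped."""
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.fromisoformat(p[0]), p[1], p[2], p[4], p[5])
            for p in rows if len(p) == 6 and p[3] == "->"]

def substituted_names(records, redirect_ip=REDIRECT_IP):
    """Which names were being looked up when the redirect address came back, and how often."""
    return Counter(qname for _, _, qname, _, answer in records if answer == redirect_ip)

def burst_intervals(records, redirect_ip=REDIRECT_IP, gap_seconds=60):
    """Group redirected lookups into bursts (a quiet gap longer than gap_seconds starts a new one)
    and return the minutes between burst starts; a flat list such as [15.0, 15.0] points at a
    scheduled task or service rather than a user at the keyboard."""
    times = sorted(t for t, _, _, _, answer in records if answer == redirect_ip)
    starts = [t for i, t in enumerate(times)
              if i == 0 or (t - times[i - 1]).total_seconds() > gap_seconds]
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(starts, starts[1:])]
```

For the constructed excerpt, `substituted_names(parse_log(SAMPLE_LOG))` reports wpad.lan three times and `burst_intervals(...)` returns [15.0, 15.0]; the names in the first result are what to map back to services and scheduled tasks on the host.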
I did a search for 'Barefruit' over at the Comodo forums and there seem to be a lot of questions about it but no real answers.
Some interesting details here: http://superuser.com/questions/746231/i-switched-to-comodo-dns-and-i-get-a-local-domain-prompt
More details here: http://www.dpreview.com/forums/post/41478390
It appears Comodo DNS has been partnering with Barefruit since at least 2011/2012. But what I don't see anywhere is anything official at all from Comodo, not a word.
For what it's worth: OpenDNS doesn't do redirects anymore, though I personally recommend the use of DNSCrypt over standard DNS.