Comodo DNS - Not a good idea due to NXDomain Spam?

Discussion in 'other anti-malware software' started by Mayahana, Jan 18, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Interesting thing.. I switched my Untangle to ComodoDNS, and ran a honeypot overnight to gather intelligence on this change.

    What I found the next morning was troubling to me.. Massive spam to Barefruit Ltd, an intelligence/analytical/hijacking firm. The main problem is I left no browser open on the honeypot, and this activity was taking place in the background while I was sleeping. Removal of ComodoDNS on the Untangle solved the problem immediately. My concerns are, this was happening with background window services, updates, and other background programs. No actual web browser was loaded.

    Also these bypassed normal firewall examination. Glasswire showed no activity, neither did Norton. Likely this is because they aren't examining Port-53 very closely. But I have Port-53 set to deep packet inspection - which revealed this activity. Anyone have any thoughts on this?

    https://en.wikipedia.org/wiki/Barefruit
    Barefruit works with Internet Service Providers (ISPs) and major portals to use a range of software solutions which modify the ISPs DNS service such as the BIND software and also a specialist proxy solution known as a "Frootbox" to capture the errors and redirect its clients to navigation pages that may contain sponsored listings and algorithmic results.
     

    Attached Files:

  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It should say 'not'.. Morning coffee still entering my system I guess. o_O
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,296
    Location:
    England
    I've changed the title for you Mayahana.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've found 'scant' few references to Comodo and Barefruit in searches. Usually these are from a few Comodo forum posts..

    https://forums.comodo.com/comodo-cl...o-i-unblock-a-processexecutable-t86948.0.html

    Apparently it's not widely disseminated that Comodo is using Barefruit to analyze, datamine, and perhaps hijack activity... It sort of reminds me how I discovered PasswordBox sending a large number of requests to datamining firm MIXPANEL, and nobody seemed to know it was happening. After much prodding, Passwordbox admitted they have an agreement with Mixpanel to harvest the data of people using their password manager.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    When Comodo DNS gets a NXDOMAIN request, the Error Redirection service shunts it off to Barefruit. This is really not mysterious. Verizon and Comcast in the US also use Barefruit. Many others will use Yahoo.

    Obviously you can bypass Barefruit by switching DNS servers or by changing the resolver. But what you should really be wondering about is what is sending malformed requests in the absence of user input.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Agreed, without user input - why is it doing this? Please note;

    1) NO browser sessions were open, the machine was 'idle'. The activity in the above log was in the very early morning hours.
    2) NX Domain assumes incorrect redirects, this appears to be directing more than NX as no malformed requests were levied.
    3) This is the first time I have seen Barefruit redirects from a DNS change at the router level. Usually it's at the ISP level.

    All pretty mysterious, and disconcerting. I'd advise people using Comodo to consider these findings, and perhaps consider not using it until it's understood what it is doing.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Quick nslookup tests appear to confirm that Comodo DNS servers 8.26.56.26 & 8.20.247.20 are set up for NXDOMAIN redirection to 92.242.144.50. Note that those servers *might* be returning 92.242.144.50 in other situations as well.

    Logging DNS query/response info or capturing the actual DNS traffic would show you what was being looked up when 92.242.144.50 was returned, and help you to understand what was/is going on.
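The "quick nslookup test" described above, as an added example that is not part of the original post: it hand-builds a DNS A query for a long random label (which should only ever produce NXDOMAIN), parses the raw response, and reports whether the resolver answered honestly or substituted an A record. The resolver address, the probe suffix `example.com`, and the `synthesize_response` fixture used for the offline demonstration are assumptions of this example; 92.242.144.50 is the redirect target quoted in the thread.

```python
# Added example (not from the thread): probe a resolver for NXDOMAIN redirection
# with a hand-built DNS query, using only the Python standard library.
# Assumptions: the resolver address and probe suffix are placeholders;
# 92.242.144.50 is the redirect target quoted in the thread.
import random
import socket
import struct

REDIRECT_IP = "92.242.144.50"   # address reported in the thread
RCODE_NXDOMAIN = 3

def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in qname.rstrip(".").split("."))
    return out + b"\x00"

def build_query(qname, txid):
    """Standard recursive A query: header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN

def read_name(msg, off):
    """Decode a possibly-compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(msg):
    """Return the transaction id, rcode and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}

def classify(parsed):
    """Label the resolver's behaviour for a name that should not exist."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest NXDOMAIN"
    if parsed["rcode"] == 0 and parsed["answers"]:
        ips = sorted({ip for _, ip, _ in parsed["answers"]})
        tag = "known Barefruit target" if REDIRECT_IP in ips else "unknown target"
        return "redirected to %s (%s)" % (", ".join(ips), tag)
    return "unexpected rcode %d" % parsed["rcode"]

def synthesize_response(query, rcode, ip=None, ttl=1):
    """Constructed response for offline testing: echoes the question and,
    if `ip` is given, adds one A record via a compression pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1
    an = 1 if ip else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + query[12:]
    if ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg

def probe_resolver(server, suffix="example.com", timeout=3.0):
    """Ask `server` for a random 24-letter label under `suffix`; the only honest
    answer is NXDOMAIN, so any A record means the resolver is substituting."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(24))
    txid = random.randrange(0x10000)
    query = build_query("%s.%s" % (label, suffix), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return classify(parsed)

if __name__ == "__main__":
    # Offline demonstration with constructed responses; call
    # probe_resolver("8.26.56.26") to test the live server named in the thread.
    q = build_query("zzzzqqqq.example.com", 0x1234)
    print(classify(parse_response(synthesize_response(q, RCODE_NXDOMAIN))))
    print(classify(parse_response(synthesize_response(q, 0, REDIRECT_IP))))
```

Running `probe_resolver` against two resolvers side by side (one you trust, one under test) gives the same evidence as the nslookup comparison, and `classify` also surfaces the case where a resolver substitutes some address other than the known Barefruit one.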
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I do know how to do all of that, and also have gear for hardware level monitoring/inspection. I haven't bothered to turn on Port-53 logging to check yet, or run some deeper inspection.

    I simply removed it. But felt people may want to know something smells fishy.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I know this as Peerblock blocked Barefruit, but when I recommended Comodo DNS in the Norton thread I forgot that you cared about analytics (Mixpanel) in the Webroot thread.
    Though I don't care much about analytics (but care to some extent), still I don't like Comodo DNS, as they are slow for me (thanks to distance).
    Currently using Norton CS but still searching for alternatives (better with DNS Crypt).
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    There's nothing "fishy". Your NXDOMAIN redirects are now just going somewhere else.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Fishy part is - redirects taking place at a high degree, without any web browser open, or redirects. That's a problem, and to me - if I cared about using it I would invest time to find out what is going on. My gut instinct is they are using it for something other than the normal use of NX, possibly to boost revenue by creating NX's where they don't exist? As you can see from the logs, there is a huge amount of background activity when the machine isn't even being used, and no web browsers are loaded.

    Either way, people should know this is happening, and base their decision on using it with all of these considerations.
     

    Attached Files:

  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    So this is in the AM when everyone is in bed sleeping? This is concerning to me. I haven't used Comodo DNS previously but I will do more research if I ever did plan to use it now in light of this. All the more reason to run our own DNS servers, I suppose.
     
  13. cohbraz

    cohbraz Registered Member

    Joined:
    Dec 19, 2012
    Posts:
    26
    Location:
    United States
    What I find strange here - all of those requests happen in a burst every 15 minutes. No more, no less. Check your tasks and see if there is anything on your system that tries to call in/out every 15 minutes.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Well, this *might* not be "fishy" in the sense that there is something going on that is not yet discovered and understood. However, even vanilla NXDOMAIN redirection/substitution/hijacking is of concern. Especially in contexts where security/privacy is important, and even more so when the DNS provider is causing exposures to additional parties.

    I think it would be wise to investigate even if you don't intend to use Comodo DNS servers. Theoretically, you might be seeing NXDOMAIN results because of a misconfiguration, outdated software, even malware that has gone undetected (edit: on YOUR side). You could look for such results even without switching back to Comodo DNS servers, but might find it helpful to switch back temporarily. FWIW, the 92.242.144.50 responses I saw had a TTL of 1 second.
     
    Last edited: Jan 19, 2015
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    What worries me a bit is this was on a fresh VM with almost nothing on it, and a fully updated Win. But yes, it might be worth looking into. Comodo has not responded to me.
     
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I don't recall the specifics, but I do remember seeing unexpected queries for non-existent hosts from a fresh Windows 7 box and related to WPAD (https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol). Compounded by domain suffix appending. Even after I thought my configuration changes would suffice to eliminate such queries. There was either something non-obvious (to me at least) in there or I had to resort to a brutish way to eliminate them. I think I saw the queries shortly after startup. This may not explain what you are seeing, but I figured I'd mention it. If you are going to bother to examine things, might as well do so during and after boot. Edit: Cold boot and externally, just in case firmware is involved.
     
    Last edited: Jan 19, 2015
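The log triage that posts 7, 13, 14 and 16 together describe, as an added example that is not part of any post in this thread: given a query/response log, it lists which names were answered with the redirect address (and their 1-second TTLs), measures the spacing between bursts of activity to confirm a fixed cadence, and labels names that look like WPAD or search-suffix-appended lookups. The log format, every line of `SAMPLE_LOG`, the `home.lan` search suffix and the `update.vendor.example` hostname are constructed for this example; 92.242.144.50 is the redirect address quoted in the thread.

```python
# Added example (not from the thread): triage a DNS query/response log for
# NXDOMAIN redirection, burst cadence, and WPAD / search-suffix names.
# The log format and all SAMPLE_LOG lines are constructed; 92.242.144.50 is
# the redirect address quoted in the thread.
from collections import Counter
from datetime import datetime

REDIRECT_IP = "92.242.144.50"
LOCAL_SUFFIX = "home.lan"      # assumed DHCP search suffix on the honeypot LAN

# Constructed sample: "<ISO timestamp> <qname> <rcode> <answer or -> <ttl or ->"
SAMPLE_LOG = """\
2015-01-19T02:45:01 wpad.home.lan NOERROR 92.242.144.50 1
2015-01-19T02:45:01 update.vendor.example.home.lan NOERROR 92.242.144.50 1
2015-01-19T02:45:02 update.vendor.example NOERROR 203.0.113.10 300
2015-01-19T03:00:01 wpad.home.lan NOERROR 92.242.144.50 1
2015-01-19T03:00:01 update.vendor.example.home.lan NOERROR 92.242.144.50 1
2015-01-19T03:00:02 update.vendor.example NOERROR 203.0.113.10 300
2015-01-19T03:15:01 wpad.home.lan NOERROR 92.242.144.50 1
2015-01-19T03:15:01 update.vendor.example.home.lan NOERROR 92.242.144.50 1
2015-01-19T03:15:02 update.vendor.example NOERROR 203.0.113.10 300
"""

def parse_log(text):
    """Parse the constructed log format into dicts, one per response."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rcode, answer, ttl = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": None if answer == "-" else answer,
            "ttl": None if ttl == "-" else int(ttl),
        })
    return records

def redirected_names(records, redirect_ip=REDIRECT_IP):
    """Count, per name, the lookups the resolver answered with the redirect
    address instead of NXDOMAIN."""
    return Counter(r["qname"] for r in records if r["answer"] == redirect_ip)

def explain_name(qname, local_suffix=LOCAL_SUFFIX):
    """Heuristic label for why a non-existent name might have been queried."""
    labels = qname.split(".")
    if labels[0] == "wpad":
        return "WPAD proxy autodiscovery"
    if qname.endswith("." + local_suffix):
        base = qname[:-len(local_suffix) - 1]
        if "." in base:
            return "search suffix appended to an FQDN"
        return "single-label name under local suffix"
    return "other"

def burst_intervals(records, gap_seconds=60):
    """Cluster timestamps into bursts (a new burst starts after a quiet gap)
    and return the minutes between consecutive burst starts."""
    starts, last = [], None
    for r in sorted(records, key=lambda r: r["ts"]):
        if last is None or (r["ts"] - last).total_seconds() > gap_seconds:
            starts.append(r["ts"])
        last = r["ts"]
    return [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]

def triage(text):
    """Summarise: redirected names with a label, burst cadence, and how many
    redirect answers carried the 1-second TTL seen in the thread."""
    records = parse_log(text)
    hits = redirected_names(records)
    return {
        "redirected": {n: (c, explain_name(n)) for n, c in hits.items()},
        "burst_minutes": burst_intervals(records),
        "short_ttl_redirects": sum(
            1 for r in records
            if r["answer"] == REDIRECT_IP and r["ttl"] is not None and r["ttl"] <= 1),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the output shows two names being substituted (one WPAD lookup, one FQDN with the search suffix appended) on a 15-minute cycle, which is the pattern a scheduled task retrying a proxy or update lookup would leave; a real capture from the Untangle's port-53 logging would be fed in the same way once reformatted to the one-line-per-response layout.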
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    I did a search for 'Barefruit' over at the Comodo forums and there seems to be a lot of questions about it but no real answers.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    Some interesting details here: http://superuser.com/questions/746231/i-switched-to-comodo-dns-and-i-get-a-local-domain-prompt

    More details here: http://www.dpreview.com/forums/post/41478390


    It appears Comodo DNS has been partnering with Barefruit since at least 2011/2012. But what I don't see anywhere is anything official at all from Comodo, not a word.
     
    Last edited: Jan 19, 2015
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    For what it's worth: OpenDNS doesn't do redirects anymore, though I personally recommend the use of DNSCrypt over standard DNS.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Thank you for this info. I will look into it myself.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    Please update us on your findings as well.
     