DNS ALERT!

Discussion in 'other security issues & news' started by fannymites, Oct 1, 2005.

Thread Status:
Not open for further replies.
  1. fannymites

    fannymites Registered Member

    Joined:
    May 7, 2005
    Posts:
    93
    I have Kerio configured to only allow access to my provider's DNS servers.
    Today when I tried to connect I got a DNS alert from Kerio because everything was trying to connect to 2 different servers.
    I did ipconfig /all and there are definitely different ones there.
    Could this be some sort of malware doing this and if so what could it achieve by trying to force me to connect to different servers?
    This is only happening on Windows, on Linux it is still connecting to the regular servers.
     
  2. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Simple answer - if you go to my DNS, I can make your DNS requests resolve to whatever I want to - banking, search.

    However, don't panic yet - a likely case is that your ISP has reorganised things internally - first thing - do you get your DNS servers automatically using DHCP, or do you manually type in the two DNS servers?

    Have you checked the DNS server IP addresses and looked at where they are? Do they belong to your ISP? Similar to your ISPs?

    Finally, some ISPs send you to a "captive portal" if you haven't paid your bill - easily controlled by assigning you a DNS which will only ever resolve to the "Umm, you need to pay your bill dude" page.

    Be interested to know what happens.
     
  3. fannymites

    fannymites Registered Member

    Joined:
    May 7, 2005
    Posts:
    93
    The DNS servers are dynamically assigned but apparently do not use DHCP.
    I'm not sure how to find out where the DNS servers are coming from, I tried them in the Firefox address bar and one gave me a page error and the other went here - http://www.btglobalservices.com/business/global/en/index.html
    which is nothing to do with my ISP.
    My bill is fully up to date so that's not the cause and I can surf as normal with these new servers.
    I contacted my provider and as I was typing this they have replied and told me that the new dns servers are not theirs.
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Bear in mind that many small ISPs are actually just piggybacking on the infrastructure of a larger ISP. I know you say you have called them, but please don't rule out a user issue at the ISP.

    What you should do is see who owns the IP addresses you're getting for your DNS server. Do an IPCONFIG /ALL to see them, then use a WhoIS search to see who owns them.

    My guess is personally that the ISP, or provider has changed something - even if they say they have not. A lot of times their "support" guys just read off a script.


    Mike
     
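A check for the resolver change discussed above, as an added example that is not code from the thread: it parses `ipconfig /all` output (a constructed sample using documentation addresses) and flags any DNS server that is not on an allowlist of the ISP's own resolvers (assumed values; fill in the ones your ISP confirms).

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ipconfig /all` output using RFC 5737 documentation addresses.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       203.0.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Resolvers the ISP actually operates (assumed values; confirm yours with the ISP).
EXPECTED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}

def parse_dns_servers(ipconfig_text: str) -> Dict[str, List[str]]:
    """Map each adapter to the DNS servers ipconfig lists for it (continuation lines included)."""
    adapters: Dict[str, List[str]] = {}
    current = None
    in_dns = False  # True while we are inside a multi-line "DNS Servers" entry
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # adapter header, e.g. "Ethernet adapter ..."
            adapters[current] = []
        first = re.match(r"\s+DNS Servers[ .]*: (\S+)", line)
        cont = re.match(r"\s{30,}(\S+)\s*$", line)  # extra servers are printed indented, alone
        if first and current:
            adapters[current].append(first.group(1))
            in_dns = True
        elif in_dns and cont and current:
            adapters[current].append(cont.group(1))
        else:
            in_dns = False
    return adapters

def unexpected_resolvers(adapters: Dict[str, List[str]], expected: Set[str]) -> List[Tuple[str, str]]:
    """Return (adapter, server) pairs whose resolver is not on the expected list."""
    flagged = []
    for adapter, servers in adapters.items():
        for server in servers:
            try:
                ipaddress.ip_address(server)   # skip non-address text ipconfig may print
            except ValueError:
                continue
            if server not in expected:
                flagged.append((adapter, server))
    return flagged
```

Feed it the real output of `ipconfig /all` on the affected Windows box; any flagged server is one to look up with whois and raise with the ISP.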
  5. fannymites

    fannymites Registered Member

    Joined:
    May 7, 2005
    Posts:
    93
    I tried doing a few whois lookups on both the DNS servers and they don't appear to belong to anyone. I've deleted all my internet settings and recreated them and so far I'm connecting to the regular DNS servers again.
     