scruffers
Message 1 of 8

DNS hijacking or what is going on?

Ok, so I started noticing something strange and I'd appreciate if anyone can help shed some light on the matter.

Seems every time Windows connects to somewhere in the background (and Windows 10 does that a lot, but that's a story for another time), or I open a browser, or indeed make any sort of DNS request, a number of strange connections are made and I can't work out why.

For example:

PS C:\Windows\system32> netstat -bn

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.1:49422      157.55.236.63:443      ESTABLISHED
 [Explorer.EXE]
  TCP    192.168.1.1:49628      104.82.235.65:443      CLOSE_WAIT
 [Video.UI.exe]
  TCP    192.168.1.1:49629      62.252.60.219:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49631      62.252.60.219:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49632      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49633      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49634      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49635      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49636      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49637      62.252.60.217:80       CLOSE_WAIT
 [Microsoft.Msn.News.exe]
  TCP    192.168.1.1:49685      146.255.57.229:5222    ESTABLISHED
 [pidgin.exe]
  TCP    192.168.1.1:50086      62.252.60.209:80       TIME_WAIT
  TCP    192.168.1.1:50087      62.252.60.209:80       TIME_WAIT
  TCP    192.168.1.1:50088      92.123.187.87:80       TIME_WAIT

The "out-of-place" addresses' reverse lookups point to customers' connections!?

PS C:\Windows\system32> nslookup 62.252.60.219
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    cpc3-stme1-3-0-cust219.cdif.cable.ntl.com
Address:  62.252.60.219

PS C:\Windows\system32> nslookup 62.252.60.217
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    cpc3-stme1-3-0-cust217.cdif.cable.ntl.com
Address:  62.252.60.217

PS C:\Windows\system32> nslookup 62.252.60.209
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    cpc3-stme1-3-0-cust209.cdif.cable.ntl.com
Address:  62.252.60.209

Furthermore, a simple lookup produces unexpected results:

PS C:\Windows\system32> nslookup google.co.uk
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    google.co.uk
Addresses:  2a00:1450:4009:80b::2003
          62.253.72.173
          62.253.72.182
          62.253.72.168
          62.253.72.162
          62.253.72.187
          62.253.72.158
          62.253.72.177
          62.253.72.157
          62.253.72.163
          62.253.72.148
          62.253.72.167
          62.253.72.183
          62.253.72.178
          62.253.72.153
          62.253.72.172
          62.253.72.152

PS C:\Windows\system32> nslookup 62.253.72.173
Server:  resolver1.opendns.com
Address:  208.67.222.222

Name:    173.72-253-62.static.virginmediabusiness.co.uk
Address:  62.253.72.173
[..]

I've scanned my machine with a number of tools, anti-malware, rootkit revealers etc., but nothing is reported. I didn't think anything would, but anyway...

Don't know if it has something to do with it, but I looked at the "advanced network error search" page, and it shows I'm opted out. I've tried opting in so I could turn it off again, but I get "oops" etc.

Why is that page hidden and not part of My Virgin Media in the first place, and why does it look like it's straight out of the 90s? Moreover, why is it broken? Comes across as shady at best.

Any ideas would be appreciated.

Also, any feedback from VM on the silly DNS hijacker page would be an added bonus.

Cheers,

scruff

legacy1
Message 2 of 8

Re: DNS hijacking or what is going on?

VM are doing more CDNs and have not updated the DNS records; the Internet is becoming more like a proxy. :(

https://en.wikipedia.org/wiki/Content_delivery_network

Moderator
Message 3 of 8

Re: DNS hijacking or what is going on?

Hi scruff,

Thanks for posting, though apologies for the problems with the 'advanced network search' feature. I'm not sure why this should be impacting your browsing if you've opted out.

I've checked that this has been disabled on your account from this end; hopefully this will do the trick. Please let us know if it continues to be problematic.

Kind Regards

Ralph_R
Forum Moderator

Superuser
Message 4 of 8

Re: DNS hijacking or what is going on?

Hi

Legacy has got the right answer there, although his wording could have been a little less confusing.

Some content providers such as Google have CDNs on various ISP networks. This allows them to cache regularly used content closer to the user. DNS lookups are pointed to the local CDN, so for example if you were on TalkTalk, you would get redirected to a CDN on their network instead.

While it would be nice of them to set a reverse DNS lookup to reflect this, setting the reverse zone is not mandatory.

So it's not DNS hijacking causing this. Also, ANES wouldn't cause this either. That only kicks in when a DNS lookup fails. Instead of returning an NXDomain result it redirects to a search page, using the URL to do the search. As you appear to be using OpenDNS, it wouldn't kick in anyway, as you must be using Virgin's DNS servers for ANES to kick in.

Ravenstar68

Superuser
Message 5 of 8

Re: DNS hijacking or what is going on?

It's not that confusing; a PTR lookup for the examples above shows the following:
62.252.60.217
cpc3-stme1-3-0-cust217.cdif.cable.ntl.com
62.252.60.209
cpc3-stme1-3-0-cust209.cdif.cable.ntl.com
62.252.60.219
cpc3-stme1-3-0-cust219.cdif.cable.ntl.com

At some point the subnet was for clients and is now for CDNs, where it looks like you're connecting to a client for the content that DNS points you to, and the DNS records have not been updated.

Superuser
Message 6 of 8

Re: DNS hijacking or what is going on?

Thing is if you look at it this way, it's still for clients.

Google are effectively a client of Virgin and anyone else they have CDN agreements with. They may get mates' rates, due to it being advantageous for both parties, but they still need to lease part of the VM network to host the CDNs. I'm sure Virgin don't let them have it for free.

Ravenstar68

scruffers
Message 7 of 8

Re: DNS hijacking or what is going on?

Although the thought did cross my mind that it might be just a matter of the reverse records being out of date, those connections still didn't make sense.

Add that to the fact that I'm not using VM's DNS servers here, and it only made me further paranoid :P

Never had anything like this with any of my prior ISPs; I guess it's a sign of the times. Anyways...

Thanks to all that replied.

Cheers,

scruff
blanik
Message 8 of 8

Re: DNS hijacking or what is going on?

Just spent an hour checking why Chrome was sending data to cpc3-stme1-3-0-cust99.cdif.cable.ntl.com [62.252.60.99], which looked like someone's home network, and eventually found this thread, via another where someone did a tracert for youtube.com and came up with the same IP address.

Can Virgin please change the reverse DNS names to something clearer for the IP addresses they are using for CDN.
