
ISP and DNS Injection

A case of non-existent DNS entries coming to life

blah.blah exists?

$ ping -c2 blah.blah
PING blah.blah (23.202.231.169) 56(84) bytes of data.
64 bytes from a23-202-231-169.deploy.static.akamaitechnologies.com (23.202.231.169): icmp_seq=1 ttl=53 time=71.5 ms

I ran the above command on a whim on my new Raspberry Pi and was surprised by the result. That DNS entry does not exist. And neither does the TLD. WTF?

What about fhdskfsdafs.google.com ?

Let’s try this fhdskfsdafs.google.com

$ ping -c2 fhdskfsdafs.google.com
PING fhdskfsdafs.google.com (23.217.138.110) 56(84) bytes of data.
64 bytes from a23-217-138-110.deploy.static.akamaitechnologies.com (23.217.138.110): icmp_seq=1 ttl=58 time=6.94 ms

Huh? Akamai?

OK, something is up! And why do I see Akamai in there? I am sure Google has its own network. I fire up the browser on my MacBook and I get Server Not Found, which is expected.

Name Servers

So what’s the difference between the Pi and the MacBook? The MacBook is set to use 8.8.8.8 as the nameserver (set manually a long time ago), while the Pi defaults to the home router, which is a box provided by my ISP. I did change ISPs about a year ago.

Here are a couple of runs with specific name servers.

192.168.1.254 is the ISP box.

$ nslookup blah.blah 192.168.1.254
Server:		192.168.1.254
Address:	192.168.1.254#53

Non-authoritative answer:
Name:	blah.blah
Address: 23.202.231.169
Name:	blah.blah
Address: 23.217.138.110


$ nslookup blah.blah 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find blah.blah: NXDOMAIN
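The comparison above can be scripted. What follows is an added example, not code from the original post: it builds an A query, parses the reply's RCODE and A records, and flags the case where the ISP resolver answers a name that a reference resolver (8.8.8.8 in the post) reports as NXDOMAIN. build_response exists only to fabricate sample replies for offline testing; query_udp does the live lookup; the resolver addresses and the name blah.blah are the ones from the post.

```python
import socket, struct

def build_query(name, qid=0x1234):
    """Recursive A query for name in DNS wire format (RFC 1035)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def build_response(query, rcode, ips):
    """Construct a reply to query; used here only to fabricate sample resolver answers."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                       for ip in ips)  # name pointer to offset 12, type A, class IN, TTL 60
    return header + query[12:] + answers

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data):
    """Return (rcode, [A record addresses]) from a DNS reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, ips = 12, []
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def looks_hijacked(isp_reply, reference_reply):
    """True when the ISP resolver hands out A records for a name the reference resolver says does not exist."""
    isp_rcode, isp_ips = parse_response(isp_reply)
    ref_rcode, ref_ips = parse_response(reference_reply)
    return ref_rcode == 3 and not ref_ips and isp_rcode == 0 and bool(isp_ips)

def query_udp(name, resolver, timeout=3.0):
    """Send the query to resolver over UDP and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recv(512)
```

On a live network, `looks_hijacked(query_udp("blah.blah", "192.168.1.254"), query_udp("blah.blah", "8.8.8.8"))` reproduces the nslookup comparison in one call.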

Seriously?

I remove the custom name servers from my MacBook and load these non-existent pages. Guess what, they load just fine and look like a scam page from the 90s. Note the missing encryption.

My initial thought: my ISP’s DNS is messed up, which is pretty bad. But no, this is worse. This was done intentionally. Look at the branding on that page. That’s right, I am with AT&T (the only ones offering 1Gbps in San Jose, California).

I am not alone

Some googling for “dns error assist” brings me to https://gist.github.com/CollinChaffin/24f6c9652efb3d6d5ef2f5502720ef00

Wow! Thank you, Collin.

I went through the steps and was able to opt-out of the service.

Conclusion

I also tried to update the name servers used by the ISP’s router. Turns out you can’t! Of course I can manually set the name servers on all the devices in the house, but it gets tiring. Going forward, I need to get my own router and use the ISP modem in “dumb” mode.

Before I wrap up, here’s what curl would look like for these domains

$ curl -I http://blah.blah
HTTP/1.1 200 OK
Date: Thu, 18 Jun 2020 06:01:41 GMT
Connection: close

# at least 443 gets a connection refused
$ curl -I https://blah.blah
curl: (7) Failed to connect to blah.blah port 443: Connection refused

Frankly, I am appalled at this, but not surprised at the same time. But thankfully HTTPS is becoming very common. And hopefully DNSSEC will be everywhere one day.