Re: DNS error - some sort of clash?
For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.
Downside is then if you ever have DNS issues it's almost certainly your own fault.
Biggest gripe is the modern trend for devices to have hardcoded DNS (Google devices in particular do this a lot) as not many consumer routers will allow you to capture this and route it to the pi hole anyway.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
So this is a really rare one but I've seen it happen a few times over the years. Type in the name of a common website and get directed to something completely different, but with the same URL. And no, this is not because of a typo, but that would be my first reaction too.
So, any ideas how that would happen? Depending how it happens I imagine it could have some security implications.
Edit: I did post an example but it was due to a typo :stupid: but pretty sure I've had it happen in the past where I've literally just pressed F5 and it's gone to the correct page.
From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.
They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.
If it's not going to a scam page, odds are it's just an outdated DNS server entry.
If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.
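As an added illustration of the "check the ARP tables manually" option above (not part of the original post): a small Python script that parses `arp -n` style output and flags any MAC address answering for more than one IP, plus a baseline check of the gateway's MAC. The sample table is constructed.

```python
"""Flag ARP-cache entries where one MAC answers for several IPs.

A host that has poisoned its neighbours' ARP caches ends up listed against
both its own IP and the gateway's, so one hardware address on 2+ IPs is the
classic tell. Legitimate exceptions exist (a box with secondary IPs), so
treat hits as something to look at, not proof. Sample table is constructed;
the parser expects the column layout of Linux `arp -n`.
"""
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` output, skipping the header line and
    incomplete entries (which show '(incomplete)' instead of a MAC)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Address":
            continue
        ip, mac = parts[0], parts[2].lower()
        if MAC_RE.match(mac):
            entries[ip] = mac
    return entries

def find_duplicate_macs(entries):
    """Return {mac: sorted [ips]} for every MAC claimed by two or more IPs."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def check_gateway(entries, gateway_ip, expected_mac):
    """True if the cached gateway MAC matches one recorded on a known-good day."""
    seen = entries.get(gateway_ip)
    return seen is not None and seen == expected_mac.lower()

SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.20             ether   aa:bb:cc:dd:ee:01   C                     eth0
192.168.1.30             ether   aa:bb:cc:dd:ee:33   C                     eth0
192.168.1.40                     (incomplete)                              eth0
"""

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for mac, ips in find_duplicate_macs(table).items():
        print(f"suspicious: {mac} answers for {', '.join(ips)}")
    print("gateway MAC matches baseline:",
          check_gateway(table, "192.168.1.1", "aa:bb:cc:dd:ee:01"))
```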
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
spacein_vader
For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.
It's only cached until the TTL expires, then it's back to asking up the chain for the address. When you query for a new address without a cache you start at the root servers who tell you where to find e.g. .com, then ask the .com servers where to find google.com, and then ask google.com's DNS where to find drive.google.com. Once .com has been cached you don't need to keep hammering the root servers with lookups, until the TTL expires of course.
Quote:
Originally Posted by
philehidiot
From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.
They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.
If it's not going to a scam page, odds are it's just an outdated DNS server entry.
If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.
On the occasions I've seen it, it definitely wasn't a scam page (or was a hilariously bad attempt if it was) as it was nothing like the original. If anything, it just looked like a domain placeholder page. The weird thing is it did definitely happen a few times, and not all in a short timespan either.
It's not an ARP MITM as it's on a home network.
You see my puzzlement though, I can't quite think of what would have caused it, particularly for it to happen a few times. It's almost like there were conflicting entries on the DNS server and you'd very occasionally get assigned the wrong one. The fact the 'wrong' page had the title it did makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.
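As an added example, not from the thread, the root, then .com, then google.com walk described in the reply above, simulated in Python with a cache that honours each record's TTL. The referral tree, nameserver names under .example, TTLs and the 203.0.113.10 address are all constructed, and the clock is passed in so expiry can be shown without waiting.

```python
"""Toy iterative resolver: walk root -> TLD -> authoritative, caching every
referral and answer for its TTL. Zone data is constructed (names under
.example, a TEST-NET address); `now` is passed in so expiry is visible."""

ROOT_HINT = "a.root-servers.example"           # known in advance, never cached
# Constructed referrals: zone -> (nameserver to ask next, TTL in seconds)
REFERRALS = {"com.": ("a.gtld-servers.example", 172800),
             "google.com.": ("ns1.google.example", 345600)}
# Constructed final answers held by the authoritative server: name -> (A, TTL)
ADDRESSES = {"drive.google.com.": ("203.0.113.10", 300)}

class Resolver:
    def __init__(self):
        self.cache = {}    # zone or name -> (value, expires_at)
        self.queries = []  # every (server asked, question) sent upstream

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def resolve(self, name, now):
        """Return the A record for `name`, asking only what the cache lacks."""
        addr = self._cached(name, now)
        if addr:
            return addr
        labels = name.rstrip(".").split(".")
        # Zones to descend through for drive.google.com.: com. then google.com.
        zones = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]
        server, start = ROOT_HINT, 0
        for idx in range(len(zones) - 1, -1, -1):   # deepest cached NS wins
            ns = self._cached(zones[idx], now)
            if ns:
                server, start = ns, idx + 1
                break
        for zone in zones[start:]:                  # fetch the missing referrals
            self.queries.append((server, zone))
            ns, ttl = REFERRALS[zone]
            self.cache[zone] = (ns, now + ttl)
            server = ns
        self.queries.append((server, name))
        ip, ttl = ADDRESSES[name]
        self.cache[name] = (ip, now + ttl)
        return ip

if __name__ == "__main__":
    r = Resolver()
    for t in (0, 100, 400, 400000):                 # seconds since first lookup
        before = len(r.queries)
        r.resolve("drive.google.com.", t)
        print(f"t={t:>6}s: {len(r.queries) - before} upstream queries")
```

The first lookup costs three queries; a repeat inside the 300 s answer TTL costs none; once the answer expires only the authoritative server is asked, and the root is not consulted again until the cached referrals themselves time out.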
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
The fact the 'wrong' page had the title it did makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.
There are a bunch of failure modes that can cause you to be directed to the wrong web page - most being failures of a human sysadmin or webmaster.
Load balancing http requests is commonplace these days. Whether it's done with a round robin DNS, reverse proxy, hardware or combination, the smallest of errors in the configuration can produce the behaviour you are reporting. Errors in Apache redirect scripts are a favourite source of wrong page problems too - the syntax is arcane and debugging is not straightforward.
Forgetting to restart bind/apache/nginx/cgi after an update is probably the one I'm most guilty of ;)
Re: DNS error - some sort of clash?
That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.
Between load balancing and multi hosting that can easily happen.
My home server has several web domains hanging off it just for my own use. If a browser gets to my IP address then the http headers will say which site it actually wants. All goes well, they get the right page. Otherwise they get the default page.
Something as simple as http vs https gets you completely different config to the same site, let alone the same IP address. When one site can be spread across lots of IP addresses, there is plenty to go wrong. And it does :)
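An added example, not the poster's own server config, of the mechanism described in the last two replies: name-based virtual hosting picks a site from the Host header, and a request for a host the listener does not know falls through to the default site, so a name configured on the http listener but not the https one gets served someone else's page under the right URL. Host names, document roots and the first-vhost-is-default rule (how Apache treats the first VirtualHost for a listener) are assumptions made for the illustration.

```python
"""Model how a name-based virtual host is chosen from an HTTP request.

Each listener (http :80, https :443) has its own ordered vhost table; the
first entry is the default used when no server name matches the Host header
(the Apache convention, assumed here). Tables and requests are constructed."""

def parse_host_header(raw_request: bytes):
    """Return the Host value lowercased with any port removed, or None if absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):             # IPv6 literal such as [::1]:443
                return host.split("]")[0] + "]"
            return host.split(":")[0]
    return None

def select_vhost(raw_request: bytes, listener):
    """`listener` is an ordered list of (server_name, document_root) pairs.
    Returns the document root that will actually serve this request."""
    host = parse_host_header(raw_request)
    for server_name, doc_root in listener:
        if host == server_name:
            return doc_root
    return listener[0][1]                        # no match: the default site

# Constructed config: website1.com exists on the http listener only, which is
# the kind of slip that hands out a different site under the requested name.
HTTP_80 = [("default.example", "/srv/default"),
           ("website1.com", "/srv/site1"),
           ("website2.com", "/srv/site2")]
HTTPS_443 = [("website2.com", "/srv/site2")]

REQ_SITE1 = b"GET / HTTP/1.1\r\nHost: Website1.com:443\r\nUser-Agent: x\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.0\r\nUser-Agent: x\r\n\r\n"   # HTTP/1.0, no Host

if __name__ == "__main__":
    print("website1.com over http  ->", select_vhost(REQ_SITE1, HTTP_80))
    print("website1.com over https ->", select_vhost(REQ_SITE1, HTTPS_443))
    print("no Host header over http ->", select_vhost(REQ_NO_HOST, HTTP_80))
```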