
Thread: DNS error - some sort of clash?

  1. #17
    spacein_vader

    For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.

    Downside is then if you ever have DNS issues it's almost certainly your own fault.

    Biggest gripe is the modern trend for devices to have hard-coded DNS (Google devices in particular do this a lot), as not many consumer routers will allow you to capture this and route it to the Pi Hole anyway.

  2. #18
    philehidiot

    Originally posted by watercooled:
    > So this is a really rare one but I've seen it happen a few times over the years. Type in the name of a common website and get directed to something completely different, but with the same URL. And no, this is not because of a typo, but that would be my first reaction too.
    >
    > So, any ideas how that would happen? Depending how it happens I imagine it could have some security implications.
    >
    > Edit: I did post an example but it was due to a typo but pretty sure I've had it happen in the past where I've literally just pressed F5 and it's gone to the correct page.

    From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.

    They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.

    If it's not going to a scam page, odds are it's just an outdated DNS server entry.

    If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.
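
The manual ARP table check mentioned in the post above, as an added example (not code from the thread or from any tool it names). It parses the output format of `ip neigh show` on Linux; the sample table, addresses and the `check_arp` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 52:54:00:aa:bb:01 STALE
192.168.1.40 dev wlan0 lladdr 52:54:00:cc:dd:40 REACHABLE
192.168.1.55 dev wlan0  FAILED
"""

LINE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})\b", re.I
)

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def check_arp(table, gateway_ip, known_gateway_mac=None):
    """Flag MACs that answer for several IPs, and a gateway MAC that changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            # Sharing a MAC with the gateway is the classic poisoning symptom;
            # other duplicates can be benign (multi-homed hosts, proxy ARP).
            severity = "HIGH" if gateway_ip in ips else "INFO"
            findings.append((severity, f"{mac} answers for {sorted(ips)}"))
    current = table.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(("HIGH", f"gateway {gateway_ip} is at {current}, "
                                 f"expected {known_gateway_mac.lower()}"))
    return findings

if __name__ == "__main__":
    for severity, message in check_arp(parse_neigh(SAMPLE_NEIGH), "192.168.1.1"):
        print(severity, message)
```

Recording the gateway's MAC while the network is known to be clean and passing it as `known_gateway_mac` catches a swapped gateway entry even when no duplicate is visible.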

  3. #19
    watercooled

    Originally posted by spacein_vader:
    > For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.

    It's only cached until the TTL expires, then it's back to asking up the chain for the address. When you query for a new address without a cache you start at the root servers who tell you where to find e.g. .com, then ask the .com servers where to find google.com, and then ask google.com's DNS where to find drive.google.com. Once .com has been cached you don't need to keep hammering the root servers with lookups, until the TTL expires of course.

    Originally posted by philehidiot:
    > From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.
    >
    > They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.
    >
    > If it's not going to a scam page, odds are it's just an outdated DNS server entry.
    >
    > If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.

    On the occasions I've seen it, it definitely wasn't a scam page (or was a hilariously bad attempt if it was) as it was nothing like the original. If anything, it just looked like a domain placeholder page. The weird thing is it did definitely happen a few times, and not all in a short timespan either.

    It's not an ARP MITM as it's on a home network.

    You see my puzzlement though, I can't quite think of what would have caused it, particularly for it to happen a few times. It's almost like there were conflicting entries on the DNS server and you'd very occasionally get assigned the wrong one. The fact the 'wrong' page had the title it did, makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.
    Last edited by watercooled; 14-01-2021 at 08:54 PM.
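
The lookup walk and TTL expiry described at the top of the post above, as an added example (not code from any poster). It is a simplified model over constructed zone data: the server names, addresses and TTL values are made up, and each server holds exactly one record per name.

```python
# Constructed delegation data: server -> {name: (kind, value, ttl_seconds)}.
ZONES = {
    "root": {"com.": ("NS", "com-servers", 172800)},
    "com-servers": {"google.com.": ("NS", "google-ns", 172800)},
    "google-ns": {
        "drive.google.com.": ("A", "192.0.2.10", 300),
        "mail.google.com.": ("A", "192.0.2.20", 300),
    },
}

class Resolver:
    def __init__(self):
        self.now = 0      # fake clock in seconds, advanced by the caller
        self.cache = {}   # name -> (kind, value, expires_at)
        self.asked = []   # upstream servers queried, in order

    def _cached(self, name):
        hit = self.cache.get(name)
        if hit and hit[2] > self.now:
            return hit
        self.cache.pop(name, None)   # expired or absent
        return None

    def _ask(self, server, name):
        self.asked.append(server)
        kind, value, ttl = ZONES[server][name]
        self.cache[name] = (kind, value, self.now + ttl)
        return self.cache[name]

    def resolve(self, fqdn):
        hit = self._cached(fqdn)
        if hit:
            return hit[1]
        labels = fqdn.rstrip(".").split(".")
        # Suffixes from the TLD down: com., google.com., drive.google.com.
        suffixes = [".".join(labels[i:]) + "."
                    for i in range(len(labels) - 1, -1, -1)]
        server = "root"
        for name in suffixes:
            kind, value, _ = self._cached(name) or self._ask(server, name)
            if kind == "A":
                return value
            server = value   # follow the delegation one level down

if __name__ == "__main__":
    r = Resolver()
    r.resolve("drive.google.com.")
    r.resolve("mail.google.com.")
    print(r.asked)
```

Setting `r.now` past 300 and resolving `drive.google.com.` again queries only `google-ns`; setting it past 172800 sends the lookup back to `root`.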

  4. #20
    matts-uk

    Originally posted by watercooled:
    > The fact the 'wrong' page had the title it did, makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.

    There are a bunch of failure modes that can cause you to be directed to the wrong web page - Most being failures of a human sysadmin or webmaster.

    Load balancing http requests is commonplace these days. Whether it's done with a round robin DNS, reverse proxy, hardware or combination the smallest of errors in the configuration can produce the behaviour you are reporting. Errors in Apache redirect scripts are a favourite source of wrong page problems too - The syntax is arcane and debugging is not straightforward.

    Forgetting to restart bind/apache/nginx/cgi after an update is probably the one I'm most guilty of.

  5. #21
    watercooled

    That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.

  6. #22
    DanceswithUnix

    Originally posted by watercooled:
    > That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.

    Between load balancing and multi hosting that can easily happen.

    My home server has several web domains hanging off it just for my own use. If a browser gets to my IP address then the http headers will say which site it actually wants. All goes well, they get the right page. Otherwise they get the default page.

    Something as simple as http vs https gets you completely different config to the same site, let alone the same IP address. When one site can be spread across lots of IP addresses, there is plenty to go wrong. And it does.
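
The Host-header selection described in the post above, as an added example (not the poster's server configuration). It models name-based virtual hosting on one IP address the way Apache and nginx pick a site, with the first entry on a port acting as the default; all site names and page labels are constructed.

```python
# Constructed config for one IP address: port -> ordered list of
# (server_names, document). The first entry on a port is that port's default.
LISTENERS = {
    80: [
        ({"placeholder.example"}, "parked-domain placeholder page"),
        ({"blog.example", "www.blog.example"}, "blog home page"),
        ({"shop.example"}, "shop home page"),
    ],
    443: [
        ({"blog.example"}, "blog home page"),
    ],
}

def normalise_host(host_header):
    """Lower-case the Host header and drop any :port suffix and trailing dot."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):              # IPv6 literal such as [2001:db8::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")

def select_site(port, host_header, listeners=LISTENERS):
    """Return (document, matched); matched is False when the default was served."""
    vhosts = listeners[port]
    host = normalise_host(host_header)
    for names, document in vhosts:
        if host in names:
            return document, True
    return vhosts[0][1], False

if __name__ == "__main__":
    requests = [
        (80, "shop.example"),            # configured name: correct site
        (443, "shop.example"),           # same name over https: no vhost there
        (80, "moved-away.example"),      # DNS still points here, site is gone
    ]
    for port, host in requests:
        document, matched = select_site(port, host)
        note = "matched" if matched else "fell through to default"
        print(f"{host} on port {port}: {document} ({note})")
```

The third request shows a name whose DNS record still points at a shared address after the site has moved: the URL in the browser is unchanged, but the server answers with its default page. An explicit catch-all default that returns an error instead of real content makes this failure visible.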
