DNS error - some sort of clash?
So this is a really rare one but I've seen it happen a few times over the years. Type in the name of a common website and get directed to something completely different, but with the same URL. And no, this is not because of a typo, but that would be my first reaction too.
So, any ideas how that would happen? Depending how it happens I imagine it could have some security implications.
Edit: I did post an example but it was due to a typo :stupid: but pretty sure I've had it happen in the past where I've literally just pressed F5 and it's gone to the correct page.
Re: DNS error - some sort of clash?
It can just be stale DNS or config entries as the internet adjusts to some poorly implemented config change. Web servers can serve lots of websites, and someone having a moment with a config file can send you to the wrong one.
Probably wouldn't happen to you, but the thing to look out for is malware redirecting you. I've seen machines that implement all sorts of DNS redirection and URL skimming to e.g. point you at ads they make revenue from. Last machine I saw like that I just booted from a Linux DVD (because that sucker is read only) to wipe the disk and start again. Damned machine was like something from the exorcist :D
Re: DNS error - some sort of clash?
Yeah I've seen it happen on the "can you have a look at my laptop please" systems which are obviously malware redirects, but this is something different I've seen. It is extremely rare though.
It didn't actually happen this time of course, it just reminded me. Come to think of it I've not seen it happen for years now.
It wasn't even a case of being sent a completely different page, rather the 'wrong' page even had the same title. I'll give you one example from many years ago, and it happened multiple times so stuck in my mind. I was aiming for runescape.com (don't judge me, it was a long time ago) and ended up on a website called run escape. I can only guess there used to be a website called 'run escape' and the URL was purchased for Runescape and somehow I was being served that page.
Re: DNS error - some sort of clash?
I had this a while back when I was still on ADSL, I forget who the provider was at the time.
Whose DNS server are you using?
I've actively been moving away from Google, I don't like that the default DNS on my ASUS router is Google's.
I've been experimenting with a couple of Malware blocking DNS servers:
https://en.wikipedia.org/wiki/1.1.1.1
When my health is restored I'm aiming to build my own DNS server
Re: DNS error - some sort of clash?
It can be ISP controlled too. One of the annoyances I found out about my recent provider is they don't allow users to choose a DNS server, I have to use the ISP's.
Re: DNS error - some sort of clash?
It was most likely Virgin's own resolvers. I have flicked between a few DNS providers over the years but Virgin's are generally fine (and fast) as long as you disable the silly redirects for typos. You also get the benefit of getting generally optimal routing to closer CDNs which third-party DNS can sometimes break.
@Kalniel: Is that one of the major providers? Seems like an odd requirement.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
It was most likely Virgin's own resolvers. I have flicked between a few DNS providers over the years but Virgin's are generally fine (and fast) as long as you disable the silly redirects for typos. You also get the benefit of getting generally optimal routing to closer CDNs which third-party DNS can sometimes break.
@Kalniel: Is that one of the major providers? Seems like an odd requirement.
It's Virgin in fact - you can set anything you like and it'll still route through their DNS servers.
Re: DNS error - some sort of clash?
How do you mean, because that's not the case for me? If I set 1.1.1.1 or 8.8.8.8, that's what I get. I even get markedly different results, hence my comment about the CDNs.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
How do you mean, because that's not the case for me? If I set 1.1.1.1 or 8.8.8.8, that's what I get. I even get markedly different results, hence my comment about the CDNs.
I'm probably mistaken then! Do you manage to avoid Virgin DNS appearing at all on an extended dnsleak test? https://www.dnsleaktest.com/
Re: DNS error - some sort of clash?
If I set 1.1.1.1 it just shows Cloudflare? I did take a screenshot but Imgur was complaining about being overloaded or something.
Re: DNS error - some sort of clash?
I believe you :) I'm clearly mistaken.
Re: DNS error - some sort of clash?
Were you setting it through DHCP or directly on the computers?
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
Were you setting it through DHCP or directly on the computers?
Via Windows' network adaptor settings, which I am absolutely not an expert on. What's the proper way?
Re: DNS error - some sort of clash?
That should be it. DHCP should be fine too but I wondered if VM's router might be interfering with that somehow, but I don't think it even allows you to change it on their own router, come to think of it.
Under IPv4 properties, just put the IPs for your preferred primary and secondary DNS servers. That should be respected and a quick way to test is on a command prompt; type nslookup, then see what it says about the default server. You can then type domain names to see how the server responds.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
DanceswithUnix
I just booted from a Linux DVD (because that sucker is read only)
Takes me back around 10 years ago when I was doing support for the UK office of an antivirus company. I spent about 90 minutes on the phone to a guy who, having had a minor adware/scareware infection, reformatted but was convinced that it had infiltrated his read-only Windows installation CDs/DVDs. It was the most frustrating and mentally exhausting 90 minutes of my (18 years and counting) IT career, trying to reason with someone who thought they were quite knowledgeable and wouldn't listen to a word I said. I vowed from that day to never take another job dealing with Joe Public.
Also, watercooled, unless I'm missing something, wouldn't it better still to configure these DNS servers on your router? I'm also with VM and use Cloudflare's DNS servers (1.1.1.1 and 1.0.0.1) - though admittedly I only use the VM router in bridge/modem mode, as I use my own Asus router.
Ah, soz. As I type this, just noticed you say it's not possible to change DNS servers on VM's router. Makes sense.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
kalniel
I believe you :) I'm clearly mistaken.
AIUI with Virgin you could both be right, as it is still a mess of small companies that were bought up by NTL over a period of years and never fully integrated into a coherent single system. So in a different town, different rules could apply.
Re: DNS error - some sort of clash?
For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.
Downside is then if you ever have DNS issues it's almost certainly your own fault.
Biggest gripe is the modern trend for devices to have hardcoded DNS (Google devices in particular do this a lot), as not many consumer routers will allow you to capture this and route it to the Pi Hole anyway.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
So this is a really rare one but I've seen it happen a few times over the years. Type in the name of a common website and get directed to something completely different, but with the same URL. And no, this is not because of a typo, but that would be my first reaction too.
So, any ideas how that would happen? Depending how it happens I imagine it could have some security implications.
Edit: I did post an example but it was due to a typo :stupid: but pretty sure I've had it happen in the past where I've literally just pressed F5 and it's gone to the correct page.
From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.
They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.
If it's not going to a scam page, odds are it's just an outdated DNS server entry.
If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.
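The "check the ARP tables manually" option from the post above, done with a script rather than by eye. This is an added example and not something from the thread or from XARP: it parses the output of Windows `arp -a` or Linux `ip neigh` and flags any unicast MAC address that is claimed by more than one IP, which is what ARP cache poisoning looks like from the victim's side (the attacker's MAC appears against both the gateway's IP and its own). The two sample tables and all addresses in them are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (made up for this example, not a
# capture from a real machine). 192.168.1.1 is the gateway; note that
# 192.168.1.40 is advertising the same hardware address.
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.40          a4-2b-8c-11-22-33     dynamic
  192.168.1.57          3c-22-fb-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of Linux `ip neigh` output with nothing suspicious in it.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr a4:2b:8c:11:22:33 REACHABLE
192.168.1.57 dev eth0 lladdr 3c:22:fb:aa:bb:cc STALE
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b", re.I)


def parse_neighbour_table(text):
    """Return {ip: mac} from `arp -a` (Windows) or `ip neigh` (Linux) output.
    Lines without both an IPv4 address and a MAC (headers, blanks) are skipped.
    MACs are normalised to lower-case, colon-separated form."""
    entries = {}
    for line in text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            entries[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return entries


def is_unicast(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set;
    they legitimately map to many IPs and must not be counted as conflicts."""
    return int(mac.split(":")[0], 16) & 1 == 0


def find_arp_conflicts(entries, gateway_ip=None):
    """Group IPs by unicast MAC. Two IPs claiming one MAC is the classic sign of
    ARP cache poisoning (the attacker answers for the gateway as well as itself).
    Returns (conflicts, gateway_is_involved)."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if is_unicast(mac):
            by_mac[mac].append(ip)
    conflicts = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    gateway_hit = any(gateway_ip in ips for ips in conflicts.values())
    return conflicts, gateway_hit


if __name__ == "__main__":
    table = parse_neighbour_table(SAMPLE_ARP_A)
    conflicts, gateway_hit = find_arp_conflicts(table, gateway_ip="192.168.1.1")
    for mac, ips in conflicts.items():
        print(f"{mac} is claimed by {', '.join(ips)}")
    print("gateway involved:", gateway_hit)
```

To use it on a real box, feed it the output of `arp -a` or `ip neigh` instead of the sample. A duplicate is a lead, not proof: a router that owns several IPs on one interface, or a VRRP/HSRP pair, will show the same MAC twice quite legitimately, so compare against what you know the gateway's MAC should be before drawing conclusions.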
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
spacein_vader
For those needy enough to use a Pi Hole for ad blocking it's also fairly straightforward to set it up to act as DNS and only query one of the 8 (IIRC) authoritative DNS servers for a new address. Means that the first time you visit a new site it's slightly slower but after that it's cached.
It's only cached until the TTL expires, then it's back to asking up the chain for the address. When you query for a new address without a cache you start at the root servers who tell you where to find e.g. .com, then ask the .com servers where to find google.com, and then ask google.com's DNS where to find drive.google.com. Once .com has been cached you don't need to keep hammering the root servers with lookups, until the TTL expires of course.
Quote:
Originally Posted by
philehidiot
From a security perspective this could be caused by someone doing a man in the middle attack and then DNS spoofing. There are plenty of tools for this. If it were a DNS spoofing attack, it wouldn't go away with refreshing the page.
They'd normally do this by ARP poisoning to be the MITM and then setting up a tool to swap out the IP addresses. Normally they'd redirect you to a website that looked the same as your intended one. Unless they are some little prick sat in Starbucks with a honeypot and is just screwing with everyone by sending them to random websites.
If it's not going to a scam page, odds are it's just an outdated DNS server entry.
If you see it and you're worried about a MITM attack, you can either check the ARP tables manually (dull) or use a tool called XARP which works on Linux and Windows and will alert to poisoned ARP tables.
On the occasions I've seen it, it definitely wasn't a scam page (or was a hilariously bad attempt if it was) as it was nothing like the original. If anything, it just looked like a domain placeholder page. The weird thing is it did definitely happen a few times, and not all in a short timespan either.
It's not an ARP MITM as it's on a home network.
You see my puzzlement though, I can't quite think of what would have caused it, particularly for it to happen a few times. It's almost like there were conflicting entries on the DNS server and you'd very occasionally get assigned the wrong one. The fact the 'wrong' page had the title it did, makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.
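The root -> .com -> google.com walk and the TTL behaviour described in the post above, as a small simulated iterative resolver. This is an added example, not code from the thread or from Pi-hole/unbound: the four "servers" are in-memory dictionaries standing in for the real root, .com and zone servers, the server names and IP addresses are made up (TEST-NET ranges), and the clock is injectable so the expiry can be driven without waiting. It records every query it sends, which makes it easy to see that the root is only asked once until the .com delegation's TTL runs out.

```python
import time

# Constructed, simplified delegation data. Each "server" knows only its own zone
# and refers anything below it downward. Records are (kind, value, ttl_seconds);
# a "referral" value names the next server, an "answer" value is an IPv4 address.
ROOT = {"com.": ("referral", "com-servers", 172800)}
COM = {
    "google.com.": ("referral", "google-servers", 172800),
    "example.com.": ("referral", "example-servers", 172800),
}
GOOGLE = {
    "drive.google.com.": ("answer", "192.0.2.10", 300),
    "www.google.com.": ("answer", "192.0.2.11", 300),
}
EXAMPLE = {"www.example.com.": ("answer", "198.51.100.5", 3600)}

SERVERS = {
    "root-servers": ROOT,
    "com-servers": COM,
    "google-servers": GOOGLE,
    "example-servers": EXAMPLE,
}


def ask(server, name):
    """Simulate one query to an authoritative server. It answers for the longest
    suffix of `name` it has a record for, or None if it knows nothing useful."""
    zone = SERVERS[server]
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return suffix, zone[suffix]
    return None


class CachingResolver:
    """Iterative resolver with a TTL-bounded cache, in the spirit of a local
    Pi-hole/unbound setup that talks to authoritative servers itself."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}     # owner name -> (kind, value, expires_at)
        self.queries = []   # (server, name) for every query actually sent

    def _cached(self, key):
        hit = self.cache.get(key)
        if hit and hit[2] > self.clock():
            return hit
        self.cache.pop(key, None)   # expired entries are dropped on access
        return None

    def resolve(self, name):
        if not name.endswith("."):
            name += "."
        hit = self._cached(name)
        if hit and hit[0] == "answer":
            return hit[1]
        # Start from the closest cached delegation; fall back to the root.
        server = "root-servers"
        labels = name.split(".")
        for i in range(1, len(labels)):
            hit = self._cached(".".join(labels[i:]))
            if hit and hit[0] == "referral":
                server = hit[1]
                break
        while True:
            self.queries.append((server, name))
            result = ask(server, name)
            if result is None:
                raise LookupError(name)
            owner, (kind, value, ttl) = result
            self.cache[owner] = (kind, value, self.clock() + ttl)
            if kind == "answer":
                return value
            server = value   # follow the referral one level down


if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("drive.google.com"), r.queries)
    print(r.resolve("www.example.com"), r.queries[3:])   # root not asked again
```

The second lookup (www.example.com) starts at the cached .com delegation, and a repeat of drive.google.com after its 300 second TTL only re-asks google-servers because the much longer delegation TTLs are still valid. Real resolvers also handle NS/glue records, negative caching and DNSSEC, none of which this toy attempts.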
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
The fact the 'wrong' page had the title it did, makes me wonder if it was whatever used the domain name beforehand, and somehow it hadn't been flushed out of the system properly. Really not sure how, but you can see what I mean.
There are a bunch of failure modes that can cause you to be directed to the wrong web page, most being failures of a human sysadmin or webmaster.
Load balancing http requests is commonplace these days. Whether it's done with a round robin DNS, reverse proxy, hardware or combination the smallest of errors in the configuration can produce the behaviour you are reporting. Errors in Apache redirect scripts are a favourite source of wrong page problems too - The syntax is arcane and debugging is not straightforward.
Forgetting to restart bind/apache/nginx/cgi after an update is probably the one I'm most guilty of ;)
Re: DNS error - some sort of clash?
That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.
Re: DNS error - some sort of clash?
Quote:
Originally Posted by
watercooled
That would still require another page with the same name to exist though, which really shouldn't be the case. If I attempted to go to website1.com and ended up on website2.com, or even being served the wrong page within the site, I'd kinda get it.
Between load balancing and multi hosting that can easily happen.
My home server has several web domains hanging off it just for my own use. If a browser gets to my IP address then the HTTP headers will say which site it actually wants. All goes well, they get the right page. Otherwise they get the default page.
Something as simple as http vs https gets you completely different config to the same site, let alone the same IP address. When one site can be spread across lots of IP addresses, there is plenty to go wrong. And it does :)
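The name-based hosting behaviour described in the last two posts, as an added example (not the poster's server config or anything from the thread). It models one shared IP with a small virtual-host table keyed by listener port and Host header, and a per-port default site that catches anything unmatched. The domain names, ports and page labels are invented. The table deliberately has no port 80 entry for the newer site, which is the "http vs https gets you a different config" mistake: the same URL host lands on the previous tenant's placeholder page over plain HTTP and on the right site over HTTPS.

```python
# Constructed virtual-host table for one shared server IP. Names, ports and
# page labels are made up for this example.
VHOSTS = {
    (80, "oldtenant.example"): "oldtenant placeholder page",
    (443, "oldtenant.example"): "oldtenant placeholder page",
    (443, "newsite.example"): "newsite homepage",
    # Nobody added a port 80 entry for newsite.example when it moved here.
}

# What each listener hands out when the Host header matches nothing it knows.
# On a box where the old tenant was the first/only site, this is their page.
DEFAULT_SITE = {
    80: "oldtenant placeholder page",
    443: "oldtenant placeholder page",
}


def parse_host(raw_request):
    """Return the normalised Host header of a raw HTTP request, or None if it
    is absent (HTTP/1.0 clients and some scanners send no Host at all)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            host = host.split(":", 1)[0]            # drop an explicit port
            return host.rstrip(".") or None
    return None


def select_site(port, raw_request, vhosts=VHOSTS, default=DEFAULT_SITE):
    """Name-based virtual hosting: the (listener port, Host) pair picks the
    site config; anything unmatched falls through to that port's default."""
    host = parse_host(raw_request)
    return vhosts.get((port, host), default[port])


if __name__ == "__main__":
    req = "GET / HTTP/1.1\r\nHost: newsite.example\r\n\r\n"
    print("https:", select_site(443, req))   # newsite homepage
    print("http: ", select_site(80, req))    # oldtenant placeholder page
```

The quick check on a real server is the same idea from the outside: request the site with an explicit Host header on each port (curl's `-H 'Host: ...'` against the IP, or `--resolve`) and compare what comes back on 80 and 443. If one of them serves the default page, the "wrong page with the same URL" symptom is a missing or mis-scoped vhost entry rather than anything DNS is doing.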