[Netalyzr] DNS redirected to third-party servers: www.google.com

Maciej Soltysiak maciej at soltysiak.com
Thu Jun 14 12:40:57 PDT 2012


Hi Jim,

My router is latest cerowrt-3.3.8-3, installed about an hour after it hit
the ftp site.
I doubt it could have got infected so fast.

Anyway, when I initially directly asked 8.8.8.8 for www.google.com it never
responded with the 42.x.y.z addresses, but some other ones.  Now, after
some time, it does as well, so I'm feeling calm now.

Thanks,
Maciej



On Thu, Jun 14, 2012 at 9:33 PM, Jim Gettys <jg at freedesktop.org> wrote:

> On 06/14/2012 02:32 PM, Nicholas Weaver wrote:
> > I think this may be a false positive:
> >
> > The systems respond like standard Google servers, both in normal
> communication and in errors (previous situations where this occurred had the
> servers respond differently to errors than legitimate Google servers).  So
> it could be Google has added some new servers in Poland, but not updated
> the reverse DNS.  I will contact a friend at google to confirm...
>
> DNSchanger?  Remember, that malware attacks your home router as well as
> your hosts....
>                     - Jim
>
> >
> > However, if you want to be extra sure, you can switch to Google Public
> DNS (8.8.8.8 and 8.8.4.4)
> >
> >
> > On Jun 14, 2012, at 11:26 AM, Maciej Soltysiak wrote:
> >
> >> Hi,
> >>
> >> My netalyzr runs recently started to show that my ISP redirects
> www.google.com to 3rd party.
> >> I would like to make sure it's me or my ISP and not something changed
> in google CDN or Netalyzr so could anyone else verify if you are getting
> similar results, please?
> >> My run is here:
> >>
> http://n1.netalyzr.icsi.berkeley.edu/summary/id=43ca253f-21386-3947730d-5148-4bce-9140#DNSLookup
> >>
> >> The IPs that get resolved are:
> >> 46.28.247.113
> >> 46.28.247.118
> >>
> >> Possible reasons:
> >> - DNS issues on my home router, which has a bit experimental software
> (cerowrt from bufferbloat.net), but it didn't show before on same
> firmware.
> >> - Ongoing cache poisoning attack. My ISP DNS is 62.21.99.95
> >> - this might be if google is using another pool for CDN then it's a
> false positive. -- I'm located in Poznan, Poland, (Europe)
> >>
> >> Best regards,
> >> Maciej Soltysiak
> >>
> >> _______________________________________________
> >> Netalyzr mailing list
> >> Netalyzr at mailman.ICSI.Berkeley.EDU
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/netalyzr
> >
>
>
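The cross-check discussed in this thread (asking the ISP resolver and 8.8.8.8 directly for www.google.com and comparing what each returns), as an added example that is not part of the list discussion: a stdlib-only Python client that sends a raw A query to one chosen resolver, parses the reply and verifies the transaction id. The resolver addresses passed to it, the 3-second timeout and the embedded sample reply are assumptions or constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    # Minimal RFC 1035 A/IN query, recursion desired; txid is echoed back by the server.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + msg[off]
    return off + 1                    # past the terminating zero-length label

def parse_a_records(msg):
    # Collect the IPv4 addresses in the answer section of a DNS response.
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)

def query_a(name, resolver, timeout=3.0):
    # Ask one specific resolver (the ISP's, or 8.8.8.8) over UDP/53 and parse its reply.
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:            # reply must carry our transaction id
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)

# Constructed sample reply (not a real capture): the answer to build_query("www.google.com") with the thread's two addresses.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("46.28.247.113")
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("46.28.247.118")
)
```

To reproduce the check, call query_a("www.google.com", "62.21.99.95") and query_a("www.google.com", "8.8.8.8") and diff the two sorted lists; addresses that only the ISP resolver returns are the ones to follow up with a reverse lookup.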