* [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Meino.Cramer @ 2015-03-10 18:16 UTC
To: Gentoo
Hi,
the following happened some minutes ago:
I was searching on youtube for some reviews...
and suddenly BOOM: "Server not found: Unknow host"
I restarted firefox...which did not help.
I did a ping & traceroute to www.youtube.com from
the commandline...same results...
Wireshark shows the DNS query to my DSL modem...
and the answer was that from above.
I rebooted my Gentoo box...no help...
The problem vanished when I power-cycled my DSL modem.
Any other access was working the whole time.
Was my DSL modem hacked?
Did anyone else notice a glitch in the matrix?
Best regards,
mcc
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: wabenbau @ 2015-03-10 19:09 UTC
To: gentoo-user
On Tuesday, 10.03.2015 at 19:16,
Meino.Cramer@gmx.de wrote:
> Hi,
>
> the following happened some minutes ago:
> I was searching on youtube for some reviews...
> and suddenly BOOM: "Server not found: Unknow host"
>
> I restarted firefox...which did not help.
>
> I did a ping & traceroute to www.youtube.com from
> the commandline...same results...
>
> Wireshark shows the DNS query to my DSL modem...
> and the answer was that from above.
>
> I rebooted my Gentoo box...no help...
>
> The problem vanished when I power-cycled my DSL modem.
>
> Any other access was working the whole time.
>
> Was my DSL modem hacked?
> Did anyone else notice a glitch in the matrix?
I'm using youtube only occasionally and last use was some days ago, so
I don't know if there was something unusual today.
When I do an nslookup www.youtube.com, I get a whole bunch of IP
addresses. Maybe the DNS implementation on your DSL modem only caches
the first one. If this IP then is not reachable for some reason, it
would lead to an "Unknow Host Error" till the TTL of the cached entry is
reached and the modem is doing the next lookup.
But that's just a thought. Maybe your modem really was hacked.
--
Regards
wabe
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: J. Roeleveld @ 2015-03-10 19:14 UTC
To: gentoo-user
On 10 March 2015 19:16:12 CET, Meino.Cramer@gmx.de wrote:
>Hi,
>
>the following happened some minutes ago:
>I was searching on youtube for some reviews...
>and suddenly BOOM: "Server not found: Unknow host"
>
>I restarted firefox...which did not help.
>
>I did a ping & traceroute to www.youtube.com from
>the commandline...same results...
>
>Wireshark shows the DNS query to my DSL modem...
>and the answer was that from above.
>
>I rebooted my Gentoo box...no help...
>
>The problem vanished when I power-cycled my DSL modem.
>
>Any other access was working the whole time.
>
>Was my DSL modem hacked?
>Did anyone else notice a glitch in the matrix?
>
>Best regards,
>mcc
Most modems and routers have really bad DNS proxies. I tend to either run my own or use Google's DNS:
8.8.8.8 and 8.8.4.4
--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: bitlord @ 2015-03-10 19:30 UTC
To: gentoo-user
On Tue, 10 Mar 2015 19:16:12 +0100
Meino.Cramer@gmx.de wrote:
> Hi,
>
> the following happened some minutes ago:
> I was searching on youtube for some reviews...
> and suddenly BOOM: "Server not found: Unknow host"
>
> I restarted firefox...which did not help.
>
> I did a ping & traceroute to www.youtube.com from
> the commandline...same results...
>
> Wireshark shows the DNS query to my DSL modem...
> and the answer was that from above.
>
> I rebooted my Gentoo box...no help...
>
> The problem vanished when I power-cycled my DSL modem.
>
> Any other access was working the whole time.
>
> Was my DSL modem hacked?
> Did anyone else notice a glitch in the matrix?
>
> Best regards,
> mcc
>
>
Today everyone can make a dsl router/modem, and ISPs when they
give you equipment they want it to be cheap. I saw exactly the same
problem on cheap dsl routers, I don't have enough knowledge to debug
it, or to be sure if it is safe or not, it worked for months with no
issues, no reboots ..., one day it stopped working/resolving hosts, and
its dhcp server config doesn't allow "forwarding" of DNS servers from
WAN configuration, or manually setting one which will be given to the
dhcp "clients", so there are two ways, it can work as a proxy (send
its own IP as DNS server to clients), or it doesn't provide DNS, so you
need to configure each client manually.
If you restart the router, it works sometimes for a few hours, sometimes
a few days, but it will fail again randomly.
The only worrying thing is that it worked for months without an issue.
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: wabenbau @ 2015-03-10 19:35 UTC
To: gentoo-user
On Tuesday, 10.03.2015 at 19:14,
"J. Roeleveld" <joost@antarean.org> wrote:
> On 10 March 2015 19:16:12 CET, Meino.Cramer@gmx.de wrote:
> >Hi,
> >
> >the following happened some minutes ago:
> >I was searching on youtube for some reviews...
> >and suddenly BOOM: "Server not found: Unknow host"
> >
> >I restarted firefox...which did not help.
> >
> >I did a ping & traceroute to www.youtube.com from
> >the commandline...same results...
> >
> >Wireshark shows the DNS query to my DSL modem...
> >and the answer was that from above.
> >
> >I rebooted my Gentoo box...no help...
> >
> >The problem vanished when I power-cycled my DSL modem.
> >
> >Any other access was working the whole time.
> >
> >Was my DSL modem hacked?
> >Did anyone else notice a glitch in the matrix?
> >
> >Best regards,
> >mcc
>
> Most modems and routers have really bad DNS proxies. I tend to either
> run my own or use Google's DNS: 8.8.8.8 and 8.8.4.4
I don't like the idea that google is getting all information about my
DNS queries. ;-)
I usually prefer the DNS servers from my ISP as forwarding servers for
my router (which has a properly working DNS proxy). These DNS servers are
just a few hops away and therefore respond very fast.
--
Regards
wabe
* [gentoo-user] Re: [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: James @ 2015-03-10 20:34 UTC
To: gentoo-user
<Meino.Cramer <at> gmx.de> writes:
> Hi,
> Was my DSL modem hacked?
Quite possibly. There are a myriad of resources on hacking
modems[1]. Also, most modems support performance configurations
via "S registers". Often, vendors leave access to the modem's
"S registers" accessible and err on the side of ease of access.
Others have brain_dead interfaces, just begging to be hacked.
Then there are the wireless ports, usually configured to just "work"
upon reboot with the widest possible range of open configs. Some
"cable modem" ISPs allow you to purchase better quality hardware
and use it, as long as they are given control over the mode. It's
like the wild wild west, still lots of open range.
Furthermore, modems are still a common, bountiful?, injection point
for all sorts of nefarious activities, including governments not local
to your nation.
What we really need is a gentoo project to have a repository of
gentoo based open source router (and transparent bridges) solutions.
It's a ton of work for one person to stay on top of. Others will suggest
some solutions like a shorewall fw behind your cable modem. Sorry for
digressing off the dns specific hacking activity you have most likely
stumbled upon. But if you fix that, and hackers like your node, they'll
just migrate to other layers and parts of the stack.....
On dns security issues, I'd speak with your local ISP in addition to
discovering where your system(s) are resolving off of. Bad routing
tables and routing instability are constant problems on the wider net.
Your (ISP) router jocks may be understaffed, or just plain lazy.....
There are a myriad of 'third party' solutions to quality/secure dns
services, but, that is the responsibility of your ISP, usually.
net-dns/bind-tools contains an excellent tool called "dig".
Google for syntax examples......
hth,
James
[1] ISBN-13: 978-1593271015 ISBN-10: 1593271018
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Walter Dnes @ 2015-03-10 21:03 UTC
To: gentoo-user
On Tue, Mar 10, 2015 at 07:16:12PM +0100, Meino.Cramer@gmx.de wrote
> Hi,
>
> the following happened some minutes ago:
> I was searching on youtube for some reviews...
> and suddenly BOOM: "Server not found: Unknow host"
>
> I restarted firefox...which did not help.
>
> I did a ping & traceroute to www.youtube.com from
> the commandline...same results...
>
> Wireshark shows the DNS query to my DSL modem...
> and the answer was that from above.
>
> I rebooted my Gentoo box...no help...
>
> The problem vanished when I power-cycled my DSL modem.
>
> Any other access was working the whole time.
>
> Was my DSL modem hacked?
> Did anyone else notice a glitch in the matrix?
I've seen similar problems with Youtube. Switching the DNS servers in
/etc/resolv.conf seems to fix the problem every time.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Justin Findlay @ 2015-03-11 0:10 UTC
To: gentoo-user
On 03/10/2015 01:35 PM, wabenbau@gmail.com wrote:
>> Most modems and routers have really bad DNS proxies. I tend to either
>> run my own or use Google's DNS: 8.8.8.8 and 8.8.4.4
>
> I don't like the idea that google is getting all information about my
> DNS queries. ;-)
If you need a temporary public resolver and you don't want to send more
info to google, you can use these public resolvers from Level 3:
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
You should normally use and know the DNS servers provided by the most
local networks you're in. If any of these are untrustworthy or
problematic, 4.2.2.2 should work well enough to get online to sort it out.
Here is an interesting intro to the subject (be sure to also read the
comments):
http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/
Justin
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Peter Humphrey @ 2015-03-11 9:24 UTC
To: gentoo-user
On Tuesday 10 March 2015 19:16:12 Meino.Cramer@gmx.de wrote:
> I rebooted my Gentoo box...no help...
>
> The problem vanished when I power-cycled my DSL modem.
>
> Any other access was working the whole time.
>
> Was my DSL modem hacked?
> Did anyone else notice a glitch in the matrix?
I think DSL modems must run Windows - they seem to need rebooting every
now and then. I had to do so last week when various lookups failed, or
needed several attempts.
--
Rgds
Peter.
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Adam Carter @ 2015-03-11 9:28 UTC
To: gentoo-user@lists.gentoo.org
The second argument to both host and nslookup specifies the server to use
for the lookup. So, you can compare the results of the DNS server specified
in /etc/resolv.conf with others like those mentioned above, e.g.
host youtube.com 8.8.8.8
or
nslookup youtube.com 4.2.2.4
However, youtube.com will no doubt be using global server load balancing,
which means the DNS response will be based on the source IP address of the
DNS request, so you can be directed to the closest youtube.com server(s).
So, since you can't be sure the DNS results will be consistent across DNS
servers, you can't use that to determine if you're being MITM'd. Mind you, I
don't think a non-targeted MITM would bother with someone's youtube
traffic, but if you're concerned about that just connect to youtube with
https, so the certificate can be verified.
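
The comparison described in the message above, as an added example that is not part of the original thread: it asks each resolver directly and separates "the local DNS proxy is failing" from "the answers merely differ", which load balancing makes normal. The modem address 192.168.1.1 is an assumption; 8.8.8.8 and 4.2.2.2 are the resolvers named in the thread.

```python
import secrets, socket, struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid):
    # Header with RD set and one question, then QNAME, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg, qid):
    """Return (rcode, sorted A records); reject replies that are not ours."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), sorted(addrs)

def ask(server, name, timeout=3.0):
    """Query one resolver over UDP; any failure becomes ("NO_ANSWER", [])."""
    qid = secrets.randbelow(65536)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (server, 53))
            return parse_response(s.recv(4096), qid)
    except (OSError, ValueError, struct.error, IndexError):
        return "NO_ANSWER", []

def verdict(local, others):
    """Compare the local resolver's (rcode, addrs) with the other resolvers'."""
    if local[0] == "NOERROR" and local[1]:
        return "local-ok"           # differing A sets alone prove nothing (GSLB)
    if any(rc == "NOERROR" and addrs for rc, addrs in others):
        return "local-proxy-fault"  # name exists upstream, local proxy fails
    return "all-fail"

if __name__ == "__main__":  # 192.168.1.1 is an assumed modem address
    local = ask("192.168.1.1", "www.youtube.com")
    print(local, verdict(local, [ask(r, "www.youtube.com") for r in ("8.8.8.8", "4.2.2.2")]))
```

A "local-proxy-fault" result matches the symptom in the first post; it says nothing about whether the path is being intercepted, which is what the HTTPS certificate check is for.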
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: Stroller @ 2015-03-11 9:28 UTC
To: gentoo-user
On Tue, 10 March 2015, at 6:16 pm, meino.cramer@gmx.de wrote:
> ...
> The problem vanished when I power-cycled my DSL modem.
>
> Was my DSL modem hacked?
I think it's far more likely the router ran out of memory, a process hung or something.
Perhaps other sites worked because they were cached.
There's no way to debug it now, and replies can only be speculation.
If it becomes a regular problem, I suggest you install OpenWRT, which will give you the tools you need for debugging it.
Stroller.
* Re: [gentoo-user] [OT] Mysterious vanishing of DNS entry of www.youtube.com...was I hacked?
From: wabenbau @ 2015-03-11 22:31 UTC
To: gentoo-user
On Tuesday, 10.03.2015 at 18:10,
Justin Findlay <jfindlay@gmail.com> wrote:
> On 03/10/2015 01:35 PM, wabenbau@gmail.com wrote:
> >> Most modems and routers have really bad DNS proxies. I tend to
> >> either run my own or use Google's DNS: 8.8.8.8 and 8.8.4.4
> >
> > I don't like the idea that google is getting all information about
> > my DNS queries. ;-)
>
> If you need a temporary public resolver and you don't want to send
> more info to google, you can use these public resolvers from Level 3:
>
> 4.2.2.1
> 4.2.2.2
> 4.2.2.3
> 4.2.2.4
>
> You should normally use and know the DNS servers provided by the most
> local networks you're in. If any of these are untrustworthy or
> problematic, 4.2.2.2 should work well enough to get online to sort it
> out.
>
> Here is an interesting intro to the subject (be sure to also read the
> comments):
>
> http://www.circleid.com/posts/20110407_top_public_dns_resolvers_compared/
>
>
> Justin
THX for the info. I will take a look at it.
--
Regards
wabe