
Have I been DNS Hijacked?

Discussion in 'Networks & Internet Connectivity' started by Virdi, Feb 24, 2018.

  1. Virdi

    Mobster

    Joined: Jun 11, 2004

    Posts: 4,119

    Location: Middlesex, London

    Hi all,

    I noticed a couple of websites like eBay were not loading properly ....upon further checking I logged into my ASUS router and noticed that my WAN DNS ip was:

    185.117.75.242

    I have never noticed this and my ISP is Plusnet.

    ....so the obvious question is ....am I in trouble?

    Thx
     
  2. randal

    Capodecina

    Joined: Oct 1, 2006

    Posts: 11,955

    Well Plusnet's DNS servers are:

    Primary 212.159.13.49
    Secondary 212.159.13.50

    https://www.plus.net/help/broadband/about-dns-server-and-website-settings/

    And that IP is in a Dutch IP block, registered in the Arab Emirates.

    https://ipinfo.io/AS60117/185.117.75.0/24

    It belongs to a VPS hosting company called Host Sailor. So I suspect someone has configured a rogue DNS server on a VPS, taken full advantage of Asus's terrible router security and updated your settings to point there.

    In short, get a better router. :)
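The check randal describes above (compare the router's WAN DNS entry against the ISP's published resolvers, and note whether it sits in a hosting range instead) can be scripted. The following is an added example, not code from the thread or from any router vendor. The Plusnet resolver addresses and the 185.117.75.0/24 block are taken from the posts; the sample router settings and the resolution answers fed to `compare_answers` are constructed (documentation-range addresses), since a real check would pull them from the router's admin page and from live queries.

```python
"""Offline check of a router's WAN DNS setting against an ISP's published resolvers.

Added example for the thread above. PLUSNET_DNS and the hosting block come from the
posts; everything passed in below is constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Plusnet's published resolvers (from the thread); adjust for your own ISP.
PLUSNET_DNS = {"212.159.13.49", "212.159.13.50"}

# Ranges a home router has no business using for DNS. The VPS block named in the
# thread is the example here; extend with whatever hosting ranges you care about.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("185.117.75.0/24")]


def check_wan_dns(configured: Iterable[str], expected: Set[str] = PLUSNET_DNS) -> List[str]:
    """Return one finding per configured resolver that is not one of the expected ones."""
    findings = []
    for server in configured:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{server}: not a valid IP address")
            continue
        if server in expected:
            continue  # matches the ISP's published resolver, nothing to report
        if any(addr in net for net in SUSPICIOUS_NETWORKS):
            findings.append(f"{server}: inside a known hosting range, not an ISP resolver")
        elif addr.is_private:
            # A LAN address usually means a local resolver (Pi-hole etc.); worth confirming.
            findings.append(f"{server}: private address, confirm it is a resolver you run")
        else:
            findings.append(f"{server}: not one of the ISP's published resolvers")
    return findings


def compare_answers(trusted: Dict[str, Set[str]], configured: Dict[str, Set[str]]) -> List[str]:
    """Flag hostnames whose answers from the configured resolver share nothing with a trusted one.

    Big sites legitimately hand out different CDN addresses on each query, so a finding is
    only raised when the two answer sets are completely disjoint, not merely different.
    """
    findings = []
    for host, good in trusted.items():
        seen = configured.get(host, set())
        if not seen:
            findings.append(f"{host}: configured resolver returned no answer")
        elif good.isdisjoint(seen):
            findings.append(f"{host}: got {sorted(seen)}, trusted resolver gave {sorted(good)}")
    return findings


if __name__ == "__main__":
    # Constructed router setting matching the OP's post.
    for line in check_wan_dns(["185.117.75.242"]):
        print(line)
    # Constructed answers: trusted resolver vs the configured one, documentation ranges only.
    trusted = {"shop.example": {"203.0.113.10", "203.0.113.11"}}
    configured = {"shop.example": {"198.51.100.7"}}
    for line in compare_answers(trusted, configured):
        print(line)
```

Run it once with the addresses copied from the router's WAN page; an empty list from `check_wan_dns` means the resolvers match the ISP's. For `compare_answers`, get the trusted answers from a resolver you pick yourself (over a connection the router is not in the path of, ideally) rather than from the router.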
     
  3. Virdi

    Mobster

    Joined: Jun 11, 2004

    Posts: 4,119

    Location: Middlesex, London

    Many thanks
     
  4. willhub

    Capodecina

    Joined: Jan 3, 2006

    Posts: 20,088

    Location: MediaCityUK

    What are the potential consequences of getting DNS jacked?

    And why would some random from the UAE want to direct Virdi from the south and his router to a Dutch hosting company?
     
  5. randal

    Capodecina

    Joined: Oct 1, 2006

    Posts: 11,955

    Scenario: I'm going to "thissiteItrust.com", and the hijacked DNS server directs Virdi's machine to a copy of the site full of malicious junk and things. It can also be used to inject ads into everything he browses, as well as a slew of other undesirable actions.

    Compromise DNS, and you can do a lot of damage.

    I doubt he was targeted specifically, probably just a bot crawling home IP ranges attempting to find vulnerable routers. Once found, it probably then hands the IP/user/pass to another bot to do with what it wants.
     
  6. Steampunk

    Soldato

    Joined: Jun 1, 2013

    Posts: 5,318

    It means any request to any website that requires a DNS lookup can be redirected. You can use it to direct traffic for advertising hits, or to a malicious website to perform a man-in-the-middle for things like stealing bank details. Any sensible web browser or network anti-virus should flag up HTTPS certificate failures, if you're using HTTPS.

    Depending which Asus router the OP has, he should look at installing a Merlin firmware or fork for added security.
     
  7. willhub

    Capodecina

    Joined: Jan 3, 2006

    Posts: 20,088

    Location: MediaCityUK

    Blimey, never thought of checking it, will check to see if my BT router is ok.