http://www.dslreports.com/forum/Cant-confirm-the-transparent-DNS-hijacking-22523200 en Sat, 11 Feb 2012 12:06:15 EDT Sat, 11 Feb 2012 12:06:15 EDT http://www.dslreports.com/forum/Tried-on-OOL-Boost-wOpenDNS-WRT54G-22526419
Major Abnormalities

* We received unexpected and possibly dangerous results when looking up important names

Minor Aberrations

* Your DNS resolver returns results even when no such server exists

Address-based Tests

NAT detection: NAT Detected

Your global IP address is xxx.xxx.xxx.xxx while your local one is 192.168.2.122. You are behind a NAT. Your local address is in unroutable address space.

Your NAT renumbers TCP source ports sequentially. The following graph shows connection attempts on the X-axis and their corresponding source ports on the Y-axis.

port sequence plot

DNS-based host information: OK
You are not a Tor exit node for HTTP traffic.
You are listed on the Spamhaus Policy Based Blacklist, meaning that your provider has designated your address block as one that should not be sending any email.
The SORBS DUHL believes you are using a dynamically assigned IP address.
Reachability Tests

General connectivity: OK
Basic UDP access is available.
Direct UDP access to remote DNS servers (port 53) is allowed.
The applet was also able to directly request a large DNS response.
Direct UDP access to remote MSSQL servers (port 1434) is allowed.
Direct TCP access to remote FTP servers (port 21) is allowed.
Direct TCP access to remote SSH servers (port 22) is allowed.
Direct TCP access to remote SMTP servers (port 25) is prohibited.
This means you cannot send email via SMTP to arbitrary mail servers. Such blocking is a common countermeasure against malware abusing infected machines for generating spam. Your ISP likely provides a specific mail server that is permitted. Also, webmail services remain unaffected.
Direct TCP access to remote DNS servers (port 53) is allowed.
Direct TCP access to remote HTTP servers (port 80) is allowed.
Direct TCP access to remote POP servers (port 110) is allowed.
Direct TCP access to remote RPC servers (port 135) is allowed.
Direct TCP access to remote NetBIOS servers (port 139) is blocked.
This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
Direct TCP access to remote IMAP servers (port 143) is allowed.
Direct TCP access to remote SNMP servers (port 161) is allowed.
Direct TCP access to remote HTTPS servers (port 443) is allowed.
Direct TCP access to remote SMB servers (port 445) is blocked.
This is probably for security reasons, as this protocol is generally not designed for use outside the local network.
Direct TCP access to remote SMTP/SSL servers (port 465) is allowed.
Direct TCP access to remote secure IMAP servers (port 585) is allowed.
Direct TCP access to remote authenticated SMTP servers (port 587) is allowed.
Direct TCP access to remote IMAP/SSL servers (port 993) is allowed.
Direct TCP access to remote POP/SSL servers (port 995) is allowed.
Direct TCP access to remote SIP servers (port 5060) is allowed.
Direct TCP access to remote BitTorrent servers (port 6881) is allowed.
Network Access Link Properties

Network latency measurements: Latency: 16ms Loss: 0.0%
The round-trip time (RTT) between your computer and our server is 16 msec, which is good.
We recorded no packet loss between your system and our server.

TCP connection setup latency: 19ms
The time it takes your computer to set up a TCP connection with our server is 19 msec, which is good.

Network bandwidth measurements: Upload 5.2 Mbit/sec, Download >20 Mbit/sec
Your Uplink: We measured your uplink's sending bandwidth at 5.2 Mbit/sec. This level of bandwidth works well for many users.
During this test, the applet observed 4 reordered packets.
Your Downlink: We measured your downlink's receiving bandwidth at >20 Mbit/sec. This level of bandwidth works well for many users.

Network buffer measurements: Uplink 340 ms, Downlink is good
We estimate your uplink as having 340 msec of buffering. This level may serve well for maximizing speed while minimizing the impact of large transfers on other traffic.
We were not able to produce enough traffic to load the downlink buffer, or the downlink buffer is particularly small. You probably have excellent behavior when downloading files and attempting to do other tasks.
HTTP Tests

Address-based HTTP proxy detection: OK
There is no explicit sign of HTTP proxy use based on IP address.

Header-based HTTP proxy detection: OK
No HTTP header or content changes hint at the presence of a proxy.

HTTP proxy detection via malformed requests: OK
Deliberately malformed HTTP requests arrive at our server unchanged. We are not able to detect a proxy along the path to our server using this method.

Filetype-based filtering: OK
We did not detect file-content filtering.

JavaScript-based tests: OK
The applet was not run from within a frame.
Your web browser reports the following cookies for our web page:

* netAlizEd (set by our server)

Your web browser was unable to fetch an image using IPv6.

HTTP caching behavior: OK
There is no suggestion that a transparent HTTP cache exists in your network.
DNS Tests

Restricted domain DNS lookup: OK
We are able to successfully lookup a name which resolves to the same IP address as our webserver. This means we are able to conduct many of the tests on your DNS server.

Unrestricted domain DNS lookup: OK
We are able to successfully lookup arbitrary names from within the Java applet. This means we are able to conduct all test on your DNS server.

DNS resolver address: OK
The IP address of your ISP's DNS Resolver is 208.67.217.8, which resolves to bld3.nyc.opendns.com.

DNS resolver properties: Lookup latency: 360ms
Your ISP's DNS resolver requires 360 msec to conduct an external lookup, and 170 msec to lookup an item in the cache.
Your resolver is using QTYPE=A for default queries.
Your resolver also performs IPv6 queries in addition to IPv4 queries.
Your DNS resolver does not use EDNS.
Your resolver does not use 0x20 randomization, but will pass names in a case-sensitive manner.
Your ISP's DNS resolver respects a TTL of 0 seconds.
Your ISP's DNS resolver respects a TTL of 1 seconds.

DNS glue policy: OK
Your ISP's DNS resolver accepts generic glue records located in subdomains of the queried domain.
Your ISP's DNS resolver accepts additional (glue) records for nameservers located in subdomains of the queried domain.
Your ISP's DNS resolver follows CNAMEs when it is in the same domain.

DNS resolver port randomization: OK
Your ISP's DNS resolver properly randomizes its local port number.
The following graph shows DNS requests on the x-axis and the detected source ports on the y-axis.

port sequence plot

DNS lookups of popular domains: Warning
You appear to be using OpenDNS as your DNS resolver. One known issue with OpenDNS is that, by default, OpenDNS acts as a Man-in-the-Middle for some servers, returning the address of one of their servers that acts as an intermediary, rather than the final result. This can both slow down searches and may break other functionality. As a result, 1 lookup appears to be anomalous.
Name IP Address Reverse Name/SOA
www.google.com 208.67.217.231 google.navigation.opendns.com
74 of 74 popular names were resolved successfully. Show all names.
In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
Name IP Address Reverse Name/SOA
www.abbey.co.uk 165.160.13.20 X (pdns1.cscdns.net)
ad.doubleclick.net 216.73.86.152 annymegaadvip2.doubleclick.net
www.alliance-leicester.co.uk 194.130.105.121 X (alice.ioko365.com)
www.amazon.com 72.21.210.250 210-250.amazon.com
www.ameritrade.com 204.58.27.113 beta-new.tdameritrade.com
www.bankofamerica.com 171.161.161.173 www.bankofamerica.com
www.bankofscotland.co.uk 195.171.171.21 X (ns0.bt.net)
www.bankofthewest.com 207.114.194.101 X (dns1a.bankofthewest.com)
www.barclays.co.uk 213.219.1.141 X (dns1.lon7.telecityredbus.net)
www.capitalone.com 208.80.50.112 X (chia.arin.NET)
www.careerbuilder.com 208.82.6.22 X (smokey.careerbuilder.com)
www.chase.com 159.53.60.105 X (ns1.jpmorganchase.com)
chaseonline.chase.com 159.53.60.54 resources-cdc1.chase.com
www.citi.com 192.193.232.227 X (ns.citicorp.com)
www.citibank.com 192.193.232.227 X (ns.citicorp.com)
www.citimortgage.com 192.193.218.222 X (ns.citicorp.com)
www.cnn.com 157.166.224.25 X (twdns-02.ns.aol.com)
www.desjardins.com 142.195.128.44 desjardins.com
www.deutsche-bank.de 217.73.49.24 www.deutsche-bank.de
www.e-gold.com 209.200.169.10 unknown.prolexic.com
www.ebay.com 66.135.200.27 hp-core.ebay.com
www.etrade.com 12.153.224.22 etrade.com
www.facebook.com 69.63.184.143 www-11-03-ash1.facebook.com
www.fdic.gov 192.147.69.84 www.fdic.gov
www.friendfinder.com 208.88.180.81 X (ii53-30.friendfinderinc.com)
www.geocities.com 98.137.46.72 intl1.geo.vip.sp2.yahoo.com
www.halifax.co.uk 212.140.245.97 www.halifax.co.uk
www.hsbc.co.uk 193.108.74.126 X (ns3.hsbc.com)
www.jpmorganchase.com 159.53.60.166 X (ns1.jpmorganchase.com)
www.lloydstsb.com 193.34.230.181 X (ns2.lloydstsb.co.uk)
mail.google.com 66.102.1.19 he-in-f19.google.com
mail.live.com 64.4.20.186 dp4.mail.live.com
mail.yahoo.com 69.147.112.160 l2.login.vip.re3.yahoo.com
www.mbna.com 209.135.59.10 X (ns1.usi.net)
www.mbna.net 209.135.59.10 X (ns1.usi.net)
www.meebo.com 208.81.191.110 X (ns1.meebo.com)
messenger.yahoo.com 68.142.230.204 myc1.msg.vip.re2.yahoo.com
www.microsoft.com 207.46.193.254 wwwtk2test2.microsoft.com
www.nationwide.co.uk 155.131.127.10 www.nationwide.co.uk
www.networksolutions.com 205.178.187.13 www.networksolutions.com
www.newegg.com 216.52.208.185 X (pdns1.ultradns.net)
www.nordea.fi 195.215.15.166 www.nordea.fi
online.citibank.com 192.193.180.87 citibankonline.com
online.wellsfargo.com 151.151.13.132 psaltery-on.wellsfargo.com
www.orange.fr 193.252.122.103 www.orange.fr.b2.fti.net
pagead.googlesyndication.com 66.102.1.166 he-in-f166.google.com
partner.googleadservices.com 66.102.1.166 he-in-f166.google.com
www.paypal.com 64.4.241.49 node-64-4-241-4[...]orks.paypal.com
www.rbs.co.uk 155.136.80.222 X (ns0-08.dns.pipex.net)
www.schwab.com 162.93.224.80 wwwschwab-vip.schwab.com
www.sears.com 96.6.73.99 a96-6-73-99.dep[...]echnologies.com
www.secureworks.com 65.114.32.183 www.secureworks.net
smartzone.comcast.net 76.96.26.12 webmail3.emeryv[...]ail.comcast.net
www.smithbarney.com 192.193.20.126 X (ns.citicorp.com)
www.sparkasse.de 195.140.127.130 www.sparkasse.de
www.sterlingsavingsbank.com 12.19.55.215 sterlingsavingsbank.com
www.tdameritrade.com 204.58.27.105 beta-new.tdameritrade.com
www.ticketmaster.com 69.192.20.199 a69-192-20-199.[...]echnologies.com
www.trendmicro.com 204.141.87.33 X (auth1.ns.gin.ntt.net)
us.etrade.com 12.153.224.21 us.etrade.com
www.verisign.com 65.205.249.60 www.verisign.net
www.wachovia.com 169.200.183.139 X (sls-ns1.wachovia.com)
www.wamu.com 167.88.184.51 www.wamu.com
www.wellsfargo.com 151.151.88.133 percussion-dd.wellsfargo.com
westernunion.com 206.201.227.250 wumt1.westernunion.com
windowsupdate.microsoft.com 207.46.225.221 X (msnhst.microsoft.com)
wireless.att.com 135.209.208.191 origin-busine[...]eless.att.com
www.yahoo.com 69.147.76.15 f1.www.vip.re1.yahoo.com
2 popular names have a mild anomaly. The ownership suggested by the reverse name lookup does not match our understanding of the original name. The most likely cause is the site's use of a Content Delivery Network. Show all names.
Name IP Address Reverse Name/SOA
www.postbank.de 195.50.155.73 X (ns1.arcor-ip.de)
www.usbank.com 170.135.216.181 facts529.com, frysvisa.net, frysvisa.org, u-s-bank.us, u-s-bank.biz, u-s-bank.net, u-s-bank.org, usbanksl.com, usbtrust.com, vailbank.com, cachevisa.com, usbancorp.cc, usbancorp.us, usbancorp.biz, usbancorp.net, usbancorp.org, usbancorp.info, vailbanks.com
3 popular names have a mild anomaly: we are unable to find a reverse name associated with the IP address provided by your ISP's DNS server. This is most likely due to a slow responding DNS server or misconfiguration on the part of the domain owner. Show all names.
Name IP Address Reverse Name/SOA
www.f-secure.com 216.246.75.83 X
www.irs.gov 216.246.75.73 X
www.visa.com 216.246.75.91 X

DNS results wildcarding: OpenDNS

You appear to be using OpenDNS. OpenDNS, by default, deliberately returns addresses even for domain names which should not resolve. Instead of an error, the DNS server returns an address of 208.67.217.132, which resolves to hit-nxdomain.opendns.com. You can inspect the resulting HTML content here.

This is central to OpenDNS's business model. In order to profit from an otherwise free service, OpenDNS presents the users with advertisements whenever they make a typo in their web browser. You can disable this behavior through the OpenDNS Dashboard.

The big problem with this behavior is that it can potentially break any network application which relies on DNS properly returning an error when a name does not exist.

The following lists your DNS server's behavior in more detail.

Your ISP's DNS server returns IP addresses even for domain names which should not resolve. Instead of an error, the DNS server returns an address of 208.67.217.132, which resolves to hit-nxdomain.opendns.com. You can inspect the resulting HTML content here.

There are several possible explanations for this behavior. The most likely cause is that the ISP is attempting to to profit from customer's typos by presenting advertisements in response to bad requests, but it could also be due to an error or misconfiguration in the DNS server.

The big problem with this behavior is that it can potentially break any network application which relies on DNS properly returning an error when a name does not exist.

The following lists your DNS server's behavior in more detail.

* www.{random}.com is mapped to 208.67.217.132.
* www.{random}.org is mapped to 208.67.217.132.
* fubar.{random}.com is mapped to 208.67.217.132.
* www.yahoo.cmo [sic] is mapped to 208.67.217.132.
* nxdomain.{random}.netalyzr.icsi.berkeley.edu is mapped to 208.67.217.132.

Host Properties

System clock accuracy: OK
Your computer's clock agrees with our server's clock.

Browser properties
The following parameters are sent by your web browser to all web sites you visit:

* User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
* Accept: text/html,application/xhtml+xml,application/xml; q=0.9,*/*; q=0.8
* Accept Language: en-us,en;q=0.5
* Accept Encoding: gzip,deflate
* Accept Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
--
»www.Warpstock.org
]]> http://www.dslreports.com/forum/Tried-on-OOL-Boost-wOpenDNS-WRT54G-22526419 Wed, 10 Jun 2009 08:16:11 EDT http://www.dslreports.com/forum/Cant-confirm-the-transparent-DNS-hijacking-22523200
»koitsu.wordpress.com/2009/06/09/···traffic/]]> http://www.dslreports.com/forum/Cant-confirm-the-transparent-DNS-hijacking-22523200 Tue, 09 Jun 2009 16:48:21 EDT