 | [General] Earthlink DNS server pointing www.google.com to unknow Noticed in the past day or so that I started getting CAPTCHA requests for Google searches saying that too many requests are originating from an IP other than my own. Thought I was a victim of malware, but after troubleshooting noticed that 207.69.188.185 ns1.mindspring.com was returning 64.27.117.179 for www.google.com, www.bing.com & www.ask.com. It seems that 64.27.117.179 is a squid server which is configured to only proxy requests for major search engines. I knew Earthlink would return their own page if a DNS lookup failed. But are they now also fully proxying search requests (Datamining??) or has their DNS server 207.69.188.185 been poisoned? Anyone else seeing this? Pointing to a different DNS server completely fixed the issue. |
|
 | Re: [General] Earthlink DNS server pointing www.google.com to un This might also be the issue... Earthlink collecting a little more revenue?? »en.wikipedia.org/wiki/Paxfire |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | reply to dm Not coming from Earthlink. Could you have spyware or a new router that is altering your DNS queries?
will$ dig google.com @207.69.188.185
; <<>> DiG 9.7.3-P3 <<>> google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43599
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 2
;; QUESTION SECTION:
;google.com.                    IN      A
;; ANSWER SECTION:
google.com.             124     IN      A       74.125.224.144
google.com.             124     IN      A       74.125.224.147
google.com.             124     IN      A       74.125.224.145
google.com.             124     IN      A       74.125.224.146
google.com.             124     IN      A       74.125.224.148
;; AUTHORITY SECTION:
google.com.             114012  IN      NS      ns3.google.com.
google.com.             114012  IN      NS      ns2.google.com.
google.com.             114012  IN      NS      ns4.google.com.
google.com.             114012  IN      NS      ns1.google.com.
;; ADDITIONAL SECTION:
ns4.google.com.         345077  IN      A       216.239.38.10
ns2.google.com.         344021  IN      A       216.239.34.10
;; Query time: 379 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Thu Sep 22 23:12:08 2011
;; MSG SIZE rcvd: 212
The IPs of the proxy appear to be from the following provider.
DataPipe, Inc. DATAPIPE-BLK1 (NET-64-27-64-0-1) 64.27.64.0 - 64.27.127.255
American Registry for Internet Numbers NET64 (NET-64-0-0-0-0) 64.0.0.0 - 64.255.255.255
|
|
 | Definitely not spyware or new router. Confirmed with friend on different modem and different borough in NYC. He got this response as well:
Name: www.google.com
Addresses: 64.27.117.179, 69.25.212.24
On the first nslookup try he got the right response, which is what you posted. It took a couple of queries before he got the last response, which means 207.69.188.185 is probably pointing to a pool of servers, hence different responses. One server in the group is either poisoned, or their DNS redirect appliance (Barefruit?? or Paxfire) has been reconfigured maliciously/accidentally, or Earthlink is testing a new feature. |
|
 | This has been happening to me for the past few days and I've been going crazy trying to figure it out. So glad I found this post. I noticed the same 64.27.117.179 issue as well. It seems to happen at random. |
|
 | Also happening to me. I posted on the forums for Google and found other Earthlink users with the same problem.
I ran an app to find the fastest DNS servers and I changed them and it's working fine now.
This is a DNS HIJACK. It is only happening to those on Earthlink and therefore appears to be operated on behalf of them with full scale knowing of everything one queries back to them. |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | reply to dm Can you guys provide a traceroute to ns1? It's anycasted and I've tried about ~200 queries without replicating the same result.
It could be I'm just going to a different pool. |
|
 ALL @mindspring.com | reply to dm Same google captcha request here, with another IP address given in the same block of addresses belonging to Datapipe. I'm also an earthlink customer in NYC. Anyone have ideas about how to get earthlink to stop doing this? |
|
 | In San Diego, been having the same problem since Thursday. Wasted most of Thursday on malware hunt due to this. Engaged with Earthlink tech support Thursday night and they were not helpful, just wanted me to hard-code my DNS to their server via TCP/IP settings. Obviously that did no good seeing as it is apparently a redirect from their DNS pool to begin with. Posted to Google forums and it looks like Earthlink customers across the country are affected. |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | reply to dm What are the first three octets of your IP addresses? Maybe Earthlink is only returning those A records on specific networks.
e.g. 111.111.111.*
A traceroute to ns1.earthlink.net would also be helpful as I'm sure that address is using anycast. |
|
 | Got the same problem as OP (started same time, have the same IP addresses showing up) in Seattle, definitely an Earthlink problem.... wasted all of Friday hunting for malware.... |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | reply to dm I was able to confirm it
DrDPro:~ will$ dig www.google.com @207.69.188.185
; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8284
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.google.com.                IN      A
;; ANSWER SECTION:
www.google.com.         547802  IN      CNAME   www.l.google.com.
www.l.google.com.       2       IN      A       74.125.224.51
www.l.google.com.       2       IN      A       74.125.224.49
www.l.google.com.       2       IN      A       74.125.224.52
www.l.google.com.       2       IN      A       74.125.224.50
www.l.google.com.       2       IN      A       74.125.224.48
;; AUTHORITY SECTION:
google.com.             290130  IN      NS      ns4.google.com.
google.com.             290130  IN      NS      ns2.google.com.
google.com.             290130  IN      NS      ns3.google.com.
google.com.             290130  IN      NS      ns1.google.com.
;; ADDITIONAL SECTION:
ns4.google.com.         302326  IN      A       216.239.38.10
ns3.google.com.         290380  IN      A       216.239.36.10
ns2.google.com.         298586  IN      A       216.239.34.10
ns1.google.com.         298479  IN      A       216.239.32.10
;; Query time: 87 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:38 2011
;; MSG SIZE rcvd: 268
DrDPro:~ will$ dig www.google.com @207.69.188.185
; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5846
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.google.com.                IN      A
;; ANSWER SECTION:
www.google.com.         551399  IN      CNAME   www.l.google.com.
www.l.google.com.       298     IN      A       74.125.224.82
www.l.google.com.       298     IN      A       74.125.224.84
www.l.google.com.       298     IN      A       74.125.224.80
www.l.google.com.       298     IN      A       74.125.224.83
www.l.google.com.       298     IN      A       74.125.224.81
;; AUTHORITY SECTION:
google.com.             295854  IN      NS      ns1.google.com.
google.com.             295854  IN      NS      ns2.google.com.
google.com.             295854  IN      NS      ns4.google.com.
google.com.             295854  IN      NS      ns3.google.com.
;; ADDITIONAL SECTION:
ns4.google.com.         295574  IN      A       216.239.38.10
ns1.google.com.         295573  IN      A       216.239.32.10
ns3.google.com.         298038  IN      A       216.239.36.10
ns2.google.com.         295574  IN      A       216.239.34.10
;; Query time: 87 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:39 2011
;; MSG SIZE rcvd: 268
DrDPro:~ will$ dig www.google.com @207.69.188.185
; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26196
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.                IN      A
;; ANSWER SECTION:
www.google.com.         60      IN      A       64.27.117.179
www.google.com.         60      IN      A       69.25.212.24
;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.
;; Query time: 88 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:40 2011
;; MSG SIZE rcvd: 120
Looks more like cache poisoning to me. |
|
 DrStrange (Technically feasible, Premium, join: 2001-07-23, West Hartford, CT, kudos: 1) | reply to dm Checked for this, querying DNS for google.com from 207.69.188.185 on my non-Earthlink Covad connection and I'm not seeing it. May be unique to Earthlink.
Possibly a piece of hardware only used by ELNK subscribers that has been compromised.
Disclaimer: This is only a theory based on an attempt at deductive reasoning. I have no proof that any piece of hardware has been compromised. |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | said by DrStrange: Checked for this, querying DNS for google.com from 207.69.188.185 on my non-Earthlink Covad connection and I'm not seeing it. May be unique to Earthlink. Keep querying with a utility that doesn't cache. E.g. dig on *nix.
I can replicate this on my COVAD connection (LPV) and my Clearwire connection.
EDIT: You also have to query www.google.com to replicate. They're not modifying google.com |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | reply to dm If you look up a non-existent domain, you will also get the Paxfire servers. It doesn't look like a cache poison. Earthlink has replaced Barefruit for the NXDOMAIN redirect and added Google proxying/sniffing.
will$ dig earthlinkyoufail.com @207.69.188.185
; <<>> DiG 9.7.3 <<>> earthlinkyoufail.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2040
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;earthlinkyoufail.com.          IN      A
;; ANSWER SECTION:
earthlinkyoufail.com.   60      IN      A       8.15.7.118
earthlinkyoufail.com.   60      IN      A       63.251.179.22
;; AUTHORITY SECTION:
earthlinkyoufail.com.   65535   IN      NS      WSC2.JOMAX.NET.
earthlinkyoufail.com.   65535   IN      NS      WSC1.JOMAX.NET.
;; Query time: 529 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 22:08:18 2011
;; MSG SIZE rcvd: 126
|
|
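Pulling together the checks the thread applies by hand (repeated dig queries, the DataPipe block, the JOMAX.NET authority records, the NXDOMAIN test name), here is an added Python example that is not code from any poster: it parses dig-style answer and authority records, flags A records inside the redirect ranges quoted above, compares the authority NS set against the google.com delegation seen in the clean responses, and treats any A record for a name that must not exist as NXDOMAIN wildcarding. The sample records are constructed from the outputs posted in this thread; REDIRECT_NETS and REFERENCE_NS are assumptions taken from those posts.

```python
import ipaddress
import re
# Constructed samples in dig's tab-separated record format, taken from the
# responses posted in this thread (answer and authority sections only).
CLEAN = """\
www.google.com.\t547802\tIN\tCNAME\twww.l.google.com.
www.l.google.com.\t2\tIN\tA\t74.125.224.51
google.com.\t290130\tIN\tNS\tns1.google.com.
google.com.\t290130\tIN\tNS\tns2.google.com."""
HIJACKED = """\
www.google.com.\t60\tIN\tA\t64.27.117.179
www.google.com.\t60\tIN\tA\t69.25.212.24
www.google.com.\t65535\tIN\tNS\tWSC2.JOMAX.NET.
www.google.com.\t65535\tIN\tNS\tWSC1.JOMAX.NET."""
NXDOMAIN_TEST = """\
earthlinkyoufail.com.\t60\tIN\tA\t8.15.7.118
earthlinkyoufail.com.\t60\tIN\tA\t63.251.179.22"""
# Assumed redirect targets, as seen in the thread: the DataPipe block hosting
# the search-engine proxy plus the NXDOMAIN landing addresses.
REDIRECT_NETS = [ipaddress.ip_network(n) for n in (
    "64.27.64.0/18", "69.25.212.24/32", "8.15.7.118/32",
    "63.251.179.22/32", "92.242.140.1/32")]
# Delegation for google.com as returned in the clean responses above.
REFERENCE_NS = {"ns1.google.com.", "ns2.google.com.", "ns3.google.com.", "ns4.google.com."}
RR = re.compile(r"^(\S+)\t(\d+)\tIN\t(\S+)\t(\S+)$")

def parse(text):
    """Return (owner, ttl, type, rdata) tuples from dig-style lines."""
    return [m.groups() for m in map(RR.match, text.splitlines()) if m]

def redirect_hits(records):
    """A records whose address falls inside a known redirect/proxy range."""
    return sorted(r[3] for r in records if r[2] == "A" and
                  any(ipaddress.ip_address(r[3]) in n for n in REDIRECT_NETS))

def foreign_ns(records, reference=REFERENCE_NS):
    """NS targets in the authority section that disagree with the delegation."""
    return sorted(r[3].lower() for r in records
                  if r[2] == "NS" and r[3].lower() not in reference)

def wildcarded(records):
    """True if a name that must not exist still came back with A records."""
    return any(r[2] == "A" for r in records)

def assess(text):
    """Run the two checks that apply to a real name such as www.google.com."""
    recs = parse(text)
    return {"redirect": redirect_hits(recs), "foreign_ns": foreign_ns(recs)}
```

Run `assess` on each answer from a burst of queries against the same resolver: a pool that mixes clean and rewritten answers shows up as a mix of empty and non-empty results, which is exactly the pattern the dig transcripts above exhibit.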
 ALL @mindspring.com | Very informative -- thanks for the help. |
|
 | reply to dm
This is a Paxfire proxy... This is clearly a Paxfire-operated proxy server, based on the user string it returns when you give it incorrect information as well as the authority info in the digs that are posted.
Could one or more of you who are experiencing this run Netalyzr ( »netalyzr.icsi.berkeley.edu ) and contact us at netalyzr-help@icsi.berkeley.edu so we can investigate in more detail?
Thanks! |
|
 | Having the same issue - ran the Netalyzr tool with the following abnormal results:
Content-based HTTP proxy detection: Warning
Changes to headers or contents sent between the applet and our HTTP server show the presence of an otherwise unadvertised HTTP proxy. The proxy rewrites the following styles of HTTP 404 responses: Apache's default messages, custom-content messages, header-only content-less messages.
Direct probing of DNS resolvers
The resolver at 207.69.188.185 was unable to process the following tested types: EDNS0 (DNS extensions), Medium (~1300B) TXT records, Large (~3000B) TXT records, Large (~3000B) TXT records fetched with EDNS0. It does not validate DNSSEC. It wildcards NXDOMAIN errors. Instead of an error it returns the following IP address(es): 8.15.7.118, 63.251.179.22. The resolver reports the following properties: Hostname: adns-two.pdx.sa.earthlink.net
The resolver at 207.69.188.186 can process all tested types. It does not validate DNSSEC. It wildcards NXDOMAIN errors. Instead of an error it returns the following IP address(es): 8.15.7.118, 63.251.179.22. The resolver reports the following properties: Hostname: rns-sneaky.atl.sa.earthlink.net
The resolver at 207.69.188.187 can process all tested types. It does not validate DNSSEC. It wildcards NXDOMAIN errors. Instead of an error it returns the following IP address(es): 92.242.140.1. The resolver reports the following properties: Hostname: rns-catcall.atl.sa.earthlink.net
The resolver at 192.182.182.100 was unable to process the following tested types: EDNS0 (DNS extensions), Medium (~1300B) TXT records, Large (~3000B) TXT records, Large (~3000B) TXT records fetched with EDNS0. It does not validate DNSSEC. It wildcards NXDOMAIN errors. Instead of an error it returns the following IP address(es): 92.242.140.1. The resolver reports the following properties: Hostname: mako.dns.atl.earthlink.net; Version: dnsmasq-2.38; Authors: Simon Kelley; Copyright: Copyright (C) 2000-2007 Simon Kelley
DNS results wildcarding: Warning
Your ISP's DNS server returns IP addresses even for domain names which should not resolve. Instead of an error, the DNS server returns an address of 92.242.140.1, which resolves to unallocated.barefruit.co.uk. There are several possible explanations for this behavior. The most likely cause is that the ISP is attempting to profit from customer's typos by presenting advertisements in response to bad requests, but it could also be due to an error or misconfiguration in the DNS server. The big problem with this behavior is that it can potentially break any network application which relies on DNS properly returning an error when a name does not exist. The following lists your DNS server's behavior in more detail:
www.{random}.com is mapped to 92.242.140.1.
www.{random}.org is mapped to 92.242.140.1.
fubar.{random}.com is mapped to 92.242.140.1.
www.yahoo.cmo [sic] is mapped to 92.242.140.1.
nxdomain.{random}.netalyzr.icsi.berkeley.edu is mapped to 92.242.140.1.
Another problem with the DNS server is its response to a server failure. Instead of properly returning an error when it cannot contact the DNS authority, the DNS server returns an address of 92.242.140.1. Since transient failures are quite common this can be significantly disruptive, turning a transient failure into a wrong answer without any notification to the application doing the name lookup.
DNS support for IPv6: Warning
The DNS resolver you are using deliberately manipulates results. This can prove problematic, as you will be unable to contact an IPv6-only site: the DNS resolver is giving incorrect results for a system which has only an IPv6 address. We expected the applet to only receive cafe:babe:66:0:0:0:0:1 (an IPv6 address), instead it received the following address: 92.242.140.1. Your DNS resolver is not on Google's IPv6 "whitelist", which means that Google does not enable IPv6 access to their services for you. |
|
 | reply to nweaver
How to prevent this... Using Google Public DNS or another third party DNS resolver will stop this redirection as far as we know.
(I personally recommend Google Public DNS as it is a clean DNS service: it does not manipulate results for NXDOMAIN errors) |
|
 whfsdude (Premium, join: 2003-04-05, Washington, DC) | Those on Earthlink DSL provisioned via COVAD can also use COVAD's DNS servers to get around this behavior.
»aol.covad.net/onlinesupportcente···ns.shtml |
|