DNS Cache Poisoning

Kevin1911 (Occasional Visitor)

Evening all.

I've been noticing some unusually odd behaviour on my home network over the weekend. Things like the eBay app on my phone saying there's no network, when the WiFi is working fine, but then working ok when I disconnect from WiFi. That, and an unusually large number of Certificate Errors for sites such as ebay.co.uk and amazon.co.uk.

On further investigation, I think we may be subject to some DNS Cache Poisoning. I've noticed the DNS responses for www.ebay.co.uk seem to be changing frequently between legitimate responses, and non-legitimate responses. See below:


C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Non-authoritative answer:
Name: e11847.g.akamaiedge.net
Address: 92.122.166.107
Aliases: www.ebay.co.uk
slot11847.ebay.com.edgekey.net


C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Name: www.ebay.co.uk
Address: 185.244.150.17


C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Non-authoritative answer:
Name: www.ebay.co.uk
Address: 185.244.150.17


C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Non-authoritative answer:
Name: e11847.g.akamaiedge.net
Address: 92.122.166.107
Aliases: www.ebay.co.uk
slot11847.ebay.com.edgekey.net


C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Non-authoritative answer:
Name: e11847.g.akamaiedge.net
Address: 92.122.166.107
Aliases: www.ebay.co.uk
slot11847.ebay.com.edgekey.net


C:\Windows\system32>

Our router is an Asus RT-N66U running Merlin firmware. I'm sure I had configured it to use Google DNS servers, but when I went in to check earlier, those DNS servers were not configured, and they were just blank.
I've added them back in, but still seeing wrong DNS responses.

I've changed the WiFi password, but not sure what else I can do. I've run Anti-malware and anti-virus scans - a few malware registry keys were found but nothing else. Does anyone have any suggestions?
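As an added example (not from the thread), here is a small Python parser for pasted nslookup output such as the runs above; it reports any query whose answers flip between distinct results, which is what the original poster noticed by eye. The embedded transcript is constructed from the two response shapes shown above.

```python
import re

# Constructed from the nslookup runs pasted above: a CDN alias-chain answer and a bare A record.
TRANSCRIPT = r"""C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Non-authoritative answer:
Name: e11847.g.akamaiedge.net
Address: 92.122.166.107
Aliases: www.ebay.co.uk
slot11847.ebay.com.edgekey.net

C:\Windows\system32>nslookup www.ebay.co.uk
Server: broadband.bt.com
Address: 2a00:23c5:4f8a:c600::1

Name: www.ebay.co.uk
Address: 185.244.150.17
"""

PROMPT = re.compile(r"^.*>nslookup\s+(\S+)\s*$", re.M)

def parse_transcript(text):
    """Split a pasted nslookup session into (query, final_name, addresses, aliases).
    The first two non-empty lines of a run (Server:/Address:) describe the resolver, not the answer."""
    parts = PROMPT.split(text)           # [preamble, query1, body1, query2, body2, ...]
    results = []
    for query, body in zip(parts[1::2], parts[2::2]):
        lines = [l.strip() for l in body.splitlines() if l.strip()][2:]
        name, addrs, aliases, in_alias = None, [], [], False
        for line in lines:
            key, _, val = line.partition(":")
            if key == "Name":
                name, in_alias = val.strip(), False
            elif key in ("Address", "Addresses"):
                addrs.append(val.strip()); in_alias = False
            elif key == "Aliases":
                aliases.append(val.strip()); in_alias = True
            elif in_alias:                # bare continuation line of the alias list
                aliases.append(line)
        results.append((query, name, tuple(addrs), tuple(aliases)))
    return results

def inconsistent_answers(records):
    """Queries that got more than one distinct (final_name, addresses) answer, as in the flipping seen above."""
    seen = {}
    for query, name, addrs, _ in records:
        seen.setdefault(query, set()).add((name, addrs))
    return {q: sorted(a) for q, a in seen.items() if len(a) > 1}
```

Running `inconsistent_answers(parse_transcript(TRANSCRIPT))` lists both answers for www.ebay.co.uk; a name that alternates between a CDN alias chain and a bare A record within seconds should be checked against a second, trusted resolver.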
 
Yep! That's it exactly! I just realised there are DNS servers configured on both the LAN and the WAN pages of the router. I had changed the LAN back to Google (and now BT), but the WAN was still sitting with 185.183.96.149 as the primary DNS - which I had never configured.

Very alarming! I can't be sure if this has been set by someone hacking in or by a UPNP device on my LAN doing some on-the-fly router config. I just set up a new QNAP NAS the other day and it wanted to do some router config to get the cloud thing working.
 
Did you enable Web Access from WAN? That seems to be the most common way these routers are being hacked.

What firmware version are you running?
 
> Did you enable Web Access from WAN? That seems to be the most common way these routers are being hacked.
>
> What firmware version are you running?

Yes, that was enabled - although the password was pretty random. I've now disabled the admin username too.

Running firmware 380.69.
 
Too bad there is not a way to lock your router to only a couple of DNS servers. That way if your router's DNS gets changed then DNS will fail and you will know you have been hacked. I use access lists on my router to lock my router.
 
> Yes, that was enabled - although the password was pretty random. I've now disabled the admin username too.

That's almost certainly how they got in. It doesn't matter what the user name and password were. Never have that option enabled.

> Running firmware 380.69.

You need to do a factory reset on your router and manually reconfigure it (or use a backup settings file that is sufficiently old that you are certain it was taken before the hack). After that update to the latest firmware. But longer term you need to use a different firmware because Merlin has dropped support for the N66U.
 
When changing/updating the DNS servers on the router, don't forget to clear the local DNS cache on the LAN computers...

Windows 10/8/7/XP

ipconfig /flushdns

OSX (except for 10.10)

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Many linuxes - check first

/etc/init.d/named restart

or

/etc/init.d/nscd restart
 
Doesn't the web interface need to be enabled to allow DDNS to work for inbound VPNing to work? If I disable the web interface, will it still work?

I saw that Merlin support had ended - a perfect excuse for me to buy something new. Can't decide what though - we have BT Whole Home WiFi for the wifi now, so really only need a router to do VPN, DHCP, DNS and Firewalling. Tempted to get a Cisco of some sort - try to keep my skills sharp from getting too blunt
 
> Doesn't the web interface need to be enabled to allow DDNS to work for inbound VPNing to work? If I disable the web interface, will it still work?
>
> I saw that Merlin support had ended - a perfect excuse for me to buy something new. Can't decide what though - we have BT Whole Home WiFi for the wifi now, so really only need a router to do VPN, DHCP, DNS and Firewalling. Tempted to get a Cisco of some sort - try to keep my skills sharp from getting too blunt

If you want to try a Cisco router the RV320 router is going cheap on eBay right now. It has the ACL capability to lock the DNS servers. I have a thread somewhere here. Let me know if you need me to find it. My DNS was hacked in the old days also.

The RV340 router is current. It is a little more expensive.
 
> If you want to try a Cisco router the RV320 router is going cheap on eBay right now. It has the ACL capability to lock the DNS servers.

@coxhaus What's the current situation with support for second hand Cisco equipment? When I was dealing with their enterprise kit a few years ago you couldn't download any of the firmware updates without having a current support contract. If that's the same for these units on eBay then that makes them a much more expensive (or insecure) proposition.
 
Cisco small business hardware has free software updates. You do not need to buy new or register your equipment. I buy some new and some used. It just depends if I want the latest or not. Buying used is a good way to test the water to really see if it is what I want.

When I was working on Cisco pro gear if you bought used it had to be Cisco certified before you could get TAC support. This was an extra expense for buying used. TAC support has all firmware updates for pro gear.
 
Your router wasn't hacked, your DNS was hijacked. Your DNS was using p2p based and BT's own hijack to ensure that their blocking of websites sticks. Use DNSCrypt with a provider that supports it.

ASUS routers have ACLs too using RMerlin's firmware using iptables via SSH.
 
> Your router wasn't hacked, your DNS was hijacked. Your DNS was using p2p based and BT's own hijack to ensure that their blocking of websites sticks.

That's rather surprising. So how did they manage to change his router's configuration (see post #3), and why would BT direct it to a Dutch hosting company?
 
You need to look at your PC and see which DNS it is using. If it uses the router DNS then the router was changed. If it is using a DNS server on the PC then your PC was changed. If you use a local DNS then it could have been changed.
One other thing to check is your host file. It is possible it was changed on the PC. More than likely it was your router.
 
