Weird website issue - seem to be something with the router..

[ex313]

If I browse to this website:
http://heroesforhire.us

I get a page off this website:
https://www.spiceoflifepharmacy.com

1. It only happens on devices connected to the router.
2. It happens on two different PC, all browsers and my android mobile
3. If I engage the VPN on the PC or switch to Verizion data - I get the correct website.
4. If I bypass the router and connect directly to Spectrum - I get the correct site.
5. I have tried a power reset, changing DNS servers - nothing changes it.
6. Cleared browser data, Windows DNS Cache - no effect.
7. If I navigate to any subpage the correct site comes up. (ex: http://heroesforhire.us/?page_id=17)

I am running an AC-1900P on 384.13. Did a full reset on the last firmware update, is there something I am missing?? Some routing table setting or cache that I have failed to clear?

Thanks !

 

[doczenith1]

Website loads fine for me. I'm using cloudflare DoT.

 

[Makaveli]

Site loads find for me also.

 

[ex313]

This is what I get - but only through the router. The website is fine through any other connection.

 

[dave14305]

This is what I get - but only through the router. The website is fine through any other connection.

Looks like your browser has been hijacked. Any unfamiliar extensions?

 

[ex313]

One the mobile - here is wifi:

here is on 4G

 

[ex313]

Looks like your browser has been hijacked. Any unfamiliar extensions?

It does it on multiple browsers, machines, multiple platforms. If I turn on my VPN the site comes up correct. Only variable is the router.

 

[dave14305]

Only variable is the router.

And your ISP.

 

[Treadler]

No issues/strangeness seen here with either of those sites.

 

[ColinTaylor]

Do an nslookup on heroesforhire.us from each device (and check what DNS server you're going to). It's possible that the domain name entry has been poisoned on certain servers.

 

[ex313]

And your ISP.

My desktop is hardwired. If I unplug my machine from the router and directly in to the cable modem, the site comes up fine. Plug it back into the router and the anomaly occurs.

 

[ex313]

Do an nslookup on heroesforhire.us from each device (and check what DNS server you're going to). It's possible that the domain name entry has been poisoned on certain servers.

From the router:

Server: 1.1.1.1
Address 1: 1.1.1.1 one.one.one.one
Name: heroesforhire.us
Address 1: 184.168.139.84 ip-184-168-139-84.ip.secureserver.net

From a website on the desktop:
name class type data time to live
heroesforhire.us IN A 184.168.139.84 3600s (01:00:00)
heroesforhire.us IN NS ns01.domaincontrol.com 3600s (01:00:00)
heroesforhire.us IN NS ns02.domaincontrol.com 3600s (01:00:00)
heroesforhire.us IN SOA
server: ns01.domaincontrol.com
email: dns@jomax.net
serial: 2019030504
refresh: 28800
retry: 7200
expire: 604800
minimum ttl: 600
3600s (01:00:00)
heroesforhire.us IN MX
preference: 10
exchange: remote.heroesforhire.us
3600s (01:00:00)
heroesforhire.us IN TXT v=spf1 a mx ~all 3600s (01:00:00)

From the PC
Server: heroesforhire.us
Address: 184.168.139.84
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to heroesforhire.us timed-out

 

[dave14305]

From the PC
Server: heroesforhire.us
Address: 184.168.139.84
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to heroesforhire.us timed-out

This is interesting.

What DNS servers do you see configured if you run "ipconfig /all". Do you use DNSFilter at the router? If so, what settings?

 

[ColinTaylor]

From the PC
Server: heroesforhire.us
Address: 184.168.139.84
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to heroesforhire.us timed-out

Looks like the DNS server your PC is using isn't working properly. Presumably it's using a DNS server on the router?

 

[ex313]

If I run ipconfig /all - I see the router ip 192.168.54.1 - no individual dns servers which are currently set as 1.1.1.1 and 1.0.0.1.
If I manually set those address in windows - they will populate in the command prompt and I see the same result when I try to browse that URL.

 

[ex313]

Looks like the DNS server your PC is using isn't working properly. Presumably it's using a DNS server on the router?

I changed from cloudflare to google servers 8.8.8.8 and 8.8.4.4 and get the same result. Is it possible that there is some DNS filtering going on at the router?

 

[dave14305]

If I run ipconfig /all - I see the router ip 192.168.54.1 - no individual dns servers which are currently set as 1.1.1.1 and 1.0.0.1.
If I manually set those address in windows - they will populate in the command prompt and I see the same result when I try to browse that URL.

I just realized your output shows heroesforhire.us as the Server not the Name. You may have mistyped your nslookup command.

 

[ColinTaylor]

I changed from cloudflare to google servers 8.8.8.8 and 8.8.4.4 and get the same result. Is it possible that there is some DNS filtering going on at the router?

Are you using DoT, VPN or ad-blocking? If so try disabling those.

 

[ex313]

I just realized your output shows heroesforhire.us as the Server not the Name. You may have mistyped your nslookup command.

Here are two tests - one using the DNS from the router - the other from google dns servers - seems like same results.

C:\Users\XXXX>nslookup -debug heroesforhire.us
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
1.54.168.192.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 1.54.168.192.in-addr.arpa
name = router.asus.com
ttl = 0 (0 secs)
------------
Server: router.asus.com
Address: 192.168.54.1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
heroesforhire.us, type = A, class = IN
ANSWERS:
-> heroesforhire.us
internet address = 184.168.139.84
ttl = 2421 (40 mins 21 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
heroesforhire.us, type = AAAA, class = IN
AUTHORITY RECORDS:
-> heroesforhire.us
ttl = 600 (10 mins)
primary name server = ns01.domaincontrol.com
responsible mail addr = dns.jomax.net
serial = 2019030504
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 600 (10 mins)
------------
Name: heroesforhire.us
Address: 184.168.139.84
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
8.8.8.8.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 8.8.8.8.in-addr.arpa
name = dns.google
ttl = 21427 (5 hours 57 mins 7 secs)
------------
Server: dns.google
Address: 8.8.8.8
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
heroesforhire.us, type = A, class = IN
ANSWERS:
-> heroesforhire.us
internet address = 184.168.139.84
ttl = 2736 (45 mins 36 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
heroesforhire.us, type = AAAA, class = IN
AUTHORITY RECORDS:
-> heroesforhire.us
ttl = 599 (9 mins 59 secs)
primary name server = ns01.domaincontrol.com
responsible mail addr = dns.jomax.net
serial = 2019030504
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 600 (10 mins)
------------
Name: heroesforhire.us
Address: 184.168.139.84

 

[ex313]

Are you using DoT, VPN or ad-blocking? If so try disabling those.

No - but if I turn the VPN on - the site loads properly.