Backup blog for when I make scammers and spammers angry and they DDoS my personal website. If you can read this, somebody is pissed off at me.

Thursday, April 27, 2006

Shady DNS Redirection Revisited

Note: This was first posted to my personal website on April 20, 2006 but has been moved here as a result of continued DDoS attacks on my server.


I’ve gotten a few emails related to this topic but I just noticed them today (one of the dangers of having more than a dozen pop3 accounts). My apologies for the delay.

I’ve also been stifled by a DDoS attack that is apparently being directed at this blog. I have no idea what that’s all about.

In regard to how I got rid of this f*****g plague, well, there was nothing glamorous, heroic, or even technical about it I'm afraid.

I just waited.

The redirections from wc.funnel.revenuedirect.com.akadns.net ended approximately 24 hours after they began. That would sound about right since a lot of DNS servers are configured with a 24-hour minimum TTL.

I do have a theory about how this is occurring on live domains that are not undergoing name server changes, but it's not coherent enough to be published yet. I'll get to it as soon as I can.

My best advice would be this:

  • Never let your domain sit for even a short period of time without a valid name server registered at your registrar.
  • Make sure your domain’s zone exists on your new name server before you even attempt a changeover. In spite of the 24-48 hour propagation cycle that people expect, registrars can often propagate name server changes in under an hour. GoDaddy does it almost instantly.
  • Contact friends at other ISPs to see if they are having the same problem (not always practical, I know).
  • Contact your ISP and ask them to manually scavenge the DNS records for your zone (good luck with that) to ensure their DNS server is resolving with the most recent records.

That’s all I’ve got for now, but I’ll keep looking for answers. If anyone has some additional insight or intel, please feel free to post it in the comments.

Google is being Evil. (maybe Roadrunner too)

Note: This was first posted to my personal website on January 17, 2006 but has been moved here as a result of continued DDoS attacks on my server.


A funny thing happened when I moved darelparker.com to my new colocation server. Well, not so much funny as disturbing and deceptive.

After changing the registered name servers for my domain, my browser began displaying a banner infested pseudo-search engine at an IP address I’ve never heard of.

And it looks like spyware isn’t the cause.

If this was a client’s PC, I’d immediately blame spyware or a trojan, install Microsoft AntiSpyware and just move along.

But wait. This is my own domain being hijacked on my own machine and I’ve never had a spyware infection…ever. What the hell is going on?

I check the site on my second home PC. Same thing. My laptop? Ditto.

I visit a friend who also has Roadrunner Internet service. Sure enough, darelparker.com returns the same banner/search page. This sucks.

Viewing the page code reveals domain parking information belonging to Oingo.com, the main page of which redirects to a company called Applied Semantics (www.appliedsemantics.com). According to a linked press release on Google’s own website, Applied Semantics has been purchased by Google. That’s interesting.

Searching for Oingo.com on Google turns up, literally, nothing. That’s a little frightening.

Searching for Oingo.com on Yahoo! turns up only a few relevant pages, but one describes a Mac user with a similar problem. A Mac with the same problem? Scratch spyware.

A quick DNS query returns some strange results.

NSLOOKUP from Roadrunner default DNS server (WTF?)

C:\Documents and Settings\dparker>nslookup darelparker.com
Server: austtx-dns-cac-fn.texas.rr.com
Address: 24.93.41.125

Non-authoritative answer:
Name: wc.funnel.revenuedirect.com.akadns.net
Addresses: 66.150.161.58, 69.25.47.165
Aliases: darelparker.com.home.darelparker.com, wc.traffic.puredns.com

A whois query tells me that wc.funnel.revenuedirect.com.akadns.net is in a subnet owned by Dotster. Why the hell are they responding to DNS queries for my domain?

Furthermore, a whois query of darelparker.com returns the correct name servers so that’s not the problem:

Domain servers in listed order:
NS1.DISKVAULT.NET
NS2.DISKVAULT.NET

One last thing. I run a lookup from another ISP’s DNS server which returns the correct web server IP.

NSLOOKUP from another ISP’s DNS server (Correct)

C:\Documents and Settings\dparker>nslookup darelparker.com 170.76.16.5
Server: dnsmtx.tiagris.net
Address: 170.76.16.5

Non-authoritative answer:
Name: darelparker.com
Address: 147.202.67.234

Looks like Roadrunner is the one with the problem.
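As an added example (not code from the original post), here is a small Python script that does the comparison above mechanically: it parses nslookup output from several resolvers, checks each answer against the domain's real address, and flags any resolver whose answer resolves through names outside the zone, which is exactly the pattern in the Roadrunner transcript. The two transcripts are constructed copies of the ones shown above, the domain and the correct address come from the post, and the function names are my own.

```python
"""Audit several resolvers' answers for one domain against the authoritative answer.

Added example, not part of the original post. The nslookup transcripts are
constructed copies of the two shown in the post; the expected address
(147.202.67.234) is the one the post reports as correct.
"""

# Constructed sample: nslookup output from the Roadrunner resolver, as on the page.
ROADRUNNER = """\
Server: austtx-dns-cac-fn.texas.rr.com
Address: 24.93.41.125

Non-authoritative answer:
Name: wc.funnel.revenuedirect.com.akadns.net
Addresses: 66.150.161.58, 69.25.47.165
Aliases: darelparker.com.home.darelparker.com, wc.traffic.puredns.com
"""

# Constructed sample: nslookup output from the other ISP's resolver, as on the page.
OTHER_ISP = """\
Server: dnsmtx.tiagris.net
Address: 170.76.16.5

Non-authoritative answer:
Name: darelparker.com
Address: 147.202.67.234
"""


def parse_nslookup(text):
    """Return {'server', 'name', 'addresses', 'aliases'} parsed from nslookup output.

    The Server:/Address: pair before "Non-authoritative answer:" describes the
    resolver; the Name:/Address(es):/Aliases: lines after it describe the answer.
    """
    fields = {"server": None, "name": None, "addresses": [], "aliases": []}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "server":
            fields["server"] = value
        elif key.startswith("non-authoritative"):
            in_answer = True
        elif in_answer and key == "name":
            fields["name"] = value.rstrip(".").lower()
        elif in_answer and key in ("address", "addresses"):
            fields["addresses"] += [a.strip() for a in value.split(",") if a.strip()]
        elif in_answer and key == "aliases":
            fields["aliases"] += [a.strip().rstrip(".").lower() for a in value.split(",") if a.strip()]
    return fields


def in_zone(name, domain):
    """True if name is the domain itself or a label underneath it."""
    return name == domain or name.endswith("." + domain)


def audit(domain, expected_addresses, answers):
    """Return [(resolver, [problems])] for each parsed answer.

    A clean answer has a canonical name inside the zone, no alias hop through a
    third-party name, and exactly the addresses the authoritative server publishes.
    """
    report = []
    for ans in answers:
        problems = []
        if ans["name"] and not in_zone(ans["name"], domain):
            problems.append(f"canonical name {ans['name']} is outside {domain}")
        for alias in ans["aliases"]:
            if not in_zone(alias, domain):
                problems.append(f"alias chain passes through third-party name {alias}")
        if set(ans["addresses"]) != set(expected_addresses):
            problems.append(f"addresses {ans['addresses']} differ from authoritative {sorted(expected_addresses)}")
        report.append((ans["server"], problems))
    return report


if __name__ == "__main__":
    parsed = [parse_nslookup(ROADRUNNER), parse_nslookup(OTHER_ISP)]
    for server, problems in audit("darelparker.com", ["147.202.67.234"], parsed):
        print(f"{server}: {'SUSPECT' if problems else 'OK'}")
        for p in problems:
            print("  -", p)
```

Run against the two transcripts it reports the Roadrunner resolver as suspect on all three counts (off-zone canonical name, an alias hop through puredns.com, and addresses that do not match) and the other ISP's resolver as clean. Pasting in the output of `nslookup yourdomain.com <resolver-ip>` from a few different ISPs is the mechanical version of the "ask friends at other ISPs" advice in the post above.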

A little background history that only partially explains what is happening.

Several months ago I purchased a second colocation server to reduce the workload on my primary server. Since then I’ve been moving some of my domains onto the new server as well as changing the registered name servers for those domains since the new box acts as the name server for hosted domains automatically.

Typically, I’ll create a hosting account on my server, change the name servers at the registrar (GoDaddy rocks!), and wait a few minutes. No problem.

At the time I moved darelparker.com to the new server, I changed the name servers at the registrar before I created a hosting account - and DNS records - on my new server.

Essentially, my domain existed for several minutes with registered name servers that didn’t contain any DNS records for the domain. If someone had tried to visit the site, they would get a DNS error message. But I can live with a few minutes of down time so no big deal, right?

However, once the hosting account was created and the DNS records were properly configured, the name server should have responded to DNS queries allowing browsers to find the domain.

But instead of seeing my beloved Wordpress front end, the banner infested search page reared its ugly head. And at least on Roadrunner’s service, the banner/search page continued to appear for about 24 hours after the changeover.

All of this raises a few questions:

Why is Google’s new company, Oingo.com, serving ads on domain parking pages for domains that are inactive - even for a few minutes? Is Google responsible for a new DNS hijacking scheme similar to the Network Solutions fiasco?

Is a DNS server - which shouldn’t even be responding to queries - forcing wildcard DNS records with 24 hour TTLs to keep visitors redirected for much longer than necessary?

And why are Roadrunner’s DNS servers sending queries to wc.funnel.revenuedirect.com.akadns.net in the first place?

So far, I haven’t found any good answers, but I’ll let you know when I do.

Saturday, April 22, 2006

The DDoS Limbo

If you're reading this, it's because my website is down. Again.

For the third time in as many weeks, my personal blog, www.darelparker.com, has been hit with a distributed denial of service attack. Not "affected by", but directly targeted.

I know this because it's the only website at the IP address that was attacked. Three weeks ago, it had a different IP address which was - you guessed it - also attacked.

Not much controversy on my website, but I have noticed that as of late, I've been getting a bunch of traffic for an article I wrote, critical of an apparent DNS hijacking scheme, the source of which no one seems able to identify.

To be sure, the colocation facility has verified this to be a DDoS and not a Slashdotting or Digg, so I'm wondering WTF is going on. Did I piss somebody off?