Note: This was first posted to my personal website on January 17, 2006 but has been moved here as a result of continued DDoS attacks on my server.
A funny thing happened when I moved darelparker.com to my new colocation server. Well, not so much funny as disturbing and deceptive.
After changing the registered name servers for my domain, my browser began displaying a banner infested pseudo-search engine at an IP address I’ve never heard of.
And it looks like spyware isn’t the cause.
If this was a client’s PC, I’d immediately blame spyware or a trojan, install Microsoft AntiSpyware and just move along.
But wait. This is my own domain being hijacked on my own machine and I’ve never had a spyware infection…ever. What the hell is going on?
I check the site on my second home pc. Same thing. My laptop? Ditto.
I visit a friend who also has Roadrunner Internet service. Sure enough, darelparker.com returns the same banner/search page. This sucks.
Viewing the page code reveals domain parking information belonging to Oingo.com, the main page of which redirects to a company called Applied Semantics (www.appliedsemantics.com). According to a linked press release on Google’s own website, Applied Semantics has been purchased by Google. That’s interesting.
Searching for Oingo.com on Google turns up, literally, nothing. That’s a little frightening.
Searching for Oingo.com on Yahoo! turns up only a few relevant pages, but one describes a Mac user with a similar problem. A Mac with the same problem? Scratch spyware.
A quick DNS query returns some strange results.
NSLOOKUP from Roadrunner default DNS server (WTF?)
C:\Documents and Settings\dparker>nslookup darelparker.com
Server: austtx-dns-cac-fn.texas.rr.com
Address: 24.93.41.125
Non-authoritative answer:
Name: wc.funnel.revenuedirect.com.akadns.net
Addresses: 66.150.161.58, 69.25.47.165
Aliases: darelparker.com.home.darelparker.com, wc.traffic.puredns.com
A whois query tells me that wc.funnel.revenuedirect.com.akadns.net is in a subnet owned by Dotster. Why the hell are they responding to DNS queries for my domain?
Furthermore, a whois query of darelparker.com returns the correct name servers so that’s not the problem:
Domain servers in listed order:
NS1.DISKVAULT.NET
NS2.DISKVAULT.NET
One last thing. I run a lookup from another ISP’s DNS server which returns the correct web server IP.
NSLOOKUP from another ISP’s DNS server (Correct)
C:\Documents and Settings\dparker>nslookup darelparker.com 170.76.16.5
Server: dnsmtx.tiagris.net
Address: 170.76.16.5
Non-authoritative answer:
Name: darelparker.com
Address: 147.202.67.234
Looks like Roadrunner is the one with the problem.
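The two lookups above differ in exactly the ways a defender would want a script to catch: one resolver answers with a canonical name and aliases outside the queried zone, and the two resolvers disagree on the A records. The checker below is an added example, not the author's code; it parses nslookup-style output constructed from the captures in this post (samples embedded inline) and reports those two indicators.

```python
from typing import Dict, List

# Constructed samples modelled on the two nslookup captures in the post.
ROADRUNNER = """Server: austtx-dns-cac-fn.texas.rr.com
Address: 24.93.41.125
Non-authoritative answer:
Name: wc.funnel.revenuedirect.com.akadns.net
Addresses: 66.150.161.58, 69.25.47.165
Aliases: darelparker.com.home.darelparker.com, wc.traffic.puredns.com
"""
OTHER_ISP = """Server: dnsmtx.tiagris.net
Address: 170.76.16.5
Non-authoritative answer:
Name: darelparker.com
Address: 147.202.67.234
"""

def parse_nslookup(text: str) -> Dict[str, List[str]]:
    """Extract resolver, answer name, addresses and aliases from nslookup output.
    Only lines after 'Non-authoritative answer:' count as the answer; the first
    'Address:' line is the resolver itself and is deliberately skipped."""
    out = {"server": [], "name": [], "addresses": [], "aliases": []}
    in_answer = False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "non-authoritative answer":
            in_answer = True
        elif key == "server":
            out["server"].append(val)
        elif key == "name" and in_answer:
            out["name"].append(val)
        elif key in ("address", "addresses") and in_answer:
            out["addresses"].extend(a.strip() for a in val.split(","))
        elif key == "aliases":
            out["aliases"].extend(a.strip() for a in val.split(","))
    return out

def in_zone(host: str, domain: str) -> bool:
    """True if host is the domain itself or a name beneath it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def hijack_indicators(domain: str, answers: Dict[str, str]) -> List[str]:
    """Compare one domain's answers across resolvers (label -> nslookup text).
    Flags a canonical name or alias outside the queried zone, and resolvers
    that disagree on the A records, the two symptoms described in the post."""
    findings, seen = [], {}
    for label, text in answers.items():
        p = parse_nslookup(text)
        seen[label] = frozenset(p["addresses"])
        for host in p["name"] + p["aliases"]:
            if not in_zone(host, domain):
                findings.append(f"{label}: {domain} resolves via {host}, outside the zone")
    if len(set(seen.values())) > 1:
        findings.append("resolvers disagree on A records: "
                        + ", ".join(f"{k}={sorted(v)}" for k, v in seen.items()))
    return findings
```

Running `hijack_indicators("darelparker.com", {"roadrunner": ROADRUNNER, "other": OTHER_ISP})` reports the akadns.net name, the puredns.com alias, and the A-record disagreement; feeding it captures from several public resolvers is a quick way to tell a poisoned or parked resolver answer from a genuine registrar problem.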
A little background history that only partially explains what is happening.
Several months ago I purchased a second colocation server to reduce the workload on my primary server. Since then I’ve been moving some of my domains onto the new server as well as changing the registered name servers for those domains since the new box acts as the name server for hosted domains automatically.
Typically, I’ll create a hosting account on my server, change the name servers at the registrar (GoDaddy rocks!), and wait a few minutes. No problem.
At the time I moved darelparker.com to the new server, I changed the name servers at the registrar before I created a hosting account - and DNS records - on my new server.
Essentially, my domain existed for several minutes with registered name servers that didn’t contain any DNS records for the domain. If someone had tried to visit the site, they would get a DNS error message. But I can live with a few minutes of down time so no big deal, right?
However, once the hosting account was created and the DNS records were properly configured, the name server should have responded to DNS queries allowing browsers to find the domain.
But instead of seeing my beloved Wordpress front end, the banner infested search page reared its ugly head. And at least on Roadrunner’s service, the banner/search page continued to appear for about 24 hours after the changeover.
All of this raises a few questions:
Why is Google’s new company, Oingo.com, serving ads on domain parking pages for domains that are inactive - even for a few minutes? Is Google responsible for a new DNS hijacking scheme similar to the Network Solutions fiasco?
Is a DNS server - which shouldn’t even be responding to queries - forcing wildcard DNS records with 24 hour TTLs to keep visitors redirected for much longer than necessary?
And why are Roadrunner’s DNS servers sending queries to wc.funnel.revenuedirect.com.akadns.net in the first place?
So far, I haven’t found any good answers, but I’ll let you know when I do.
Related links