[lug] Suspicious: "host"/"DNS" Showing Odd Results (Fedora)
blug-mail at duboulder.com
Mon Sep 3 16:38:55 MDT 2018
It looks like the IP might be near southern California. I also see
multiple PTRs for that address from a DNS server in an IP block
apparently owned by Comcast.
From a non-comcast/non-centurylink connection:
$ host -a 188.8.131.52 (using a local dns resolver)
184.108.40.206.in-addr.arpa. 6937 IN PTR urlrw01.cable.comcast.com.
220.127.116.11.in-addr.arpa. 6937 IN PTR civrightsvoices.com.
$ dig +trace -x 18.104.22.168
22.214.171.124.in-addr.arpa. 7200 IN PTR urlrw01.cable.comcast.com.
126.96.36.199.in-addr.arpa. 7200 IN PTR civrightsvoices.com.
;; Received 123 bytes from 188.8.131.52#53(dns104.comcast.net) in 56 ms
$ whois 184.108.40.206
NetRange: 220.127.116.11 - 18.104.22.168
Parent: NET68 (NET-68-0-0-0-0)
NetType: Direct Allocation
Organization: Comcast Cable Communications, LLC (CCCS)
$ traceroute -I 22.214.171.124
1 126.96.36.199 (188.8.131.52) 23.740 ms 23.715 ms 23.715 ms
2 8-1-36.ear3.Denver1.Level3.net (184.108.40.206) 2.619 ms 2.850 ms 3.093 ms
3 * * *
4 220.127.116.11 (18.104.22.168) 16.672 ms 16.686 ms 16.682 ms
5 bu-ether12.tustca4200w-bcr00.tbone.rr.com (22.214.171.124) 45.076 ms 45.115 ms 45.111 ms
6 126.96.36.199 (188.8.131.52) 50.072 ms 47.566 ms 47.344 ms
7 agg1.pldscabx02r.socal.rr.com (184.108.40.206) 51.651 ms 53.990 ms 53.978 ms
8 agg1.indica8102h.socal.rr.com (220.127.116.11) 62.390 ms 67.853 ms 67.791 ms
9 agg2.indica8101m.socal.rr.com (18.104.22.168) 49.038 ms 49.120 ms 49.198 ms
10 * * *
On 09/03/2018 03:10 PM, stimits at comcast.net wrote:
> I realize the "host" command can show more than one source, but it seems I have a case which is suspicious. While looking for problems of why something was crashing on firefox I added many packages to enable running in gdb and taking a backtrace. It seems SSL had locked up and crashed (fully updated).
> So I've noticed that sometimes when I ping comcast.net I see what I believe is not legitimate:
> 64 bytes from civrightsvoices.com (22.214.171.124): icmp_seq=1 ttl=56 time=13.8 ms
> At other times I see this, which is probably correct:
> 64 bytes from urlrw01.cable.comcast.com (126.96.36.199): icmp_seq=1 ttl=56 time=19.4 ms
> What got more interesting is the "host" command (I do believe 188.8.131.52 is actually comcast):
>> host 184.108.40.206
> 220.127.116.11.in-addr.arpa domain name pointer civrightsvoices.com.
> 18.104.22.168.in-addr.arpa domain name pointer urlrw01.cable.comcast.com.
> When it is purely the one I believe is valid there is no lockup or crash. Sometimes when both show up it seems to be ok, but all firefox lockups only occur under those conditions.
> In the past I checked out what happens when resolv.conf has one of the open DNS servers instead of comcast's, and found performance was terrible. The open DNS server entry was long since deleted and reboot has generated a purely comcast resolv.conf (the entire system and DHCP has been restarted multiple times since then, and so has the cable modem). There is no reason (that I know of) why any other DNS server would be used other than comcast's. Is there something equivalent to a verbose trace of the "host" command to see more details? Would I need to snoop the traffic?
> FYI, the ping and host commands do this with root and other accounts without ever using a web browser (the issue is not confined to web browsers nor user accounts). Just in case, for firefox, I did delete all cache and cookies. I actually did a recursive find of regular files for the entire file system and put them through grep doing a case insensitive search for "civrightsvoices" and nothing showed up from the entire file system. I'm thinking this is something provided from the network source and is not part of my computer (perhaps comcast's DNS was hacked?). I've concluded that it is unlikely anything on my system has been compromised (and I do keep close watch and firewalling).
> Is there something odd when ping and host show two sources for 22.214.171.124? I could see two comcast names or pointers, but so far as I know "civrightsvoices.com" is unrelated to comcast and there should not be two domain pointers from different domains replying to comcast's DNS requests. How would I trace the cause of seeing "civrightsvoices.com" in some DNS queries and ping? Would I need to snoop traffic?
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
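An added example (not code from the thread or from either poster) of how to check the situation discussed above without sniffing traffic: parse the answer lines that `dig -x` and `dig A` print, compare the PTR set returned by two resolvers, and run a forward-confirmed reverse DNS (FCrDNS) check so a PTR whose name does not resolve back to the address stands out. The addresses and answer lines below are constructed from documentation ranges, not the thread's real values.

```python
import re
from collections import defaultdict

# Constructed sample answer-section lines, as `dig` prints them, from two
# different resolvers (a local one and the ISP's) plus forward A lookups.
LOCAL_RESOLVER = """\
1.2.0.192.in-addr.arpa. 6937 IN PTR urlrw01.cable.comcast.com.
1.2.0.192.in-addr.arpa. 6937 IN PTR civrightsvoices.com.
"""
ISP_RESOLVER = """\
1.2.0.192.in-addr.arpa. 7200 IN PTR urlrw01.cable.comcast.com.
1.2.0.192.in-addr.arpa. 7200 IN PTR civrightsvoices.com.
"""
FORWARD = """\
urlrw01.cable.comcast.com. 300 IN A 192.0.2.1
civrightsvoices.com. 300 IN A 198.51.100.7
"""

# owner  ttl  IN  type  rdata   (tabs or spaces between fields)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(PTR|A|AAAA)\s+(\S+)$")


def parse_answers(text):
    """Map (owner, rtype) -> set of rdata; ';;' comment lines are skipped."""
    out = defaultdict(set)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            out[(owner.lower(), rtype)].add(rdata.lower())
    return dict(out)


def reverse_name(ip):
    """192.0.2.1 -> 1.2.0.192.in-addr.arpa. (IPv4 only)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_targets(dig_text, ip):
    return parse_answers(dig_text).get((reverse_name(ip), "PTR"), set())


def resolvers_agree(ip, *dig_outputs):
    """True when every resolver returned the same PTR set for ip."""
    sets = [ptr_targets(o, ip) for o in dig_outputs]
    return all(s == sets[0] for s in sets)


def fcrdns(ip, ptr_text, forward_text):
    """For each PTR name, does its A record include ip (forward-confirmed)?"""
    fwd = parse_answers(forward_text)
    return {n: ip in fwd.get((n, "A"), set()) for n in ptr_targets(ptr_text, ip)}
```

If both resolvers agree and the odd name fails the FCrDNS check, the extra PTR is being served by the address block's owner rather than injected on the client; `dig +trace -x` against the authoritative servers, as in the reply above, confirms which side it comes from.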