Routing Problems: www.google.de -> blog.zeit.de???

Hi there!
I am really confused by now: my internet connection is really behaving in a funny way. Sometimes when I am trying to connect to a website, another website is opened and displayed in the browser, although the right domain name is shown.
I can give an example: traceroute:


traceroute to www.google.de (66.150.96.119), 30 hops max, 40 byte packets
 1  SE515.home (192.168.1.1)  1.665 ms   1.804 ms   1.953 ms
 2  * * *
Unable to look up 217.0.70.202: Temporärer Fehler bei der Namensauflösung
 3  217.0.70.202  774.735 ms   954.309 ms   951.729 ms
 4  f-eb5.F.DE.net.DTAG.DE (62.154.17.58)  959.488 ms   956.341 ms   954.622 ms
Unable to look up 62.156.128.98: Temporärer Fehler bei der Namensauflösung
 5  62.156.128.98  952.688 ms   950.192 ms   947.157 ms
 6  xe-1-1-0.r21.frnkge03.de.bb.gin.ntt.net (129.250.2.12)  945.831 ms xe-3-2.r00.frnkge03.de.bb.gin.ntt.net (129.250.2.224)  1057.346 ms xe (129.250.2.12)  941.213 ms
 7  xe-1-1-0.r20.frnkge03.de.bb.gin.ntt.net (129.250.2.240)  936.730 ms xe-1-0-0.r20.frnkge03.de.bb.gin.ntt.net (129.250.2.148)  935.858 ms weather.yahooapis.com (129.250.2.240)  933.733 ms
 8  p64-3-3-0.r22.londen03.uk.bb.gin.ntt.net (129.250.2.20)  1454.861 ms   1451.347 ms   1447.583 ms
 9  as-0.r20.nycmny01.us.bb.gin.ntt.net (129.250.3.254)  1502.022 ms   1499.417 ms   1497.563 ms
10  ae-0.r21.nycmny01.us.bb.gin.ntt.net (129.250.2.26)  1496.065 ms   1492.416 ms   1516.930 ms
11  p64-2-0-0.r20.chcgil09.us.bb.gin.ntt.net (129.250.5.4)  1537.698 ms   1534.473 ms   1538.654 ms
12  * * *
13  xe-3-3.r01.chcgil09.us.ce.gin.ntt.net (129.250.208.6)  1620.979 ms   1613.415 ms   1606.714 ms
14  border5.te8-1-bbnet2.chg.pnap.net (64.94.32.74)  2091.983 ms   2070.137 ms   2070.590 ms
15  blog.zeit.de (66.150.96.119)  2069.386 ms   2066.851 ms   2064.191 ms

My guess is that somehow the routing is wrong; however, I cannot reproduce this behavior. The domain names that get mixed up are kind of random. It only stays that way for about 5-10 minutes.

Any tips on where I can start???

The initial resolution of Google appears to be wrong. What nameserver(s) are you using? Are they your ISP’s nameservers? It could be somebody attempting a DNS poisoning attack on BIND.

Thanks for the quick reply ken_yap!
I was thinking about that too. My /etc/resolv.conf only has my local router as name server.
I checked the local net with wireshark and didn’t notice anything suspicious, though.
My router uses 217.237.150.205 (primary) and 217.237.149.142 (secondary) as name servers. If I look them up with dnsstuff.com they are inside the IP range of my provider, but how can I check if they are real name servers?

They probably are real name servers belonging to your ISP; a reverse lookup shows that they are in t-ipnet.de, but they may not have been patched (a surprising lapse by your ISP if true).

Go to DoxPara Research and on the RHS you will see a DNS checker. Click on it and wait for the results. If it says your nameservers are vulnerable, your ISP should be notified immediately. You, not somebody else, have to do this check because you are using their servers.

Hi! Sadly that’s not it… I actually remembered the page after I checked this…
Is there a way to do that to the router?

Your ISP's name server, 217.237.150.204, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.

Requests seen for 7a7b7580c14a.doxdns5.com:
217.237.150.204:54856 TXID=4812
217.237.150.204:27422 TXID=4607
217.237.150.204:23980 TXID=27318
217.237.150.204:19836 TXID=27501
217.237.150.204:38924 TXID=36478
ISNOM:ISNOM TXID=ISNOM
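The checker output quoted above is the evidence the "vulnerable or not" verdict rests on: whether the resolver varies its UDP source port and whether its transaction IDs are predictable. The script below is an added example (not from this thread or the DoxPara tool) that parses lines in that `ip:port TXID=n` format and flags a resolver that reuses one source port or counts TXIDs sequentially; the second sample set and the 1024-port "narrow range" threshold are constructed assumptions for illustration.

```python
import re

# Constructed samples in the format the checker prints. The first mirrors
# the thread's output (ports and TXIDs vary); the second is a constructed
# unpatched resolver that always sends from port 53 and increments TXIDs.
RANDOMIZED = """\
217.237.150.204:54856 TXID=4812
217.237.150.204:27422 TXID=4607
217.237.150.204:23980 TXID=27318
217.237.150.204:19836 TXID=27501
217.237.150.204:38924 TXID=36478
ISNOM:ISNOM TXID=ISNOM
"""
UNPATCHED = """\
192.0.2.53:53 TXID=1001
192.0.2.53:53 TXID=1002
192.0.2.53:53 TXID=1003
192.0.2.53:53 TXID=1004
192.0.2.53:53 TXID=1005
"""

LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")


def parse(text):
    """Return (ip, port, txid) tuples; non-matching trailer lines such as ISNOM are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m["ip"], int(m["port"]), int(m["txid"])))
    return rows


def assess(text):
    """List weaknesses seen in the observed queries, or ['randomized'] if none."""
    rows = parse(text)
    if len(rows) < 3:
        return ["insufficient-data"]
    ports = [p for _, p, _ in rows]
    txids = [t for _, _, t in rows]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed-source-port")   # only the 16-bit TXID protects the cache
    elif max(ports) - min(ports) < 1024:       # assumed threshold: too little entropy
        findings.append("narrow-port-range")
    diffs = [b - a for a, b in zip(txids, txids[1:])]
    if len(set(diffs)) == 1:
        findings.append("sequential-txid")     # constant step between IDs: predictable
    return findings or ["randomized"]
```

Run it against the lines a checker reports for your own resolver; a `fixed-source-port` or `sequential-txid` finding is what should be escalated to the ISP.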

Your router is just a forwarder so the actual request would come from your ISP’s nameserver anyway.

Sorry, no more ideas on this one. Maybe try setting your computer to use your ISP’s nameservers directly to see what happens?