Odd DNS Resolution for Google via OpenDNS

We had a report from one of our readers (Deoscoidy) in Puerto Rico who had trouble reaching Google earlier today. Instead of landing on Google, he was redirected to an error page hosted with the free web hosting provider atspace.com. Pages like this are known to be used for malware distribution. Shortly after he reported it, the problem fixed itself for him. I have only been able to reproduce part of the problem so far.

He found out that the redirect was in part due to the name resolution done by OpenDNS. It looks like as an OpenDNS user you receive a different response for "www.google.com" vs. resolving it directly:

With OpenDNS (dig @208.67.222.222 www.google.com)

;; ANSWER SECTION:
www.google.com.        30    IN    CNAME    google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN    A    208.69.32.231
google.navigation.opendns.com. 30 IN    A    208.69.32.230

Without OpenDNS (dig www.google.com)

;; ANSWER SECTION:
www.google.com.        336708    IN    CNAME    www.l.google.com.
www.l.google.com.    148    IN    A    74.125.93.104
www.l.google.com.    148    IN    A    74.125.93.147
www.l.google.com.    148    IN    A    74.125.93.99
www.l.google.com.    148    IN    A    74.125.93.103


208.69.32.0/21 is allocated to OpenDNS. So the information returned by OpenDNS is not necessarily malicious, and may just be part of Google's intricate load balancing scheme (you will likely get very different IP addresses if you run the second query yourself).

The response returned from these servers looks like an authentic response from Google. However, some of the country-level redirection may have been broken earlier. Right now, everything seems to be fine. If you experience similar issues, please let us know.

Update

Chris and Nicholas confirm that OpenDNS has been doing this "MiM" on Google for a while now. A user may disable this "feature", but will lose the malware protection provided by OpenDNS as a result.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute     Twitter: johullrich

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

The redirection to a page at 'atspace.com' does sound fishy, possibly some type of problem with their proxy.

However, the fake Google DNS records and 'OpenDNS proxy' are a well-documented part of the OpenDNS service, since 2007, see:
http://www.opendns.com/support/article/244
http://blog.opendns.com/2007/05/22/opendns-proxy-faq
Mysid
It appears that the redirection for the www.google.com.pr site was caused by an attack to the .pr TLD. There is an article in CNET that talks about this:
Puerto Rico sites redirected in DNS attack
news.cnet.com/8301-1009_3-10228436-83.html
Mysid
