 TM Hijacking DNS and injecting ads!

soonwai
post Sep 13 2018, 03:04 AM


********
All Stars
11,456 posts

Joined: Oct 2007
From: KL


QUOTE(Drewkk @ Sep 13 2018, 02:47 AM)
I noticed today that unresolved domains and 404 errors on websites without SSL/TLS are getting hijacked by ads!!!!

https://imgur.com/a/6FDuBgc

WTH?

The site behind the ads is http://www.zygy.com which boasts TM as a customer.
*
LOL, you're right. Every DNS query to 1.9.1.9 for a non-existent domain returns 202.71.99.195.

Never noticed it as I wasn't using TM's DNS. Good find.
soonwai
post Sep 30 2018, 09:05 PM




I made a report of this to Unifi via live chat and email. Ticket is still open. Let's see what happens.

Basically I reported TM's DNS 1.9.1.9 is returning an IP address instead of NXDOMAIN for a non-existent domain. The examples that I used to illustrate the problem to TM are:

For a domain that exists with 1.9.1.9.
CODE
mbpr:~ $ dig @1.9.1.9 fuckyou.com
; <<>> DiG 9.12.2-P2 <<>> @1.9.1.9 fuckyou.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11643
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fuckyou.com.   IN A

;; ANSWER SECTION:
fuckyou.com.  62485 IN A 208.236.11.179


For a domain that doesn't exist with 1.9.1.9.
CODE
mbpr:~$ dig @1.9.1.9 wheresmymotherfuckingturboupgrade.com

; <<>> DiG 9.12.2-P2 <<>> @1.9.1.9 wheresmymotherfuckingturboupgrade.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wheresmymotherfuckingturboupgrade.com. IN A

;; ANSWER SECTION:
wheresmymotherfuckingturboupgrade.com. 0 IN A 202.71.99.195


For a domain that doesn't exist with 1.1.1.1.
CODE
mbpr:~$ dig @1.1.1.1 wheresmymotherfuckingturboupgrade.com


; <<>> DiG 9.12.2-P2 <<>> @1.1.1.1 wheresmymotherfuckingturboupgrade.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53011
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;wheresmymotherfuckingturboupgrade.com. IN A

;; AUTHORITY SECTION:
com.   900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1538312681 1800 900 604800 86400


Update: 1/10
TM technician called. Want to come over to check because I have problem browsing to website. Told him that my problem is I am able to browse to website when, by right, I shouldn't be able to. Confusion arises after this. Told him that he can check this wherever he is as long as he's using TM's DNS eg: 1.9.1.9. Just don't come here and charge me RM53.

This post has been edited by soonwai: Oct 1 2018, 04:52 PM
soonwai
post Oct 9 2019, 11:42 AM




QUOTE(junclj @ Oct 9 2019, 08:23 AM)
Why I get this? I'm using Unifi too.

[attachmentid=10330083]
*
No such domain. I'm getting the same here with Google's DNS and 1.1.1.1.

 
