


 Time and Maxis started to hijack dns query

haya
post Aug 13 2024, 05:19 PM

Sarawakian first!
*******
Senior Member
2,067 posts

Joined: Jan 2003

QUOTE(kwss @ Aug 13 2024, 04:53 PM)
From my testing with Celcom (AS10030), all DNS is hijacked, including microsoft.com, lowyat.net, etc. They all resolved via some non-routable IP address.
*
So something like:
CODE
googie-anaiytics.com


Which is blocked by Quad9:
CODE
; <<>> DiG 9 <<>> @9.9.9.9 googie-anaiytics.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37724
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;googie-anaiytics.com.  IN A

;; Query time: 10 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Aug 13 09:19:15 2024
;; MSG SIZE  rcvd: 38


But resolvable:
CODE
; <<>> DiG 9 <<>> @localhost googie-anaiytics.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5580
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;googie-anaiytics.com.  IN A

;; ANSWER SECTION:
googie-anaiytics.com. 600 IN A 3.33.130.190
googie-anaiytics.com. 600 IN A 15.197.148.33

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 13 09:16:24 2024
;; MSG SIZE  rcvd: 70


With AS10030 hijacking all DNS53 packets, does it resolve googie-anaiytics.com if the DNS query is pointed to 9.9.9.9?
ChenKaiWen
post Aug 13 2024, 07:55 PM

Casual
***
Junior Member
364 posts

Joined: May 2019


I use quad9 DoH and DoT on adguard.
Just now it stopped working, sites fail to resolve. I see a bunch of timeout in the logs using 443. After removing DoH, it started working again. Adding back DoH did not break it.
Checking on ipleak, Global Transit (TIME) shows up for ipv4 while Woodynet(Quad9) shows up for ipv6.
Something is not right
QuantumEdge
post Aug 13 2024, 07:57 PM

Regular
******
Senior Member
1,592 posts

Joined: Jan 2016


QUOTE(ChenKaiWen @ Aug 13 2024, 07:55 PM)
I use quad9 DoH and DoT on adguard.
Just now it stopped working, sites fail to resolve. I see a bunch of timeout in the logs using 443. After removing DoH, it started working again. Adding back DoH did not break it.
Checking on ipleak, Global Transit (TIME) shows up for ipv4 while Woodynet(Quad9) shows up for ipv6.
Something is not right
*
Are you a time user? I'm having issues now, all sites are slow as heck
On Adguard DoT
ChenKaiWen
post Aug 13 2024, 07:59 PM

Casual
***
Junior Member
364 posts

Joined: May 2019


QUOTE(QuantumEdge @ Aug 13 2024, 07:57 PM)
Are you a time user? I'm having issues now, all sites are slow as heck
On Adguard DoT
*
Yes. Most of the devices can’t resolve, only a few can.


This post has been edited by ChenKaiWen: Aug 13 2024, 08:00 PM
nazq
post Aug 13 2024, 08:01 PM

dead inside
******
Senior Member
1,180 posts

Joined: Jun 2010
From: Chickentown



AdGuard had been hijacked as well? Suddenly stopped working for me an hour ago, for both Maxis & Unifi
QuantumEdge
post Aug 13 2024, 08:03 PM

Regular
******
Senior Member
1,592 posts

Joined: Jan 2016


QUOTE(nazq @ Aug 13 2024, 08:01 PM)
AdGuard had been hijacked as well? Suddenly stopped working for me an hour ago, for both Maxis & Unifi
*
TIME and Maxis user here, facing similar issues
I think it started since 2~3PM today, I felt the network getting slower all of a sudden
nazq
post Aug 13 2024, 08:06 PM

dead inside
******
Senior Member
1,180 posts

Joined: Jun 2010
From: Chickentown



QUOTE(QuantumEdge @ Aug 13 2024, 08:03 PM)
TIME and Maxis user here, facing similar issues
I think it started since 2~3PM today, I felt the network getting slower all of a sudden
*
Network abruptly stopped in my case, around 7 pm here in the midst of browsing. Very slow, then showing failed DNS probe on Chrome.
ChenKaiWen
post Aug 13 2024, 08:07 PM

Casual
***
Junior Member
364 posts

Joined: May 2019


QUOTE(nazq @ Aug 13 2024, 08:06 PM)
Network abruptly stopped in my case, around 7 pm here in the midst of browsing. Very slow, then showing failed DNS probe on Chrome.
*
Same here. Around 7, suddenly stopped working. Bunch of connection timeout for 443 in adguard. I have parallel request, no idea why it didn’t fall back on TLS instead.
PRSXFENG
post Aug 13 2024, 08:14 PM

Look at all my stars!!
*******
Senior Member
2,607 posts

Joined: Nov 2020


QUOTE(ChenKaiWen @ Aug 13 2024, 07:55 PM)
I use quad9 DoH and DoT on adguard.
Just now it stopped working, sites fail to resolve. I see a bunch of timeout in the logs using 443. After removing DoH, it started working again. Adding back DoH did not break it.
Checking on ipleak, Global Transit (TIME) shows up for ipv4 while Woodynet(Quad9) shows up for ipv6.
Something is not right
*
Hey uhh, that was me who was responsible for that

Global Transit is one of the host for Quad9's Presence in Malaysia
They are related to time, but they are neutral, they're just the host
you can confirm this by connecting to Quad9 on other ISPs like Maxis and see that your DNS goes to them as well

I noticed that TM and TIME don't send to Quad9 KUL, and route to SIN which has a slightly higher latency

Now, TM refuses to peer with them
But TIME is supposed to when I asked Quad9
Quad9 said they'll check with TIME
so, seems like TIME fixed that, and you get lower latency


But uhh, no issues detected on my side, but I use the DNSCrypt protocol

you can confirm it's not a hijack with
https://docs.quad9.net/FAQs/#detecting-dns-...rection-hijacks

This post has been edited by PRSXFENG: Aug 13 2024, 08:28 PM
ChenKaiWen
post Aug 13 2024, 08:26 PM

Casual
***
Junior Member
364 posts

Joined: May 2019


Thanks for informing. Did a trace route on ipv6, seems to go to Singapore still, ipv4 goes to myix
tgeoklin
post Aug 13 2024, 08:33 PM

Regular
******
Senior Member
1,230 posts

Joined: Sep 2008
Just use VPN, no issues lieu 😇
PRSXFENG
post Aug 13 2024, 08:45 PM

Look at all my stars!!
*******
Senior Member
2,607 posts

Joined: Nov 2020


QUOTE(ChenKaiWen @ Aug 13 2024, 08:26 PM)
Thanks for informing. Did a trace route on ipv6, seems to go to Singapore still, ipv4 goes to myix
*
Maybe the server only has ipv4 connectivity

I check with https://www.dnscheck.tools/ and notice

IPv4 MY - Global Transit
IPv4 SG - WoodyNet
IPv6 MY - WoodyNet
IPv4 SG - WoodyNet

Quad9 does have a total of 3 MY locations and 2 SG locations
(Don't trust the map 100%; at one point in time they listed Johor's country as Singapore, and they say they don't update it that often.)
My guess is MyIX KUL would be TIME's Global Transit
and the DE-CIX KL is the PCH/WoodyNet one?

DE-CIX does peer with PCH/WoodyNet

ChenKaiWen
post Aug 13 2024, 08:50 PM

Casual
***
Junior Member
364 posts

Joined: May 2019


QUOTE(PRSXFENG @ Aug 13 2024, 08:45 PM)
Maybe the server only has ipv4 connectivity

I check with https://www.dnscheck.tools/ and notice

IPv4 MY - Global Transit
IPv4 SG - WoodyNet
IPv6 MY - WoodyNet
IPv4 SG - WoodyNet

Quad9 does have a total of 3 MY locations and 2 SG locations
(Don't trust the map 100%; at one point in time they listed Johor's country as Singapore, and they say they don't update it that often.)
My guess is MyIX KUL would be TIME's Global Transit
and the DE-CIX KL is the PCH/WoodyNet one?

DE-CIX does peer with PCH/WoodyNet
*
seems that it is going to KUL. But traceroute 2620:fe::9 and 2620:fe::fe is going to Singapore. Seems to be all good now.
Kadaj
post Aug 13 2024, 09:51 PM

On my way
****
Junior Member
584 posts

Joined: Mar 2006
QUOTE(kwss @ Aug 13 2024, 04:53 PM)
From my testing with Celcom (AS10030), all DNS is hijacked, including microsoft.com, lowyat.net, etc. They all resolved via some non-routable IP address.
*
I tested with AS10030 Celcom but it doesn't implement transparent proxy DNS and doesn't block anything.
You can view the reports here:
1.1.1.1:
https://explorer.ooni.org/m/20240813131113....4706209241c200c
8.8.8.8:
https://explorer.ooni.org/m/20240813131135....aa74995ad507bf9
9.9.9.9:
https://explorer.ooni.org/m/20240813131158....27ecfbf61a2bcb0

I tested with XOX which is MVNO riding on Celcom.
PRSXFENG
post Aug 13 2024, 10:09 PM

Look at all my stars!!
*******
Senior Member
2,607 posts

Joined: Nov 2020


QUOTE(Kadaj @ Aug 13 2024, 09:51 PM)
I tested with AS10030 Celcom but it doesn't implement transparent proxy DNS and doesn't block anything.
You can view the reports here:
1.1.1.1:
https://explorer.ooni.org/m/20240813131113....4706209241c200c
8.8.8.8:
https://explorer.ooni.org/m/20240813131135....aa74995ad507bf9
9.9.9.9:
https://explorer.ooni.org/m/20240813131158....27ecfbf61a2bcb0

I tested with XOX which is MVNO riding on Celcom.
*
Feels like they're still testing out this system and have it on and off

For me, I noticed my U Mobile isn't hijacking anymore at this time
kwss
post Aug 13 2024, 11:42 PM

Regular
******
Senior Member
1,207 posts

Joined: Aug 2018
QUOTE(haya @ Aug 13 2024, 05:19 PM)
It is hijacked.
CODE

dig @9.9.9.9 googie-anaiytics.com

; <<>> DiG 9.18.28 <<>> @9.9.9.9 googie-anaiytics.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 736
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;googie-anaiytics.com.  IN A

;; ANSWER SECTION:
googie-anaiytics.com. 600 IN A 15.197.148.33
googie-anaiytics.com. 600 IN A 3.33.130.190

;; Query time: 405 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Tue Aug 13 23:39:48 +08 2024
;; MSG SIZE  rcvd: 81


Using the TXT query test method:
CODE

$ dig +short txt proto.on.quad9.net @9.9.9.9
(no output)

$dig +short txt proto.on.quad9.net @9.9.9.9 +tcp
do53-tcp.

$ dig +short txt proto.on.quad9.net @9.9.9.9 +tls
dot.

$ dig +short txt proto.on.quad9.net @9.9.9.9 +https=/dns-query
doh.

$ dig +short ch txt id.server. @9.9.9.9
(no output)

$ dig +short ch txt id.server. @9.9.9.9 +tcp
"res100.kul.rrdns.pch.net"

$ dig +short ch txt id.server. @9.9.9.9 +tls
"res100.kul.rrdns.pch.net"

$ dig +short ch txt id.server. @9.9.9.9 +https=/dns-query
"res100.kul.rrdns.pch.net"


Using traceroute, you can see !X (communication administratively prohibited)
CODE

$ traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
1  _gateway (192.168.137.30)  1.218 ms  1.478 ms  1.730 ms
2  * * *
3  10.223.95.65 (10.223.95.65)  72.996 ms  72.976 ms  72.966 ms
4  10.223.39.171 (10.223.39.171)  60.468 ms 10.223.39.163 (10.223.39.163)  60.453 ms  60.436 ms
5  203.82.65.113 (203.82.65.113)  72.887 ms  72.879 ms  72.944 ms
6  203.82.83.217 (203.82.83.217)  89.017 ms 203.82.83.219 (203.82.83.219)  66.107 ms  162.729 ms
7  203.82.83.34 (203.82.83.34)  199.869 ms  193.638 ms 203.82.83.32 (203.82.83.32)  199.943 ms
8  pch.myix.my (218.100.44.20)  193.591 ms  193.449 ms  193.421 ms
9  dns9.quad9.net (9.9.9.9)  193.383 ms !X  193.319 ms !X  193.282 ms !X


Let's see where they start redirecting UDP 53. Looks like the very first hop:
CODE

# traceroute -U -p53 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
1  _gateway (192.168.137.30)  2.118 ms  2.572 ms  2.818 ms
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * dns9.quad9.net (9.9.9.9)  72.977 ms *

# traceroute -T -p53 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
1  _gateway (192.168.137.30)  4.822 ms  5.259 ms *
2  * * *
3  * * *
4  * * *
5  * * *
6  * 203.82.83.219 (203.82.83.219)  54.024 ms 203.82.83.217 (203.82.83.217)  39.621 ms
7  203.82.83.34 (203.82.83.34)  59.608 ms 203.82.83.32 (203.82.83.32)  59.631 ms  59.565 ms
8  pch.myix.my (218.100.44.20)  59.553 ms  59.537 ms  59.524 ms
9  dns9.quad9.net (9.9.9.9)  65.218 ms  65.206 ms  65.193 ms

# traceroute -T -p443 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
1  _gateway (192.168.137.30)  1.799 ms  1.763 ms *
2  * * *
3  * * *
4  * * *
5  * * *
6  * dns9.quad9.net (9.9.9.9)  65.581 ms  65.325 ms

TCP port 53 and TCP port 443 have vastly different hop counts. This needs further investigation.

I have done a packet capture. Looks like it is a man-on-the-side attack?

This post has been edited by kwss: Aug 14 2024, 01:17 AM


Attached file: quad_https_celcom_as10030.pcapng.gz (8.12k)
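The two checks used in this thread, haya's comparison of a Quad9-blocked name against a local resolver and kwss's proto.on.quad9.net query over UDP versus TCP, as one added example script (my code, not any poster's and not Quad9's tooling). It builds and parses raw DNS messages, can send them over UDP or TCP 53, and classifies the replies. Assumptions: that proto.on.quad9.net answers with a CNAME or TXT label such as `do53-tcp.`, `dot.`, `doh.` (those three values appear in kwss's output; the plain-UDP value `do53-udp.` is assumed), and that googie-anaiytics.com is a name Quad9 answers with NXDOMAIN, as haya's dig output shows. `build_response` constructs sample replies so the classifier can be exercised offline; `send_query` does the live check.

```python
# Added example, not from the thread: a minimal DNS wire-format client plus the
# hijack signals used above (assumptions are spelled out in the lead-in).
import socket
import struct

TYPE_A, TYPE_CNAME, TYPE_TXT, CLASS_IN = 1, 5, 16, 1
TXID = 0x1234

def _encode_name(qname):
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype, qclass=CLASS_IN):
    """Standard query, RD set, no EDNS: what a plain `dig` sends."""
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", qtype, qclass)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    parts, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end or off + 2                       # caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(parts) + ".", (end or off)
        parts.append(msg[off:off + length].decode())
        off += length

def parse_response(msg):
    """Return id, rcode and the answer RRs as (name, type, value) tuples."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        value = rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_CNAME:
            value = _read_name(msg, off)[0]
        elif rtype == TYPE_TXT:                        # sequence of <len><chars> strings
            value, i = "", 0
            while i < rdlen:
                value += rdata[i + 1:i + 1 + rdata[i]].decode()
                i += 1 + rdata[i]
        answers.append((name, rtype, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def build_response(query, rcode, answers, ttl=600):
    """Constructed reply to `query` (stands in for the wire); owner names are a pointer to the question name."""
    rrs = b""
    for _, rtype, value in answers:
        if rtype == TYPE_A:
            rdata = bytes(int(o) for o in value.split("."))
        elif rtype == TYPE_CNAME:
            rdata = _encode_name(value)
        else:
            rdata = bytes([len(value)]) + value.encode()
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(answers), 0, 0) + query[12:] + rrs

def send_query(server, qname, qtype, qclass=CLASS_IN, tcp=False, timeout=3.0):
    """Live query over UDP or TCP; TCP frames the message with a 2-byte length prefix."""
    q = build_query(qname, qtype, qclass)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(q)) + q)
            data = f.read(struct.unpack("!H", f.read(2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data = s.recv(4096)
    resp = parse_response(data)
    assert resp["id"] == TXID, "transaction id mismatch"
    return resp

def classify(udp_proto, tcp_proto, udp_blocked):
    """udp_proto/tcp_proto: proto.on.quad9.net replies over UDP/TCP; udp_blocked: UDP reply for a name Quad9 blocks."""
    def labels(r):
        return {v for _, t, v in r["answers"] if t in (TYPE_CNAME, TYPE_TXT)}
    findings = []
    if labels(tcp_proto) and not labels(udp_proto):
        findings.append("udp53-no-answer")            # UDP 53 swallowed while TCP 53 passes
    elif labels(udp_proto) and not any(v.startswith("do53") for v in labels(udp_proto)):
        findings.append("udp53-unexpected-answer")    # something else answered as 9.9.9.9
    if udp_blocked["rcode"] == 0 and any(t == TYPE_A for _, t, _ in udp_blocked["answers"]):
        findings.append("blocklist-bypassed")          # a blocked name resolved, so not Quad9
    return findings
```

Live use on a suspect line: `classify(send_query("9.9.9.9", "proto.on.quad9.net", TYPE_TXT), send_query("9.9.9.9", "proto.on.quad9.net", TYPE_TXT, tcp=True), send_query("9.9.9.9", "googie-anaiytics.com", TYPE_A))` returns an empty list on a clean path. The CH-class identity check from the post is `send_query("9.9.9.9", "id.server.", TYPE_TXT, qclass=3)`; an empty answer over UDP with `res100.kul.rrdns.pch.net` over TCP is the same signal. A further fingerprint visible in the outputs above: the hijacked UDP reply carries the RA flag, while genuine Quad9 replies show "recursion requested but not available".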
ChenKaiWen
post Aug 14 2024, 06:41 AM

Casual
***
Junior Member
364 posts

Joined: May 2019


CODE

dig @9.9.9.9 googie-anaiytics.com

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @9.9.9.9 googie-anaiytics.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32048
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;googie-anaiytics.com.          IN      A

;; Query time: 8 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Wed Aug 14 06:38:40 +08 2024
;; MSG SIZE  rcvd: 49


CODE

traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 30 hops max, 60 byte packets
1  router.lan (10.0.0.1)  0.707 ms  0.358 ms  0.319 ms
2  161.142.48.1 (161.142.48.1)  2.730 ms  2.643 ms  2.840 ms
3  * * *
4  223.28.43.70 (223.28.43.70)  6.111 ms  5.912 ms  5.746 ms
5  pch.myix.my (218.100.44.20)  7.252 ms  7.214 ms  7.310 ms
6  dns9.quad9.net (9.9.9.9)  7.389 ms !X  8.056 ms !X  7.769 ms !X


Unable to resolve that domain but traceroute shows !X
PRSXFENG
post Aug 14 2024, 07:46 AM

Look at all my stars!!
*******
Senior Member
2,607 posts

Joined: Nov 2020


QUOTE(ChenKaiWen @ Aug 14 2024, 06:41 AM)
SNIP
Unable to resolve that domain but traceroute shows !X
*
Might just be some firewall config on Quad9's side?

Based on this forum post
https://www.linuxquestions.org/questions/li...ine-4175635996/


BladeRider88
post Aug 14 2024, 03:58 PM

On my way
****
Junior Member
554 posts

Joined: Nov 2006


QUOTE(nazq @ Aug 13 2024, 08:06 PM)
Network abruptly stopped in my case, around 7 pm here in the midst of browsing. Very slow, then showing failed DNS probe on Chrome.
*
Yesterday AdGuard was having some routing issue

https://status.adguard.com/incidents/2zb98nsz83vv


SUSpetpenyubobo
post Aug 14 2024, 08:08 PM

Regular
******
Senior Member
1,030 posts

Joined: Jan 2022

QUOTE(BladeRider88 @ Aug 14 2024, 03:58 PM)
Yesterday AdGuard was having some routing issue

https://status.adguard.com/incidents/2zb98nsz83vv
*
You should understand why a DNS server that is now catching on as the popular choice for blocking ad trackers suddenly experiences higher downtimes.

Same goes to DuckDuckGo search engine, after people started making the switch from Uncle G, it started to go out of service very often.

I'm not blaming others, but their competitors don't really like them stealing away their revenues/monopoly.
