The other day, I logged on to my home network and entered gmail.google.com from Firefox. Imagine my surprise when I got a “landing” page with a bunch of URLs, rather than the usual spartan GMail page.
One terrifying thought followed the other. Was my machine infected? Was my WiFi router compromised? Maybe the ASDL modem? Worse, how long had it gone unnoticed?
Ok, time to take a deep breath and start isolating the problem, I figured.
I logged on from an alternate machine and found it worked fine there. I did a nslookup from the command prompt on my machine on gmail.google.com, and got back an IP address in the Google domain.
DNS request timed out.
timeout was 2 seconds.
Maybe some browser extension was causing the problem? To isolate that, I tried navigating to the same URL from Chrome and IE. No luck there – I was still getting the wrong page.
Must be some kind of virus then, I figured. I wanted to see the IP address the browser was navigating to, so I fired up Wireshark and watched the traffic. Not surprisingly, I found this
42 11.621942 192.168.1.100 18.104.22.168 DNS Standard query A gmail.google.com
43 11.659343 22.214.171.124 192.168.1.100 DNS Standard query response A 126.96.36.199
The IP address in the response (188.8.131.52) ,when run through a reverse lookup, resolved to a domain name that definitely wasn’t Google’s – the name suggested some kind of ad network. But wait, where did the IP address come from? 184.108.40.206. That was the DNS server the request was sent to, and as the Wireshark log shows, it obviously responded with the wrong IP address for the domain name.
Ok, so my browser was sending a request to a hacked DNS server, and that was why I was getting the wrong page. But where did 220.127.116.11 (the DNS server) come from? And why does nslookup use a different DNS server (18.104.22.168)? Time to check the wireless router/ADSL modem then, I thought.
And sure enough, this is what I found in the status page.
DNS 1: 22.214.171.124
DNS 2: 126.96.36.199
Was my router compromised to use a spiked DNS server? A reverse DNS lookup on 188.8.131.52 showed that it was in fact in the same domain as my ISP (BSNL/Sancharnet). So no, it wasn’t my router – BSNL was giving me the two IP addresses, and the second one, which my browser had used, was poisoned to return wrong IP addresses for requests for the gmail.google.com domain name.
This was the first time I’d encountered DNS cache poisoning, and it is easy to see how dangerous it can be. SSL of course would save the day for secure websites – the fake website won’t be able to produce a valid certificate claiming to be the original website. But what about the millions of websites without a certificate? And how many internet users actually know about https versus http?
Terrifying, ain’t it?
I fixed the problem by forcing my router to use Google’s DNS servers rather than BSNL’s. Rather ironic, considering the trigger was incorrect lookup of one of Google’s own subdomains.