When gmail.google.com didn’t actually go to GMail

The other day, I logged on to my home network and entered gmail.google.com from Firefox. Imagine my surprise when I got a “landing” page with a bunch of URLs, rather than the usual spartan GMail page.

One terrifying thought followed the other. Was my machine infected? Was my WiFi router compromised? Maybe the ADSL modem? Worse, how long had it gone unnoticed?

Ok, time to take a deep breath and start isolating the problem, I figured.

I logged on from an alternate machine and found it worked fine there. I ran nslookup on gmail.google.com from the command prompt on my machine, and got back an IP address in the Google domain.

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 218.248.241.5

Name: www3.l.google.com
Address: 209.85.231.100
Aliases: gmail.google.com

Maybe some browser extension was causing the problem? To isolate that, I tried navigating to the same URL from Chrome and IE. No luck there – I was still getting the wrong page.

Must be some kind of virus then, I figured. I wanted to see the IP address the browser was navigating to, so I fired up Wireshark and watched the traffic. Not surprisingly, I found this:

42  11.621942  192.168.1.100  61.1.96.69     DNS  Standard query A gmail.google.com
43  11.659343  61.1.96.69     192.168.1.100  DNS  Standard query response A 64.95.64.197

The IP address in the response (64.95.64.197), when run through a reverse lookup, resolved to a domain name that definitely wasn’t Google’s – the name suggested some kind of ad network. But wait, where did that answer come from? From 61.1.96.69. That was the DNS server the request was sent to, and as the Wireshark log shows, it responded with the wrong IP address for the domain name.

Ok, so my browser was sending a request to a hacked DNS server, and that was why I was getting the wrong page. But where did 61.1.96.69 (the DNS server) come from? And why does nslookup use a different DNS server (218.248.241.5)? Time to check the wireless router/ADSL modem then, I thought.
And sure enough, this is what I found on the router’s status page.

DNS 1: 218.248.241.5
DNS 2: 61.1.96.69

Was my router compromised to use a spiked DNS server? A reverse DNS lookup on 61.1.96.69 showed that it was in fact in the same domain as my ISP (BSNL/Sancharnet). So no, it wasn’t my router – BSNL was giving me the two IP addresses, and the second one, which my browser had used, was poisoned to return wrong IP addresses for requests for the gmail.google.com domain name.
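The diagnosis above rests on one comparison: the same name, asked of each resolver the router hands out, must yield the same answer, and the answer from the suspect resolver must agree with a trusted one. The script below makes that comparison directly rather than by reading nslookup output next to a Wireshark capture. It is an added example, not code from the post: it builds a raw DNS A query, sends it to a chosen resolver on UDP port 53 (so the system resolver is bypassed), parses the A records out of the reply, skipping the CNAME that gmail.google.com returns, and reports resolvers whose answer shares nothing with a reference answer. The helper names (`build_query`, `parse_a_records`, `query_a`, `outliers`) are my own, and `constructed_poisoned_response` assembles a reply byte-for-byte by hand using the addresses the post reports; it is constructed, not captured.

```python
import random
import socket
import struct

# All helper names here are this example's own, not the post's tooling.
# Sample addresses come from the post; the response bytes are constructed.


def build_query(name, txid):
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            jumps += 1
            if jumps > 16:
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # CNAME and anything else is skipped over
    return addrs


def query_a(name, server, timeout=2.0):
    """Ask one specific resolver (not the system one) for the A records of name."""
    txid = random.randrange(0, 1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def outliers(answers, reference_ips):
    """Resolvers whose answer shares no address with a trusted reference answer."""
    ref = set(reference_ips)
    return sorted(srv for srv, ips in answers.items() if not ref & set(ips))


def constructed_poisoned_response(txid=0x1234):
    """Constructed (not captured) reply: gmail.google.com CNAME www3.l.google.com,
    then www3.l.google.com A 64.95.64.197, the wrong address from the post."""
    question = b"\x05gmail\x06google\x03com\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # 1 question, 2 answers
    cname_rdata = b"\x04www3\x01l" + struct.pack("!H", 0xC000 | 18)  # -> "google.com" at offset 18
    cname_rr = (struct.pack("!H", 0xC00C)  # owner: pointer to the question name
                + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata)
    a_owner = 0xC000 | (12 + len(question) + 2 + 10)  # pointer to www3.l.google.com
    a_rr = (struct.pack("!H", a_owner)
            + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("64.95.64.197"))
    return header + question + cname_rr + a_rr


if __name__ == "__main__":
    # Offline demo with the post's figures. For a live check, replace the
    # dictionary values with query_a("gmail.google.com", server) for each
    # resolver listed on the router's status page.
    answers = {
        "218.248.241.5": ["209.85.231.100"],
        "61.1.96.69": parse_a_records(constructed_poisoned_response(), 0x1234),
    }
    print("answers:", answers)
    print("disagreeing resolvers:", outliers(answers, ["209.85.231.100"]))
```

The reference answer can come from whatever you trust more than the ISP's resolvers: a second machine that behaves, or a resolver you control. Checking the transaction id on the reply is deliberate: it is the same check a resolver relies on against forged responses, and a script that accepts any reply on the socket would be fooled by exactly the kind of answer this post is about.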
This was the first time I’d encountered DNS cache poisoning, and it is easy to see how dangerous it can be. SSL of course would save the day for secure websites – the fake website won’t be able to produce a valid certificate claiming to be the original website. But what about the millions of websites without a certificate? And how many internet users actually know about https versus http?
Terrifying, ain’t it?
I fixed the problem by forcing my router to use Google’s DNS servers rather than BSNL’s. Rather ironic, considering the trigger was incorrect lookup of one of Google’s own subdomains.

3 thoughts on “When gmail.google.com didn’t actually go to GMail”

  1. BSNL is pathetic against DNS Cache Poisoning. This is the 4th report I’m hearing about DNS poisoning on BSNL. And it’s even more terrible, they haven’t fixed it yet (the last time I heard about this was 2 months ago).

    Moving on to Google’s DNS is the safe option; might be slower than ISP’s DNS, but safe enough to forgo speed.

  2. I initially thought of filing a complaint, but then I figured I’ll never be able to explain all this over the phone to the call center guy – he’ll probably ask me to change the modem :)
