LinuxQuestions.org

Linux - Networking forum thread: https://www.linuxquestions.org/questions/linux-networking-3/internal-network-is-not-resolving-hosts-and-ping-redirected-to-198-105-244-228-a-4175528190/

rlj4214 12-13-2014 03:39 PM

Internal.network is not resolving hosts and ping redirected to 198.105.244.228
 
My internal.network is failing to resolve the hosts that are attached.
There are 5 static hosts and a just a couple of dynamic at this point.
The internal hosts at internal.network are all listed in the config file.
Trying to ping a host by name results in being sent to 198.105.244.228.
In the event that you are not familiar with that IP it is:

OrgName: Search Guide Inc
OrgId: SG-63
Address: 1942 Broadway
Address: Suite 319
City: Boulder
StateProv: CO
PostalCode: 80302
Country: US
RegDate: 2012-06-26
Updated: 2012-06-26

It is a known browser redirect malware operation.
That IP is no where that I can find in my configuration.
ISP is Time Warner and the router is one of their new Arris units.
I am more than a little irritated.
Is there something that you can think of that I can check in my configuration file that may point to a solution?

Thanks in advance for any help you may provide.
Take Care

Ser Olmy 12-13-2014 03:47 PM

A browser exploit shouldn't be able to affect the DNS cache or name resolution mechanism on the system itself, so there has to be something more going on.

When you say this:
Quote:

Originally Posted by rlj4214 (Post 5284178)
The internal hosts at internal.network are all listed in the config file.

...what exactly do you mean? Which config file are you referring to?

Which DNS server(s) are you using? Could you post the output from these commands:
Code:

nslookup <affected hostname>
nslookup <affected hostname> 8.8.4.4

Substitute one of the hostnames for "<affected hostname>".

(Feel free to sanitize the output if you don't want to reveal the exact hostnames, but please leave any IP addresses unchanged.)

rlj4214 12-13-2014 04:52 PM

I'm telling you that the internal network lookup and ping etc is being redirected to the malware site.
EVERY TIME.
I am aware it is a browser redirect.
I am also aware that it is causing problems with resolution on my internal dns.
Mobile right this second but I'll review this as soon as I get home.
In the configuration files for dns/bind and dhcp there is no reference to this IP anywhere that I see.

Thank you for your reply.
I will give you a better answer here in a little while.

Ser Olmy 12-13-2014 05:00 PM

Quote:

Originally Posted by rlj4214 (Post 5284207)
I'm telling you that the internal network lookup and ping etc is being redirected to the malware site.
EVERY TIME.
I am aware it is a browser redirect.

Yes, I know what you said, as I did read your initial post. And it cannot be just a browser redirect if it also affects the ping command.
Quote:

Originally Posted by rlj4214 (Post 5284207)
I am also aware that it is causing problems with resolution on my internal dns.

The results from the nslookup commands should tell you if there's a problem with the DNS server, or if it's a local problem. By the way, have you checked the hosts file?

rlj4214 12-17-2014 12:16 AM

Quote:

Originally Posted by Ser Olmy (Post 5284211)
Yes, I know what you said, as I did read your initial post. And it cannot be just a browser redirect if it also affects the ping command.

The results from the nslookup commands should tell you if there's a problem with the DNS server, or if it's a local problem. By the way, have you checked the hosts file?

First of all thank you very much Ser, please forgive my frustrations.

Sorry for the delay. My frustration boiled over to yell at Time Warner / Comcast. It's good that I can't get to the NOC manager. It would be ugly.

Today sometime they pushed something down that shut down my entire network and the only reason I am able to post this is because I changed everything back to THEIR DHCP.
The system was "sorta" running for a while but I came home and was gonna look at it and couldn't get out much less see anything inside UNLESS I LET THEM SUPPLY EVERYTHING.

MY complete network was down and unusable. Bizarre IP addresses that had nothing to do with my internal network at all.

THIS HAPPENED THIS AFTERNOON. SOMETHING WAS PUSHED TO THE MODEM. INTRUSIVE BASTARDS!!!!!!!!!!!!!!!!!

Below you will find the information you requested but know that I am now dynamic with Time Warner /
Comcast.

[root@wopr ~]# nslookup wopr.internal.rljnet
Server: 2605:6000:f6c9:5a00:921a:caff:fee7:3ed7
Address: 2605:6000:f6c9:5a00:921a:caff:fee7:3ed7#53

** server can't find wopr.internal.rljnet: NXDOMAIN


[root@wopr ~]# nslookup wopr.internal.rljnet 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find wopr.internal.rljnet: NXDOMAIN

and just for fun

[root@wopr ~]# nslookup rljnet.com 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

Non-authoritative answer:
Name: rljnet.com
Address: 70.114.244.156

[root@wopr ~]# nslookup rljnet.com
Server: 2605:6000:f6c9:5a00:921a:caff:fee7:3ed7
Address: 2605:6000:f6c9:5a00:921a:caff:fee7:3ed7#53

Non-authoritative answer:
Name: rljnet.com
Address: 70.114.244.156

Any ping goes to 198.105.244.228
I have IPv6 supposedly disabled to try and troubleshoot; however, it does not appear to be the case.

DNS servers
Modem 192.168.0.1;
Time Warner 209.18.47.62;
Time Warner 209.18.47.61;
DYNDNS 208.76.58.166;
DYNDNS 208.76.58.159;
DYNDNS 208.76.58.175;
DYNDNS 208.76.58.137;

[root@wopr ~]# ifconfig
enp10s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::5246:5dff:fe66:5897 prefixlen 64 scopeid 0x20<link>
inet6 2605:6000:f6c9:5a00:5246:5dff:fe66:5897 prefixlen 64 scopeid 0x0<global>
ether 50:46:5d:66:58:97 txqueuelen 1000 (Ethernet)
RX packets 16649 bytes 12937705 (12.3 MiB)
RX errors 0 dropped 961 overruns 0 frame 0
TX packets 5714 bytes 699165 (682.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 2550 bytes 352381 (344.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2550 bytes 352381 (344.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:27:d2:c1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


virbr0 appears to be impossible to remove and it does on occasion have an IPv6 address depending on its mood. Can't seem to get rid of it and I suspect it is part of the problem.

This is apparently a Centos7 thing and is most annoying.
At one point I had like 5 plus "Automatic Ethernet" connections and at least as many bridges. NONE OF THEM SHOULD BE THERE. Bitched at Centos about it, and of course it must be on my end.

Host file
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.1 router
192.168.0.2 wopr
192.168.0.3 ngnasgb
192.168.0.4 ngnas100
192.168.0.5 wdnas
192.168.0.6 mfcj6710dw

There is no way you can imagine my anger.
I pay these pricks for service and they can't leave me alone and just give me an IP address.

Tell me if you want the config files they are fine from what I can tell.


I wonder if ATT pulls this crap?


Anything else you would like to see?

rlj4214 12-17-2014 09:31 AM

I am going to go through the configuration from scratch one more time and look for another ISP while I'm at it.
99% sure this is their doing.

Hope Y'all are having a great day.

rlj4214 12-17-2014 06:23 PM

I am being told that it is a Time Warner site on Broadband reports.

Still tampering with a customer.

MikeDeltaBrown 12-17-2014 09:20 PM

Double check that /etc/resolv.conf is pointing to your internal nameserver and has a search line consistent with your internal network name.

Assuming that your internal nameserver is 192.168.0.2, use these commands to check that it is properly resolving names:

dig wopr.internal.rljnet
dig wopr.internal.rljnet @192.168.0.2
(dig is a command that is part of ISC's bind name server)

If you have machines on the internal network that are getting their configuration automatically, determine what machine is set up as a DHCP server and double check its configuration. It may be the router, so if your ISP pushed an update, that may have set the configuration to a default that makes it the DHCP server and turns on IPv6.
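The resolv.conf check Mike describes, written out as an added example (this is not code from the thread or from any poster): it parses a resolv.conf, confirms the first nameserver is the internal BIND host, and confirms the search list names the internal domain. The two sample files are constructed; the values 192.168.0.2 and internal.rljnet are taken from earlier posts as assumptions about the poster's setup and can be overridden on the command line.

```python
"""Added example: check that /etc/resolv.conf points at the internal
nameserver and carries a search line for the internal domain, as
MikeDeltaBrown suggests. Not code from the thread."""
import sys

# Constructed sample resembling what the poster reported: the first (and
# only) nameserver is the router, 192.168.0.1, and there is no search line.
SAMPLE_BAD = """# Generated by NetworkManager
nameserver 192.168.0.1
"""

# Constructed sample of the intended configuration: internal BIND host first,
# router as fallback, search list naming the internal domain.
SAMPLE_GOOD = """search internal.rljnet
nameserver 192.168.0.2
nameserver 192.168.0.1
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_list) from resolv.conf text.

    Mirrors how the glibc resolver reads the file: '#' and ';' start
    comments, 'domain' is a one-entry search list, and whichever of
    'search'/'domain' appears last wins.
    """
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        elif parts[0] in ("search", "domain"):
            search = parts[1:]
    return nameservers, search


def check_resolv_conf(text, internal_ns, internal_domain):
    """Return a list of findings; an empty list means the file is as expected."""
    findings = []
    nameservers, search = parse_resolv_conf(text)
    if not nameservers:
        findings.append("no nameserver lines (resolver falls back to 127.0.0.1)")
    elif nameservers[0] != internal_ns:
        findings.append(
            f"first nameserver is {nameservers[0]}, expected {internal_ns}"
        )
    if internal_domain.lower() not in (d.lower() for d in search):
        shown = " ".join(search) if search else "(empty)"
        findings.append(f"search list {shown} does not include {internal_domain}")
    return findings


if __name__ == "__main__":
    # Usage: python check_resolv.py [path] [internal_ns] [internal_domain]
    # Defaults are assumptions taken from this thread, not fixed values.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    ns = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.2"
    dom = sys.argv[3] if len(sys.argv) > 3 else "internal.rljnet"
    with open(path) as fh:
        problems = check_resolv_conf(fh.read(), ns, dom)
    for p in problems or ["resolv.conf looks as expected"]:
        print(p)
```

Run against SAMPLE_BAD it reports two findings (router instead of the internal nameserver first, and no search entry for the internal domain), which is the state rlj4214 later reports seeing. On a NetworkManager system such as CentOS 7 the file is regenerated from the DHCP lease, so a check like this is worth repeating after every lease renewal rather than once.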

rlj4214 12-17-2014 09:30 PM

I'm thinking that after talking to a guy on Broadband reports that this is a direct result of my cable modem / router and the TWC "updates".

I'm getting another router and wireless switch and should have it set up next week sometime. Tired of the intrusion and hopefully this will stop part of it. At least that is what I'm told.

The resolv.conf file is currently pointing to 192.168.0.1 which is NOT where I had it set originally. (however, at this point I did set it back to the router address 192.168.0.1 in order to have something I can use.)

I'll post something else one way or another when I get it running.

Thank you very much for your reply Mike.

Take Care


Oh Yeah. I am told that ATT is worse than TWC about this sort of thing.

kscott741 01-22-2015 05:11 PM

So, I am glad I am not alone!!! So let me add some additional information to your (OUR) issue:
I had AT&T Uverse and did NOT have this problem. I just (2 days ago) switched out AT&T Uverse for Time Warner. Bought my own router Netgear C6300. Since the switchover I am no longer able to ping by hostname OR remote desktop or access pretty much any other computer on my small home network by name (used to work great).

I am seeing EXACTLY what you saw. When you ping by name it comes up and shows the IP [198.105.244.228] and of course never connects to the other computer.

So, it is clearly something Time Warner is doing. We have different Routers. So I also checked the Netgear firmware (I wanted to be on the latest version) and it is NOT available for download and installation. Netgear says it is controlled by "your cable provider". Of course I was having some other issues with the router so I contacted Netgear. Of course they said to contact Time Warner and have them "reload" the firmware. Of course you know by now the finger pointing has begun. The Time Warner rep on the phone was (is) oblivious. I asked for a reload and they said "go to the Netgear website and download and apply it". Yah, great, sure. So the firmware never got updated but I was able to determine the firmware is a little "flaky" and eventually got the function I needed working.

So I believe this is related to the DHCP server or DNS settings. I am testing switching over to my Synology NAS for DHCP services (to see if it controls the clients differently and allows me to control the "domain" where the netgear just assigned it to .local).

If I figure any more out I will come back and post.

kscott741 01-22-2015 06:05 PM

Ok, so I was able to get my stuff working.

The Ping issue is tied to the DNS servers that Time Warner is using. The IPs for their DNS on my system were: 209.18.47.61 and 209.18.47.62.

Based on information I found in another forum online it was suggested to switch OFF of the Time Warner DNS. So I switched over to Google DNS and configured the ROUTER to use DNS entries: 8.8.8.8 and 8.8.4.4. Next I rebooted the router and computers. I am now able to ping by hostname AND access other computers (RDP etc) by hostname.

UGH. Glad this is over.

liamkennedy 01-07-2018 01:47 AM

This is still an issue on newly installed Time Warner (Spectrum) routers
 
I was writing python code to verify I can access critical internet services required for my application to function. As part of that I was creating a test for fictitious domain names - and I was chasing my tail for a while because these bogus domain names were returning as valid. On further testing I found that my router's DNS is returning the IP address "198.105.244.228" for any bogus domain. Which a whois comes back with that search site (and a google search of that IP had me find this thread). Had me thinking my router has a malware exploit on it.... only to find out it's actually been a "feature" of these routers from Time Warner for years.

What the heck?

So.. I guess I am going to override the DNS servers on the router.

Why would time warner/spectrum do this? This seems outrageous.
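The diagnostic Ser Olmy asked for and the bogus-domain test liamkennedy describes, combined into one added example (not code from the thread or from any poster). It parses nslookup output of the kind posted above to separate a real answer from NXDOMAIN, and it generalizes the bogus-name test into a probe: query a handful of random labels that cannot exist, and if every one of them resolves to the same address the resolver is substituting a fixed answer for NXDOMAIN. The nslookup samples and the two stand-in resolvers are constructed so the block runs offline; the default domain internal.rljnet and the address 198.105.244.228 are taken from the thread.

```python
"""Added example: detect NXDOMAIN hijacking (a resolver that answers
every nonexistent name with one fixed address). Not code from the thread."""
import secrets
import socket

# Constructed copies of the two kinds of nslookup output seen in the thread.
NSLOOKUP_NXDOMAIN = """Server:  8.8.4.4
Address: 8.8.4.4#53

** server can't find wopr.internal.rljnet: NXDOMAIN
"""

NSLOOKUP_ANSWER = """Server:  8.8.4.4
Address: 8.8.4.4#53

Non-authoritative answer:
Name: rljnet.com
Address: 70.114.244.156
"""


def parse_nslookup(output):
    """Return the answer address from nslookup output, or None for NXDOMAIN.

    The first 'Address:' line is the server's own address with a '#53' port
    suffix; answer lines carry no port suffix, so they are told apart by '#'.
    """
    answer = None
    for raw in output.splitlines():
        line = raw.strip()
        if "NXDOMAIN" in line:
            return None
        if line.startswith("Address:") and "#" not in line:
            answer = line.split(":", 1)[1].strip()
    return answer


def random_names(domain, count):
    """Labels such as probe-3f9a1c2e.<domain>, effectively guaranteed not to exist."""
    return [f"probe-{secrets.token_hex(4)}.{domain}" for _ in range(count)]


def classify(results):
    """results maps name -> address (or None for NXDOMAIN).

    honest:       every random name came back NXDOMAIN
    hijacked:     every random name resolved, all to the same address
    inconsistent: anything else (a genuine wildcard record, or mixed results)
    """
    addresses = list(results.values())
    answered = {a for a in addresses if a is not None}
    if not answered:
        return "honest", None
    if len(answered) == 1 and None not in addresses:
        return "hijacked", next(iter(answered))
    return "inconsistent", None


def probe(lookup, domain="internal.rljnet", count=5):
    """Run lookup() on random names under domain and classify the resolver."""
    return classify({name: lookup(name) for name in random_names(domain, count)})


def system_lookup(name):
    """Resolve through the host's configured resolver (whatever resolv.conf names)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-ins for the two resolvers compared in the thread, so the
# probe runs offline: an ISP resolver that answers everything with
# 198.105.244.228, and a resolver that reports NXDOMAIN as it should.
def fake_hijacking_resolver(name):
    return "198.105.244.228"


def fake_honest_resolver(name):
    return None


if __name__ == "__main__":
    verdict, addr = probe(system_lookup)
    suffix = f" (every answer was {addr})" if addr else ""
    print(f"configured resolver: {verdict}{suffix}")
```

socket.gethostbyname() can only use the resolver the system is configured with, which is exactly what needs testing here; to compare against a specific server such as 8.8.4.4, run nslookup or dig with that server as Ser Olmy showed and feed the output to parse_nslookup(). A "hijacked" verdict on random names under your own internal domain is the situation in this thread: the ISP resolver is answering for names your internal BIND server would have rejected.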

astrogeek 01-07-2018 02:06 AM

Quote:

Originally Posted by liamkennedy (Post 5803170)
Why would time warner/spectrum do this? This seems outrageous.

They do it to take advantage of mis-typed domains, copy/paste errors and every single attempt to load an expired domain and turn it into an opportunity to deliver ads! Verisign used to do this as well as many ISPs and others... if we call it what it is we would spell it with some variation of "SPAM" in my opinion.

As I recall Verisign was sued over the practice because it returns what looks like a valid DNS response, but is not in fact what you were looking for! I think the argument was that if they cannot return the requested information or forward to an authoritative source, the protocol does not allow them to simply make something up!

On the other hand, I am sure an ISP would call it a "feature" which prevents users from otherwise reaching a dead end, and most users are probably oblivious to it anyway. Just change your DNS settings and move along...

