LinuxQuestions.org
Old 12-07-2006, 01:13 AM   #1
pradi_net
LQ Newbie
 
Registered: Apr 2004
Posts: 15

Rep: Reputation: 0
Any domain name gets resolved to c17-ss-2-lb.cnet.com


I have a Red Hat Linux 8.0 box with me. I am pointing to my service provider's DNS server. All of a sudden my Firefox browser started displaying "404 page not found error" for all websites. It lasts for some time and disappears. This happens frequently. When I did nslookup the result was perfect, but ping to any domain resolves to "c17-ss-2-lb.cnet.com". How can I trace the problem?


HERE IS PING OUTPUT WHEN THE PROBLEM OCCURS.
ping www.yahoo.com
PING c17-ss-2-lb.cnet.com (216.239.113.148) 56(84) bytes of data.
64 bytes from c17-ss-2-lb.cnet.com (216.239.113.148): icmp_seq=0 ttl=239 time=325 ms
64 bytes from c17-ss-2-lb.cnet.com (216.239.113.148): icmp_seq=1 ttl=239 time=322 ms
 
Old 12-07-2006, 09:04 AM   #2
osvaldomarques
Member
 
Registered: Jul 2004
Location: Rio de Janeiro - Brazil
Distribution: Conectiva 10 - Conectiva 8 - Slackware 9 - starting with LFS
Posts: 519

Rep: Reputation: 34
Hi pradi_net,

You can use traceroute to see what the route is for any domain you want to go to. For example,
Code:
# traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.179.104
traceroute to www.google.com (64.233.179.104), 30 hops max, 38 byte packets
 1  * * *
 2  Se5-0-5-0.BOT-RJ-ROTD-01.telemar.net.br (200.222.119.117)  8.882 ms  8.798 ms  7.808 ms
 3  200.223.254.121 (200.223.254.121)  45.237 ms  9.417 ms  8.227 ms
 4  SO-1-1-0-NYC-US-ROTB-01.telemar.net.br (200.223.131.69)  130.668 ms  130.621 ms  130.639 ms
 5  1-0.GigabitEthernet.GW12.NYC1.ALTER.NET (208.192.183.249)  134.173 ms  131.041 ms GigabitEthernet5-0.GW12.NYC1.ALTER.NET (208.192.183.153)  110.342 ms
 6  0.so-1-3-0.XL1.NYC1.ALTER.NET (152.63.29.194)  131.228 ms  130.721 ms  157.604 ms
 7  0.so-6-1-1.XL3.NYC4.ALTER.NET (152.63.21.22)  130.857 ms  134.916 ms  134.355 ms
 8  0.ge-4-0-0.BR2.NYC4.ALTER.NET (152.63.3.110)  131.126 ms *  111.139 ms
 9  if-7-2.core1.NTO-NewYork.teleglobe.net (216.6.82.9)  111.356 ms  111.222 ms  111.530 ms
10  216.6.97.13 (216.6.97.13)  131.489 ms  132.873 ms  130.437 ms
11  if-1-0-0.core3.AEQ-Ashburn.teleglobe.net (216.6.51.5)  141.920 ms  137.861 ms  117.577 ms
12  * * *
13  209.85.130.14 (209.85.130.14)  126.813 ms 209.85.130.18 (209.85.130.18)  126.966 ms 209.85.130.16 (209.85.130.16)  126.755 ms
14  72.14.238.136 (72.14.238.136)  126.348 ms 72.14.238.97 (72.14.238.97)  125.730 ms  126.082 ms
15  72.14.239.17 (72.14.239.17)  135.830 ms 72.14.238.157 (72.14.238.157)  140.692 ms  126.546 ms
16  72.14.238.182 (72.14.238.182)  129.137 ms  129.528 ms  129.522 ms
17  hs-in-f104.google.com (64.233.179.104)  127.345 ms  126.759 ms  126.114 ms
You will see all the hosts your message goes through until it finds the desired one. Some hosts do not respond to traceroute and will time out; you will see it as "12 * * *".

The problem you report may be an attack on your ISP's DNS server. You may try to change the servers you use, as your ISP gives you at least two servers. Generally, depending on your distribution and the type of connection, these addresses may be in the files "/etc/resolv.conf" or "/etc/ppp/resolv.conf".

Don't forget to restart Firefox after any change, as it reads its DNS servers on startup.
 
Old 12-07-2006, 10:57 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
If nslookup works fine, but other tools are not getting the right information, it's possible that your /etc/hosts file has been tampered with. Examine /etc/hosts to make sure it doesn't have any strange entries (it should only be 127.0.0.1, ::1, and your IP address).

It could also be an active DNS poisoning attack. Red Hat 8 is ancient and likely has a very old version of BIND that could be vulnerable to all kinds of evil things. You should really upgrade your OS and install something more modern.
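The /etc/hosts check suggested in the last reply, as an added example that is not part of the original thread: nslookup queries the DNS server directly, while ping and browsers go through the system resolver, which normally reads /etc/hosts before DNS. The function names `lookup_order` and `audit_hosts`, the sample files, and the address 192.0.2.10 standing in for the machine's own IP are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find hosts-file entries that override DNS.

# Print the sources on the "hosts:" line of an nsswitch.conf-style file.
# "files" before "dns" means /etc/hosts is consulted first.
lookup_order() {
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Usage: audit_hosts FILE [OWN_IP...]
# Print "line: address names" for every entry that is not loopback, not a
# standard IPv6 localnet/multicast entry, and not one of the caller's own IPs.
audit_hosts() {
    file=$1; shift
    awk -v own="$*" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # blank or incomplete line
        $1 ~ /^127\./ || $1 == "::1" { next }   # loopback
        $1 ~ /^(fe00|ff00|ff02)::/ { next }     # ip6-localnet, ip6-allnodes, ...
        ($1 in ok) { next }                     # the machine itself
        { $1 = $1; printf "%d: %s\n", NR, $0 }  # anything else needs a look
    ' "$file"
}

# Constructed sample input: a hosts file with one entry that would make
# every listed name resolve to the address seen in the ping output above.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '127.0.0.1 localhost' \
        '::1 localhost' \
        '192.0.2.10 mybox.example   # own address (placeholder)' \
        '216.239.113.148 www.yahoo.com www.google.com' > "$tmp/hosts"
    printf '%s\n' '# constructed sample' 'passwd: files' \
        'hosts:   files dns' > "$tmp/nsswitch.conf"
    echo "lookup order: $(lookup_order "$tmp/nsswitch.conf")"
    echo "entries to review:"
    audit_hosts "$tmp/hosts" 192.0.2.10
    rm -rf "$tmp"
}

demo
```

On a real system, run `audit_hosts /etc/hosts` followed by the machine's own addresses; any line it prints is a name that will never reach the DNS server.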
 
  

