DNS mystery

sotar
Grafter
Posts: 38
Registered: 31-07-2007

DNS mystery

Hi there
During a routine check of my router logs I discovered that the DNS IP assigned to my ADSL profile had changed to 168.95.1.1. Looking at the event log I see that line disconnected at about 1am this morning and a few times between 3am and 4am.

On resetting manually the connection has returned to 212.159.6.9 as expected.
As the ADSL profile is set to automatically pick up the DNS from PlusNet when it connects can someone please explain how I was assigned this address.
Regards


8 REPLIES
adamwalker
Plusnet Help Team
Posts: 16,871
Thanks: 882
Fixes: 221
Registered: 27-04-2007

Re: DNS mystery

168.95.1.1 is dns.hinet.net. Hinet is a far eastern webmail service and Google searches seem to indicate that it's heavily linked to spamming.
Quote
can someone please explain how I was assigned this address.

I can't directly, but without wanting to cause alarm, and bearing in mind what I've mentioned about spam, I'd advise running checks for virii, adware and malware.
 Adam Walker
 Plusnet Help Team
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: 15-06-2007

Re: DNS mystery

Silly question - how can a virus/trojan/etc. on the computer affect the router's DNS server, which it gets automatically from the connection? And the change appeared to happen at 1.00am.
I ask having spotted this http://www.draytek.com/.upload/Demo/Vigor2910_v3.2.5.1/
RichardB
Seasoned Champion
Posts: 1,038
Thanks: 385
Fixes: 39
Registered: 19-11-2008

Re: DNS mystery

Oldjim
There is some malware which logs into routers via the web interface & changes the DNS settings.
see http://en.wikipedia.org/wiki/Zlob_trojan
It is recommended that router passwords are not left as the manufacturer's defaults.
Richard
sotar
Grafter
Posts: 38
Registered: 31-07-2007

Re: DNS mystery

Adam:
Yes, I too did a search on the IP and found similar information to you and being somewhat concerned posted the query to see if anyone else had experienced anything like this.
Jim:
I use a Billion 7402X router/modem. It's 1 month old and as far as I recall didn't come with any default DNS IP settings. They had to be applied when I created my ADSL profile to connect to PlusNet.
I can't confirm the exact date time of the change, but the router's ADSL profile is set to automatically retrieve the DNS IPs from the ISP every time the router re-establishes a connection - at least that is my experience of it.

I use a number of computers running Mac OS X, Windows XP and Windows 7, and also have a Humax PVR with internet access. I am pretty certain I don't have a trojan/virus on any of them but I can try and check. Even if I did, it would need to be quite sophisticated to get hold of the router's login credentials, identify the type of router and apply the appropriate settings to the ADSL profile.
Also, applying changes to the settings causes the router to re-establish a connection. When I checked the ADSL profile the 'Obtain DNS' option was flagged as 'automatic' (i.e. fetch from ISP), which would have overridden any manual settings.
So still a mystery. If I turn up anything I will keep you posted. Meanwhile any suggestions would be gratefully received.
Regards
Anonymous
Not applicable

Re: DNS mystery

If it were mine, I would manually set the DNS values to 'OpenDNS' and 'Norton DNS', as both are consistently significantly faster than Plusnet's DNS.
Hopefully using DNS manual settings should avoid the gateway picking up anything unexpected.
sotar
Grafter
Posts: 38
Registered: 31-07-2007

Re: DNS mystery

Hello again
Following advice from Adam, and the link provided by RichardB, yesterday I did a full virus scan on my Mac OS X PCs (using Avast) and a full scan of my Windows PCs (using Windows Security Essentials and Sophos). They all returned a clean bill of health.
This left my Humax freeview box and NAS boxes as the only other sources of malware, all Linux-based machines. I have no idea how to go about testing the HUMAX device. Of the NAS boxes, one connects only to PlusNet's mail servers to download/send emails, the other switches itself on briefly every evening purely to take a backup of the first one and then switches itself off. For any of these to be the source of malware, either:
1) Something penetrated the router's NAT firewall, somehow managed to obtain admin login credentials and planted software to alter the router settings.
2) Something was downloaded onto one of the PCs that then, somehow, managed to obtain admin login credentials to one of these devices and plant software on them that then went on to alter the router settings.
This seems unlikely and in any event they can be ruled out of contention as the source of the malware by the following.
Last night, just before going to bed, all PCs were switched off, as were the NAS boxes and the HUMAX box. I then used one of my PCs to check the ADSL profile on the router. It showed me the DNS IPs were 212.159.6.9 and 212.159.6.10.
First thing this morning I powered up a PC and the first thing I checked was the router's ADSL profile (see attached screenshot ADSLbefore.jpg).
The DNS IPs are set to 168.95.1.1 and 168.95.192.1. You will also note the 'Obtain DNS Automatic' flag is ticked.
From the ADSL profile screen I clicked the Edit/Delete button to apply changes. As mentioned previously, as part of this process the router re-establishes a connection. As a result the DNS IPs are now reset to 212.159.6.9 and 212.159.6.10 (see attached screenshot ADSLafter.jpg).
So at some point during the night, when ALL network PCs and devices were switched off, the DNS IPs were changed. According to the router's event log the only thing to occur in that time was a disconnect/connect event (see attached screenshot Eventlog.jpg - note time is GMT).
I am left with three conclusions:
1) There is some malware on the PC I am using this morning (the only device on the network) that wasn't detected by the virus scan.
This is a possibility, however I don't see how any malware could 'manually' set DNS IPs on the router and then have them applied while leaving the 'Obtain DNS automatic' flag set. As stated before the act of applying changes re-establishes a connection and that flag would/should ensure the router overrides any manual settings (as demonstrated above).
On the point of re-establishing a connection when changing the ADSL profile: there is nothing in the event log to say a connection was re-established this morning after I had started my PC. So either the malware can change DNS values without this action occurring, or it can delete records from the event log.
2) Somehow the router itself is compromised.
Seems unlikely but it is a possibility and I will be posting a similar thread to this on the Billion forum to see if it rings any bells with anyone.
3) The router, when re-establishing a connection overnight, was issued spurious DNS IPs.
I have no detailed knowledge of the processes and communications involved in automatically establishing DNS IPs. I assume some sort of request must be made to a PlusNet server. Perhaps someone at PlusNet could offer advice.
@purleigh - The problem I have at the moment is: if I have some malware that is changing the DNS then it is simply going to overwrite whatever values I apply. Alternatively, if the router is being supplied unexpected addresses when it connects then it would imply that the server doing the supplying is compromised; not a reassuring thought.
@Richardb - Checked out the link you supplied, thanks. Just to confirm the router's admin password is NOT the default.
I will continue checking using different PCs in combination with the router configured with both manual/automatic DNS values. If anyone has any other suggestions then do let me know.
Regards
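One way to turn the before/after check described in this post into something repeatable, as an added example that is not code from the thread, from Billion or from Plusnet: the script pulls resolver addresses out of a saved copy of the router's ADSL profile page (or a resolv.conf-style file), compares them with the ISP resolvers named in the thread (212.159.6.9 and 212.159.6.10), and raises an alert when the HiNet or Google addresses also mentioned in the thread turn up. The two profile dumps are constructed for the example, and the field names 'Primary DNS' / 'Secondary DNS' are an assumption to be adjusted to whatever the router really exports.

```python
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the ISP is expected to hand out (the Plusnet addresses named in the thread).
EXPECTED_DNS = {"212.159.6.9", "212.159.6.10"}

# Addresses that should never appear on this connection. The HiNet pair are the
# vendor firmware defaults discussed in the thread; the Google pair is what the
# Billion release note switched that default to. Either means "not what the ISP sent".
KNOWN_NON_ISP = {
    "168.95.1.1": "HiNet default (vendor firmware fallback)",
    "168.95.192.1": "HiNet default (vendor firmware fallback)",
    "8.8.8.8": "Google public DNS (vendor firmware fallback)",
    "8.8.4.4": "Google public DNS (vendor firmware fallback)",
}

# Constructed sample dumps mirroring the ADSLbefore / ADSLafter screenshots.
# The field names are assumed; adjust them to what the router actually exports.
SAMPLE_BEFORE = """\
ADSL profile: plusnet
Obtain DNS Automatic: enabled
Primary DNS: 168.95.1.1
Secondary DNS: 168.95.192.1
"""

SAMPLE_AFTER = """\
ADSL profile: plusnet
Obtain DNS Automatic: enabled
Primary DNS: 212.159.6.9
Secondary DNS: 212.159.6.10
"""

# Matches 'nameserver 1.2.3.4' (resolv.conf) as well as 'Primary DNS: 1.2.3.4'.
_DNS_LINE = re.compile(
    r"(?i)\b(?:nameserver|primary dns|secondary dns|dns)\b[^0-9]*"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class Finding:
    address: str
    severity: str  # "ok", "warn" or "alert"
    reason: str


def extract_dns_servers(text: str) -> list:
    """Return the distinct, syntactically valid IPv4 resolvers found in a dump."""
    found = []
    for line in text.splitlines():
        match = _DNS_LINE.search(line)
        if not match:
            continue
        addr = match.group(1)
        try:
            ipaddress.IPv4Address(addr)  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if addr not in found:
            found.append(addr)
    return found


def audit_dns(servers, expected=EXPECTED_DNS, known=KNOWN_NON_ISP) -> list:
    """Classify each resolver: ok (ISP), alert (known fallback), warn (unknown)."""
    if not servers:
        return [Finding("", "warn", "no resolver address found in dump")]
    findings = []
    for addr in servers:
        if addr in expected:
            findings.append(Finding(addr, "ok", "matches ISP-assigned resolver"))
        elif addr in known:
            findings.append(Finding(addr, "alert", known[addr]))
        else:
            findings.append(Finding(addr, "warn", "not in expected set; investigate"))
    return findings


def is_clean(text: str) -> bool:
    """True only when every resolver in the dump is an expected ISP one."""
    return all(f.severity == "ok" for f in audit_dns(extract_dns_servers(text)))


if __name__ == "__main__":
    for label, dump in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for f in audit_dns(extract_dns_servers(dump)):
            print(f"  [{f.severity:5}] {f.address or '-':15} {f.reason}")
```

Run against a profile dump saved each morning (or a resolv.conf from a machine that takes its resolvers from the router) and the "alert" lines give the same signal the screenshots gave, without having to open the router's web interface and compare addresses by eye.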
JEB
Grafter
Posts: 262
Registered: 01-09-2007

Re: DNS mystery

The following looks to be relevant. This is for a different model but I expect the same is true for all of Billion's routers:
http://au.billion.com/downloads/7800nv_gz1.06d.pdf
Quote
Change the system’s default DNS setting from TWN (168.95.1.1) to google (8.8.8.8 and 8.8.4.4)

I would guess what is happening is that when your connection drops the router is defaulting to its built-in default, rather than using the DNS servers supplied by Plus. I would check if there is a firmware update available.

James
sotar
Grafter
Posts: 38
Registered: 31-07-2007

Re: DNS mystery

James thanks for that.
I am guessing then that IP address is some internal firmware setting that isn't changeable or even viewable to me. At least I can't find it on any configuration page and a backup of the router configuration didn't reveal it anywhere.
The router is already on the latest firmware so nothing I can do there.
So my plan for now is to switch off the 'Obtain DNS Automatic' option in the ADSL profile (i.e. use manually entered DNS IP addresses) and see how we go.
Thanks again everyone for your input.