Please have a look at this screenshot. http://i.imgur.com/0rqCt.png?1 I am wondering why a local NetBIOS query would result in an outside Colorado-based IP being returned. Thanks, Pluribus asked 03 Jun '12, 12:54 pluribus
One Answer:
That's down to the name resolution done by IP 192.168.1.1, possibly your router. The two A records returned are 69.16.143.110 and 184.106.15.239 and neither of them seems to have much to do with the name "WORKGROUP", which comes from the default workgroup for a non-domain Windows machine. Wireshark shows the subsequent SYN requests with destination "WORKGROUP" due to the A records returned by the preceding DNS queries populating the name cache. Edit: The IP addresses returned from the query are due to the user's ISP hijacking DNS queries for unknown hosts. TimeWarner / RoadRunner dumbness. answered 03 Jun '12, 13:47 grahamb ♦ edited 04 Jun '12, 01:47
Thanks for the rapid reply. I am not sure I understood fully.
In a nutshell are you saying the events are not related to a lookup for "workgroup?"
Is this normal behavior that I am just not grasping?
Also when I do a
ping workgroup
PING workgroup (69.16.143.110) 56(84) bytes of data.
why would my DNS server resolve the word "workgroup" to anything? I am confused.
I just got it, this is part of my ISP advertising, all unknown names return this landing page at 69.16.143.110.
OK, one mystery solved, time to edit resolv.conf to something a little better like 8.8.8.8
Looks a little odd to me, why is your dns resolver returning those A records? Does the machine at 192.168.1.1 run a full dns resolver or is it just forwarding queries?
192.168.1.1 is a wireless router. If you navigate to the IP it is sort of like an ad for the ISP. So, if I ping anything at all with no TLD it will resolve to that IP. It is odd imo too, the 192.168.1.1 has no DNS server enabled on it. When I changed /etc/resolv.conf to read 8.8.8.8 instead of localhost the issue went away. Now when I "ping workgroup" I get the message "unknown host."
If any behavior seems odd please let me know what tests I can run, because I have definitely been having strange experiences on the network lately, including a lot of BAD TCP traffic and some other alarming traffic.
That'll be an ISP "enhancement" then: instead of returning "unknown host" as required, they return the IP address of a landing page to throw advertising at you.
Searching for "DNS landing page" will get you many similar complaints. What is your ISP?
timewarner / roadrunner
BTW, to test it, I changed my router's DNS servers to OpenDNS and Google.
Now when I ping workgroup I get this:
PING workgroup (67.215.65.132) 56(84) bytes of data.
64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=1 ttl=51 time=15.7 ms
64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=2 ttl=51 time=15.0 ms
That IP is another landing page; if you pop it into your browser, same idea. "Enhancement", not unlike the rootkit enhancement known as Computrace that has been put on millions of computers sold by HP, Dell, Lenovo, etc. All infected with a LoJack device from Absolute Software that can be turned into a trojan by an attacker. Gotta love the manufactured consent of all these wonderful enhancements.
Thanks to Wireshark I am finding and eliminating all these enhancements one at a time.
Those "enhancements" are a key feature of OpenDNS. They try to filter your DNS requests for typos, malware sites and other things. Based on the result they will return an IP address of a landing page (malware, unknown host, etc.) or the right web site (typo). It's kind of a managed, enhanced DNS. Some people love it, some hate it ;-) However, the behaviour of your ISP is plain dumb. Resolving a single host query (not a FQDN) to an external landing page is a really bad idea and calls for trouble.
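The check the thread arrives at, as an added example (not code from the thread or from Wireshark): a single-label name such as WORKGROUP should come back NXDOMAIN, so a response that instead carries public A records is the ISP landing-page behaviour. The DNS messages below are constructed inline with the two addresses from the answer; only the Python standard library is used.

```python
import struct
import ipaddress

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, txid, a_records, rcode=0):
    """Build a minimal DNS response (constructed test data, not a real capture).
    Each answer RR uses a compression pointer (0xC00C) back to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    question = _encode_name(qname) + struct.pack(">HH", 1, 1)        # QTYPE A, QCLASS IN
    rrs = b"".join(struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in a_records)
    return header + question + rrs

def _parse_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                                          # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _parse_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def parse_response(msg):
    """Return the question name, RCODE and A-record addresses of a DNS response."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = _parse_name(msg, 12)
    off += 4                                                          # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"qname": qname, "rcode": flags & 0xF, "a": addrs}

def hijack_indicators(resp):
    """Single-label name (no dot) answered with public A records instead of NXDOMAIN:
    returns the offending addresses, empty list when the response looks legitimate."""
    if "." in resp["qname"] or resp["rcode"] == 3 or not resp["a"]:
        return []
    return [ip for ip in resp["a"] if ipaddress.IPv4Address(ip).is_global]
```

Fed a real capture, the same parser can be run over the DNS payload Wireshark exports, and a non-empty result on a name like WORKGROUP is the landing-page redirect the answer describes.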