Is my DNS hijacked or what's going on?


  1. Posts : 4
    Windows 7 Ultimate x64
       #1


    Hi, I am on a local network, 172.16.0.0/24, and have several computers on it working excellently, among others the one I am writing this post with. I am behind a VPN tunnel which starts at the router, so my computers aren't really aware of it.

    The problem I have is with a fresh install of Windows 7 where the network is going crazy.
    The ping reply from 10.0.0.1 can be explained by the VPN network on the outside finding the 10.0.0.0/24 network. But the question is: why is it pinging 10.0.0.1 and not the address from the nslookup? There is something modifying the translation somewhere. The browsers also get the wrong address. If I disable the adapter and enable it again, I get a few seconds of browsing time before it is trashed again.

    You can see in the dump below that pinging hd.se pings the wrong address and that nslookup gives a correct working address.

    Any help is really appreciated.

    Code:
    C:\Users\nn>ping hd.se
    
    Pinging hd.se [10.0.0.1] with 32 bytes of data:
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 11ms, Maximum = 11ms, Average = 11ms
    
    C:\Users\nn>nslookup hd.se
    Server:  resolver1.privateinternetaccess.com
    Address:  209.222.18.222
    
    Non-authoritative answer:
    Name:    hd.se
    Address:  192.71.242.51
    
    
    C:\Users\nn>ping 192.71.242.51
    
    Pinging 192.71.242.51 with 32 bytes of data:
    Reply from 192.71.242.51: bytes=32 time=19ms TTL=246
    Reply from 192.71.242.51: bytes=32 time=19ms TTL=246
    Reply from 192.71.242.51: bytes=32 time=19ms TTL=246
    Reply from 192.71.242.51: bytes=32 time=19ms TTL=246
    
    Ping statistics for 192.71.242.51:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 19ms, Maximum = 19ms, Average = 19ms
    
    C:\Users\nn>ping hd.se
    
    Pinging hd.se [10.0.0.1] with 32 bytes of data:
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    Reply from 10.0.0.1: bytes=32 time=11ms TTL=63
    
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 11ms, Maximum = 11ms, Average = 11ms


  2. Posts : 759
    Microsoft Windows 7 Ultimate 64-bit 7601 Multiprocessor Free Service Pack 1
       #2

    I would recommend that you check with Avast Free Antivirus's Wi-Fi Inspector. It will check and advise you if you need to change the settings in the router or DNS server, if that is hijacked.
    I do not know if I can answer the queries, but as I also had a similar issue, I changed the settings as per Avast's advice and now I am not having the vulnerability. The Wi-Fi Inspector checks the network and prompted the alert that it is vulnerable (not already hijacked) to DNS hns hijack, and it gave the remedy to change the DNS server to Google DNS.
    If the moderator feels that I could not give a solution, please let me know.


  3. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #3

    OK, I have an update to this, now that I have some time left.
    I changed the IP settings regarding the DNS to use a static DNS, the same one the nslookup resolver uses (209.222.18.222), and it seems to work. To me it indicates that there are different resolvers and only one of them is involved in my problem. Setting the DNS to static overrides the buggy one??
    Does anyone out there have a clue what the problem might be?


  4. Posts : 759
    Microsoft Windows 7 Ultimate 64-bit 7601 Multiprocessor Free Service Pack 1
       #4

    Hi, I was advised to use dynamic IPs, wherein your ISP provides one from a bunch; it varies with every login if you switch off the modem and log in.
    The static IP is fixed, and anybody, especially hackers, can track you, as from the brute force they use in their programs.
    Why not use Avast Free, which gives you a clue to the problem as well as the solution? I have reset the modem and scanned again, and it shows the vulnerability and the solutions also. I will do the same to escape any DNS hns hijack.
    The dynamic IP only has a problem when you log on to a given infected IP that is blocked on spotbot sites. You could just switch off and then, after a few minutes, log on to get a non-affected IP.
    In the world of modems, I think that there is more than meets the eye. I thought of it as just a normal electronic device, but then, reading network articles here and security articles elsewhere, I came to the conclusion that it is not simple. The world is seeing you wherever you go.
    There are router check programs, as given by fsecurity and GRC Shields Up, where you check the vulnerability of ports that are accessed through the router. I recommend Avast because it is free and does what is needed. You might be aware that even port 7547 is used by hackers to hijack not only DNS; they could as well access the router cfg files through it.


  5. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #5

    Hi,
    I have a rather large system in my home and am behind two firewalls and a VPN tunnel. The actual problem is isolated to Windows 7 itself. I tried Avast on the fresh Win 7 install as you wished, to no avail.
    Note that it isn't an external DNS problem, even though I formulated the question that way. As for the choice of DNS server, the only difference is that if I explicitly set the preferred server in the IPv4 preferences it works. But if I don't, the applications get the wrong IP number. Nslookup returns the correct number, but browsers, for example, use another API to resolve the IP numbers, so the problem lies somewhere in that area. You can see in the example above that the ping application gets the wrong IP whereas nslookup gets the correct IP!
    As for port 7547, I don't have a DSL modem in my setup and am connected directly to the internet via an Asus NAT router and a Linux VPN router.
    Last edited by BlueSparrow; 29 Apr 2017 at 03:15.
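
The split described in post #5, where ping and browsers resolve through the OS resolver while nslookup queries one DNS server directly, can be checked side by side. The Python script below is an added example, not something posted in the thread; its function names and verdict labels are made up for illustration.

```python
import ipaddress, socket, struct, sys

def build_query(name, txid=0x1234):
    # Header (RD=1, one question), then QNAME, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    # Walk length-prefixed labels; a compression pointer (top bits 11) ends the name
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    qd, an = struct.unpack(">HH", msg[4:8])    # question and answer counts
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def direct_lookup(name, server, timeout=3.0):
    # One UDP query to one named server: the nslookup path
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0])

def os_lookup(name):
    # OS resolver (hosts file, resolver cache, adapter DNS): the ping/browser path
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def verdict(os_addrs, dns_addrs):
    if set(os_addrs) & set(dns_addrs):
        return "consistent"
    if any(ipaddress.ip_address(a).is_private for a in os_addrs):
        return "os-resolver-returns-private"   # the symptom shown in post #1
    return "mismatch"

if __name__ == "__main__":
    o, d = os_lookup(sys.argv[1]), direct_lookup(sys.argv[1], sys.argv[2])
    print("OS resolver:", o, "direct:", d, "->", verdict(o, d))
```

Run it with the hostname and the DNS server address as its two arguments, for example hd.se and 209.222.18.222 from the thread.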


  6. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #6

    Added network image

