Periodic since 2.2 pages load blank, certs invalid
-
I'm certain no one would use DNS resolution to effect a MITM attack.
That's actually pretty common, there's a variety of malware that will do just that to individual PCs, and sometimes to exploit routers and change their DNS servers so it impacts all LAN hosts. A variety of consumer-grade routers have been susceptible to such attacks.
-
I should mention though, that when I release/renew the WAN interface, I'm not getting a new IP. I'm getting the same one. Breaking the connection seems to be what fixes it.
After the further details later in the thread, I think why that has an impact is because it's triggering a DNS cache flush in the DNS forwarder, so the poisoned replies are no longer there.
-
haha - Yeah. I know. My sarcasm wasn't obvious enough? I'll try harder.
-
haha - Yeah. I know. My sarcasm wasn't obvious enough? I'll try harder.
Oh, the sarcasm font on here must be broken, sorry. :)
-
@cmb:
I should mention though, that when I release/renew the WAN interface, I'm not getting a new IP. I'm getting the same one. Breaking the connection seems to be what fixes it.
After the further details later in the thread, I think why that has an impact is because it's triggering a DNS cache flush in the DNS forwarder, so the poisoned replies are no longer there.
I actually just asked about this here: https://forum.pfsense.org/index.php?topic=87743.0
Is that a possible scenario, because if so I have a good idea of what might be doing it then.
-
My problem was originating outside the house between the ONT and the FIOS and or google DNS servers…
Its nothing inside the network that was causing it, but hopefully its mitigated now. -
This problem is originating outside the house between the ONT and the FIOS and or google DNS servers…
Its nothing inside the network that was causing it, but hopefully its mitigated now.If I can verify that pfsense itself is seeing the incorrect IPs for DNS lookups, there's definitely nothing internal that could be causing that at all?
-
There are just too many ways to mess with DNS especially if you can't trust the network between your machine and the servers. In the end, at best you can really only make sure that the guys playing games with your network aren't common criminals because you don't own the root servers.
-
There are just too many ways to mess with DNS especially if you can't trust the network between your machine and the servers. In the end, at best you can really only make sure that the guys playing games with your network aren't common criminals because you don't own the root servers.
But I'm asking about this specifically, I need to know if what's been happening could be due to an infected machine elsewhere on my network, or if it's definitely happening due to something from WAN and beyond.
-
I don't think one machine on the network could be the problem (unless that machine is pfsense its self), at least in my case, or going to unbound+DNSSEC would have made no difference.
-
If you were affected by this, what part of the world are you in? Just curious. Interesting incident.
-
I don't think one machine on the network could be the problem (unless that machine is pfsense its self), at least in my case, or going to unbound+DNSSEC would have made no difference.
I just double checked and it looks like I never enabled DNSSEC when I changed to unbound. Does that change your answer at all?
(needless to say, it's getting turned on now)If you were affected by this, what part of the world are you in? Just curious. Interesting incident.
North East USA.
-
How about this - I will show you where the pfsense is sitting. Hows that? Check PM
-
-
The pfsense in question is in Maryland, for me.
-
By the way, I can confirm for sure that pfsense was seeing the bad DNS.
I have an alias for facebook.com
I saw this in the resolver logfilterdns: adding entry 195.22.26.248 to table Social_Test on host facebook.com195.22.26.248 is the bad IP. PFSense itself saw that when it did its update on the alias resolution.
-
https://www.virustotal.com/en/ip-address/195.22.26.248/information/
https://www.robtex.net/en/advisory/ip/195/22/26/248/
Seems like there is an associated IP block thats pretty much into everything bad.
-
https://www.virustotal.com/en/ip-address/195.22.26.248/information/
https://www.robtex.net/en/advisory/ip/195/22/26/248/
Seems like there is an associated IP block thats pretty much into everything bad.
I don't doubt that, but that doesn't answer the question as to how when using google dns and level3 dns with unbound, that legitimate sites started resolving to this IP range, unless I'm missing something.
-
No idea
-
Same thing happened to me this morning: https certs signed by lolcat, all dns inquiries not handled by pfsense directly give 195.22.26.248, and using the Google DNS and Level 3 dns servers. I was able to resolve the issue for the time being by checking the 'Allow DNS server list to be overridden by DHCP/PPP on WAN' box, which presumably switched pfsense from using the compromised/poisoned DNS server to my ISPs DNS server.
I originally thought this issue was unrelated to pfsense, and posted the issue here:https://forum.pfsense.org/index.php?topic=88238.0. But after seeing this thread, it seems like pfsense 2.2 / DNS Resolver / Unbound may be a factor?
Configuration: PFSense 2.2, DNS Resolver, GoogleDNS and Level3 as primary and secondary DNS servers respectively.
