
Rogue DNS Servers on the Move

Based on our internal malcode analysis, we have been able to identify netblocks of “rogue” DNS servers. These servers seem to hand out the correct answer for proper queries, but for typos they hand out a DNS server that *may* be malicious; it’s not clear to me yet. Clearly this is a concern when you have active alterations of something as fundamental as DNS, even when the actor is otherwise perfectly trustworthy.

I’ve gone through a number of our identified rogue DNS servers following the demise of Atrivo and McColo to see where they all point. They all now point to a different network, but only to a handful of servers. Shown below are some spot tests with truly random garbage thrown at them; normal DNS servers reply with an NXDOMAIN error. The DNS server is on the left-hand side and the result for a junk query is on the right.

85.255.112.109 -> 99.198.101.20
85.255.112.109 -> 99.198.101.4
85.255.112.121 -> 99.198.101.20
85.255.112.121 -> 99.198.101.4
85.255.112.123 -> 99.198.101.12
85.255.112.123 -> 99.198.101.20
85.255.112.123 -> 99.198.101.4
85.255.112.130 -> 99.198.101.20
85.255.112.130 -> 99.198.101.4
85.255.112.140 -> 99.198.101.4
85.255.112.16 -> 99.198.101.12
85.255.112.16 -> 99.198.101.20
85.255.112.16 -> 99.198.101.4
85.255.112.186 -> 99.198.101.12
85.255.112.186 -> 99.198.101.20
85.255.112.186 -> 99.198.101.4
85.255.112.205 -> 99.198.101.12
85.255.112.205 -> 99.198.101.4
85.255.112.209 -> 99.198.101.20
85.255.112.209 -> 99.198.101.4
85.255.112.220 -> 99.198.101.12
85.255.112.220 -> 99.198.101.20
85.255.112.238 -> 99.198.101.20
85.255.112.238 -> 99.198.101.4
85.255.112.26 -> 99.198.101.12
85.255.112.26 -> 99.198.101.20
85.255.112.26 -> 99.198.101.4
85.255.112.61 -> 99.198.101.12
85.255.112.61 -> 99.198.101.20
85.255.112.61 -> 99.198.101.4
85.255.112.71 -> 99.198.101.12
85.255.112.71 -> 99.198.101.20
85.255.112.71 -> 99.198.101.4
85.255.112.72 -> 99.198.101.12
85.255.112.72 -> 99.198.101.20
85.255.112.72 -> 99.198.101.4
85.255.113.107 -> 99.198.101.4
85.255.113.91 -> 99.198.101.20
85.255.114.106 -> 99.198.101.12
85.255.114.29 -> 99.198.101.4
85.255.114.53 -> 99.198.101.4
85.255.114.54 -> 99.198.101.4
85.255.114.67 -> 99.198.101.4
85.255.114.75 -> 99.198.101.4
85.255.114.88 -> 99.198.101.4
85.255.115.18 -> 99.198.101.12
85.255.115.236 -> 99.198.101.12
85.255.115.75 -> 99.198.101.12
85.255.116.119 -> 99.198.101.12
85.255.116.67 -> 99.198.101.20
85.255.116.71 -> 99.198.101.20
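
The spot test above can be reproduced with a small probe. The script below is an added example, not code from the original post: it builds a recursive A query for a random, unregistered name in RFC 1035 wire format, sends it to a resolver, and classifies the reply as NXDOMAIN (the expected answer), ANSWER (an A record was handed back for junk, the behaviour seen in the table), or OTHER. The `make_response` helper is a constructed stand-in for a resolver reply so the parser can be exercised offline; the IP it returns in the test is taken from the table above, and the function and parameter names are my own.

```python
"""Probe a resolver with a random junk name and classify its answer.

Added example (not from the original post). A well-behaved resolver answers a
query for a random, unregistered name with NXDOMAIN; a resolver that instead
returns an A record for such a name is exhibiting the wildcarding behaviour
described above. probe_resolver() needs network access; the parser and the
classifier are exercised offline against constructed replies from make_response().
"""
import random
import socket
import string
import struct


def random_junk_name(tld="com", length=20):
    # 20 random alphanumerics under a real TLD: practically guaranteed not to exist
    label = "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))
    return f"{label}.{tld}"


def encode_name(name):
    """Encode 'a.b.c' as length-prefixed labels terminated by a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(name, txid):
    """Standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label: end of name
            return off + 1
        off += 1 + length


def classify_response(data, txid):
    """Return ("NXDOMAIN", []), ("ANSWER", [ips...]) or ("OTHER", []) for a reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit not set
        raise ValueError("not a response to our query")
    if flags & 0x000F == 3:                # RCODE 3 = NXDOMAIN, the honest answer for junk
        return ("NXDOMAIN", [])
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        off = skip_name(data, off) + 4
    ips = []
    for _ in range(an):                    # walk the answer RRs, collecting A records
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ("ANSWER", ips) if ips else ("OTHER", [])


def make_response(query, rcode, ips=()):
    """Constructed resolver reply to `query` (stand-in for a real server; used offline)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                 # QR=1, RD=1, RA=1, plus the requested RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = query[12:]                  # echo the question section verbatim
    answers = b""
    for ip in ips:                         # NAME as pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


def probe_resolver(server, timeout=3.0):
    """Live check: ask `server` for a random junk name and classify the reply."""
    txid = random.randrange(0, 0x10000)
    name = random_junk_name()
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return name, classify_response(data, txid)


if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        name, (verdict, ips) = probe_resolver(server)
        print(f"{server} -> {verdict} {' '.join(ips)}  ({name})")
```

Run it with one or more resolver addresses on the command line; a resolver that reports ANSWER for a freshly generated junk name is doing exactly what the table shows, and the returned IPs are the ones worth looking up in your own logs.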

That second IP per line is actually a fully functional web server. Folks who use these DNS servers as the result of malcode will get Internet connectivity problems, just like this person. Those destination IPs all exist in an ISP named “SingleHop”; this network is otherwise not on my radar at this point, but I’ll have to keep an eye on it due to this suspicious behavior.