Have I been DNS Hijacked?

Soldato | Joined 11 Jun 2004 | Posts 4,201 | Location Middlesex, London
Hi all,

I noticed a couple of websites like eBay were not loading properly... upon further checking I logged into my ASUS router and noticed that my WAN DNS IP was:

185.117.75.242

I have never noticed this and my ISP is Plusnet.

....so the obvious question is ....am I in trouble?

Thx
 
Joined 1 Oct 2006 | Posts 13,894
Well Plusnet's DNS servers are:

Primary 212.159.13.49
Secondary 212.159.13.50

https://www.plus.net/help/broadband/about-dns-server-and-website-settings/

And that IP is in a Dutch IP block, registered in the Arab Emirates.

https://ipinfo.io/AS60117/185.117.75.0/24

It belongs to a VPS hosting company called Host Sailor. So I suspect someone has configured a rogue DNS server on a VPS, taken full advantage of Asus's terrible router security and updated your settings to point there.

In short, get a better router. :)
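The check the reply above performs by hand (compare the router's WAN DNS against the ISP's published resolvers) as an added Python example that is not part of the thread; the Plusnet addresses and the observed 185.117.75.242 are taken from the posts, and the "known public" list is my own assumption about resolvers a user might have set deliberately.

```python
import ipaddress

# Constructed from the thread: Plusnet's published resolvers (from the reply)
# and the WAN DNS address the OP found on the router.
PLUSNET_DNS = {"212.159.13.49", "212.159.13.50"}
OBSERVED_ROUTER_DNS = ["185.117.75.242"]

# Assumption: well-known public resolvers are usually a deliberate choice,
# not a hijack, but still worth confirming with whoever set up the router.
KNOWN_PUBLIC_DNS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_resolver(addr, trusted, known_public=KNOWN_PUBLIC_DNS):
    """Return a verdict for one resolver address as the router reports it."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"        # blank or garbage: the field is not an IP at all
    if str(ip) in trusted:
        return "isp"            # matches the ISP's published resolvers
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"          # the router itself or a LAN resolver (e.g. Pi-hole)
    if str(ip) in known_public:
        return "known-public"
    return "unknown"            # routable, not the ISP's, not a well-known service


def audit_resolvers(observed, trusted, known_public=KNOWN_PUBLIC_DNS):
    """Classify every configured resolver; returns a list of (addr, verdict)."""
    return [(a, classify_resolver(a, trusted, known_public)) for a in observed]


def suspicious(observed, trusted, known_public=KNOWN_PUBLIC_DNS):
    """Addresses that warrant investigation: unknown or invalid entries."""
    return [a for a, v in audit_resolvers(observed, trusted, known_public)
            if v in ("unknown", "invalid")]


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(OBSERVED_ROUTER_DNS, PLUSNET_DNS):
        print(f"{addr:>16}  {verdict}")
```

Any "unknown" verdict is the case in this thread: a routable address that belongs to neither the ISP nor a resolver you chose yourself.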
 
Joined 1 Oct 2006 | Posts 13,894
Scenario: I'm going to "thissiteItrust.com", and the hijacked DNS server directs Virdi's machine to a copy of the site full of malicious junk and things. It can also be used to inject ads into everything he browses, as well as a slew of other undesirable actions.

Compromise DNS, and you can do a lot of damage.

I doubt he was targeted specifically, probably just a bot crawling home IP ranges attempting to find vulnerable routers. Once found, it probably then hands the IP/user/pass to another bot to do with what it wants.
 
Soldato | Joined 1 Jun 2013 | Posts 9,315
What are the potential consequences of getting DNS jacked?

And why would some random from the UAE want to direct Virdi from the south and his router to a Dutch hosting company?

It means any request to any website that requires a DNS lookup can be redirected. You can use it to direct traffic for advertising hits, or to a malicious website to perform a man-in-the-middle for things like stealing bank details. Any sensible web browser or network anti-virus should flag up HTTPS certificate failures, if you're using HTTPS.

Depending which Asus router the OP has, he should look at installing a Merlin firmware or fork for added security.
 