Reverse DNS different than DNS server (reverse is a local address)

Hi all,

I just tried a reverse dns lookup on whoismydns.com for my wife's computer on a family-member's network.

Result:
DNS Server: 67.231.208.167
Reverse DNS: pub-cdns3-wlfdle-eth1.rpub.net.rogers.com
IP Owner: Rogers

Does this seem correct? I have my dns settings set on my machine and I get my expected DNS results on my machine on this family member's network. Is there any reason to be concerned here?

I had noticed a while back, before upgrades on this family member's network, that utopia.net was being used as the DNS server. It was on more than one machine that used that network. Now I'm wondering if somehow this network was routing, in a still-problematic way, but just via a local address?

I may have confused some concepts as I am just getting my feet wet with this topic of DNS servers.

If anyone has suggestions to confirm if the network is properly set up, please let me know.

Thank you,
Joseph Rocklin

On 2020-11-22 2:13 p.m., Joseph Rocklin via talk wrote:
Why are you looking up the DNS, when you want to look up your wife's computer? Look up her WAN address. Her host name should be something like cpe<router MAC>-cm<modem MAC>.cpe.net.cable.rogers.com. Host name changed to protect the guilty. ;-) She should also have IPv6 addresses.

Sorry. My wife and I are trying to discern if my BIL's network was a problem in the past. It has been the family's network. The kids and her computer in the past had routed via utopia.net when we entered in addresses or search terms. I am trying to see if there is anything wrong with my BIL's network now. I am a bit suspicious based on what I read about utopia.net. My wife wants me to find more significant findings before she allows herself to question matters. I don't know all that much except that utopia.net was noted as a malware site on many searches I've done.

Nov 22, 2020, 2:29 PM by talk@gtalug.org:
--- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk

Depending on what kind of problems you're seeing, you probably want to do a traceroute from a network where you have good performance/reliability to someplace distant (I use slashdot.org (:-)), and then again from the doubtful network.

The names you see are sometimes clear...

[davecb@miles Networking]$ traceroute slashdot.org
traceroute to slashdot.org (216.105.38.15), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  0.409 ms  0.402 ms  0.246 ms
 2  10.0.0.1 (10.0.0.1)  2.168 ms  2.784 ms  2.962 ms
 3  99.240.238.1 (99.240.238.1)  19.416 ms  14.751 ms  14.897 ms
 4  8081-dgw01.ym.rmgt.net.rogers.com (67.231.222.137)  19.446 ms  14.282 ms  14.152 ms
 5  69.63.249.221 (69.63.249.221)  19.653 ms  19.892 ms  19.737 ms
 6  209.148.235.218 (209.148.235.218)  14.454 ms  18.395 ms  18.287 ms
 7  ae58.bar3.Toronto1.Level3.net (4.59.180.41)  34.759 ms  34.188 ms  34.265 ms
 8  ae-2-3611.edge2.NewYork6.Level3.net (4.69.209.82)  40.920 ms  41.218 ms  41.547 ms
 9  * * *
10  los-edge-08.inet.qwest.net (67.14.22.202)  103.209 ms  96.349 ms  102.989 ms
11  65-126-18-126.dia.static.qwest.net (65.126.18.126)  94.487 ms  94.216 ms  83.169 ms
12  br05-te0-0-1-6.lwdc.americanis.net (207.158.62.109)  82.873 ms  82.800 ms  83.479 ms
13  ar07-te13-3.lwdc.americanis.net (209.216.192.66)  83.737 ms * *
14  216.105.38.15 (216.105.38.15)  89.270 ms  83.401 ms  83.303 ms

For example, 8081-dgw01.ym.rmgt.net.rogers.com is Rogers, etc. For missing or more obscure names, use command-line whois with the IP address:

[davecb@miles Networking]$ whois 69.63.249.221
[Querying whois.arin.net]
[whois.arin.net]
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#

NetRange:       69.63.240.0 - 69.63.255.255
CIDR:           69.63.240.0/20
NetName:        ROGERS-COM-INFR
NetHandle:      NET-69-63-240-0-1
Parent:         NET69 (NET-69-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS812
Organization:   Rogers Communications Canada Inc. (RCC-184)
RegDate:        2008-05-01
Updated:        2017-01-06
Ref:            https://rdap.arin.net/registry/ip/69.63.240.0

You will get two things:
1. Who it passes through, eg, Utopia, Bell or Rogers
2. How long it takes to get to each new network

I have a script that subtracts the lines of three sample times from one another, but eyeballs work well, too (;-))

I'd be curious to see which Utopia you get: Mumbai or Utah (;-))

--dave

On 2020-11-22 2:45 p.m., Joseph Rocklin via talk wrote:
-- 
David Collier-Brown,                 | Always do right. This will gratify
System Programmer and Author         | some people and astonish the rest
dave.collier-brown@indexexchange.com | -- Mark Twain
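Added example, not from the thread (Dave mentions a script but did not post it): a Python parser that does the per-hop subtraction over the traceroute output quoted above, which is copied verbatim as the sample input. It takes the median of the three probe times per hop, subtracts the previous responding hop's median, tolerates the `*` timeouts on hops 9 and 13, and labels each hop by the last two labels of its PTR name so the hand-off from one network to the next is visible; hops with no name, or whose name is just the address, are flagged for the whois lookup Dave suggests. The function and variable names are this example's own.

```python
import re
import statistics

# Sample input: Dave's traceroute output from this thread, copied as posted.
# Hops 9 and 13 contain "*" timeouts, which the parser must tolerate.
TRACEROUTE_OUTPUT = """\
traceroute to slashdot.org (216.105.38.15), 30 hops max, 60 byte packets
 1  _gateway (192.168.7.1)  0.409 ms  0.402 ms  0.246 ms
 2  10.0.0.1 (10.0.0.1)  2.168 ms  2.784 ms  2.962 ms
 3  99.240.238.1 (99.240.238.1)  19.416 ms  14.751 ms  14.897 ms
 4  8081-dgw01.ym.rmgt.net.rogers.com (67.231.222.137)  19.446 ms  14.282 ms  14.152 ms
 5  69.63.249.221 (69.63.249.221)  19.653 ms  19.892 ms  19.737 ms
 6  209.148.235.218 (209.148.235.218)  14.454 ms  18.395 ms  18.287 ms
 7  ae58.bar3.Toronto1.Level3.net (4.59.180.41)  34.759 ms  34.188 ms  34.265 ms
 8  ae-2-3611.edge2.NewYork6.Level3.net (4.69.209.82)  40.920 ms  41.218 ms  41.547 ms
 9  * * *
10  los-edge-08.inet.qwest.net (67.14.22.202)  103.209 ms  96.349 ms  102.989 ms
11  65-126-18-126.dia.static.qwest.net (65.126.18.126)  94.487 ms  94.216 ms  83.169 ms
12  br05-te0-0-1-6.lwdc.americanis.net (207.158.62.109)  82.873 ms  82.800 ms  83.479 ms
13  ar07-te13-3.lwdc.americanis.net (209.216.192.66)  83.737 ms * *
14  216.105.38.15 (216.105.38.15)  89.270 ms  83.401 ms  83.303 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop number>  <rest of line>"
NAME_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\)")  # "<ptr name or ip> (<ip>)"
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms")       # each answered probe; "*" yields nothing


def parse_traceroute(text):
    """Return one tuple per hop: (number, name, ip, [rtts in ms]).
    Timed-out probes are simply absent from the rtt list; a hop with no answers
    at all has name/ip None and an empty list."""
    hops = []
    for line in text.splitlines()[1:]:            # first line is the header
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        nm = NAME_RE.match(rest)
        name, ip = (nm.group(1), nm.group(2)) if nm else (None, None)
        rtts = [float(x) for x in PROBE_RE.findall(rest)]
        hops.append((number, name, ip, rtts))
    return hops


def network_of(name, ip):
    """Label a hop by the last two labels of its PTR name (rogers.com, Level3.net, ...).
    A hop with no PTR name needs a whois lookup on the address instead."""
    if name is None:
        return "no reply"
    if name == ip or name == "_gateway":
        return "unnamed (use whois %s)" % ip
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def hop_deltas(hops):
    """Per hop: (number, network label, median rtt, increase over the previous responding hop).
    Hops that never answered get None for both numbers and do not reset the baseline."""
    rows = []
    prev = 0.0
    for number, name, ip, rtts in hops:
        if not rtts:
            rows.append((number, network_of(name, ip), None, None))
            continue
        median = statistics.median(rtts)
        rows.append((number, network_of(name, ip), median, round(median - prev, 3)))
        prev = median
    return rows


def biggest_jump(rows):
    """Hop number where the added latency is largest: usually a long link or a
    hand-off into a congested network, the place to look at first."""
    responding = [r for r in rows if r[3] is not None]
    return max(responding, key=lambda r: r[3])[0]


if __name__ == "__main__":
    table = hop_deltas(parse_traceroute(TRACEROUTE_OUTPUT))
    for number, network, median, delta in table:
        med = "   -   " if median is None else "%7.3f" % median
        dlt = "   -   " if delta is None else "%+7.3f" % delta
        print("%2d  %s ms  %s ms  %s" % (number, med, dlt, network))
    print("largest jump at hop", biggest_jump(table))
```

Run it from a good network and from the doubtful one and compare the two tables: the network labels show the path, the delta column shows where the time goes, and the hop that `biggest_jump` reports is the one to whois first.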

Actually I had done a traceroute on dnschecker.org from my daughter's windows machine (on my BIL's network) after I last posted. It is attached. I think it was to either duckduckgo.com, google, or maybe another search site. I also did some ipconfig commands and recorded in some text files (then realized a better word processing program would save better). I also went to IP Tracker and ipleak.net. On IPleak.net it registered like 27 DNS addresses. When using my cell data on my own machine, I get 1 DNS address on that site. Is that at all unusual? Please let me know if those records are also useful to send.

Lastly, to clarify about utopia.net, it hasn't been popping up in the past month or so. But on my kids' machine, I would input a URL into the browser, and see in the lower LH corner 'resolving host..' and either just after or at the same time '....utopia.net'

Over the past month I also worked on my own machine. When I changed OS I found on a fresh install, my DNS was routing to utopia.net (even after not using my BIL's network). It seemed to be associated with the gigabit card. I got curious after remembering the browser texts I mentioned above, on my kids' machine. I got curious and researched utopia.net. That led to me finally doing some fiddling and I was able to change drivers and erase difficult-to-access HDD partitions, and through the command line and linux OS I got it off my machine. I did the chattr +i command for my /etc/resolv.conf and other efforts to make sure it didn't revert. It has certainly gotten me more familiar with Linux than I was.

Anyway, curious to hear your thoughts.

Thanks,
Joseph

Nov 22, 2020, 5:02 PM by talk@gtalug.org:

On Mon, Nov 23, 2020 at 01:53:26AM +0100, Joseph Rocklin via talk wrote:
https://www.reddit.com/r/antivirus/comments/7qwn93/utopianet_malware_dns_hij...

Seeing utopia.net means you have a dns hijacker either in your browser, on your computer or perhaps on your router. Something like 'hijackthis' or 'spybot search and destroy' might help to find and eliminate it if it is on the computer.

So perhaps a browser plugin has taken over dns handling in the browser. Those useless toolbars people seem to like installing often do that.

-- 
Len Sorensen

On Sun, 22 Nov 2020 20:13:19 +0100 (CET) Joseph Rocklin via talk <talk@gtalug.org> wrote:
> Hi all,

Hello
> I just tried a reverse dns lookup on whoismydns.com for my wife's computer on a family-member's network.

Okay, no. You cannot do what you said :) You can do a "forward" lookup on a name, and a "Reverse" lookup involves querying an answer for the resource number supplied in the forward lookup :) So, to add additional complexity, you can get different answers depending on whom you are asking, and even if the answer is not listed as an authority for the question, it is still, in 99.99% of questions, regarded as an answer by the inquirer (which of course is either a human or a software or nowadays also a machine (like mine)).
> Result: DNS Server: 67.231.208.167 Reverse DNS: pub-cdns3-wlfdle-eth1.rpub.net.rogers.com IP Owner: Rogers

Uhm, no. You should first ask who has authority?

#dig NS whoismydns.com
whoismydns.com.         21599   IN      NS      ns1.whoismydns.com.
whoismydns.com.         21599   IN      NS      ns2.whoismydns.com.

and then

#dig @ns1.whoismydns.com whoismydns.com
whoismydns.com.         86400   IN      A       35.165.244.131

Then, you can do a reverse lookup:

131.244.165.35.in-addr.arpa domain name pointer ec2-35-165-244-131.us-west-2.compute.amazonaws.com.
> Does this seem correct? I have my dns settings set on my machine and I get my expected DNS results on my machine on this family member's network. Is there any reason to be concerned here?
> I had noticed a while back, before upgrades on this family member's network, that utopia.net was being used as the DNS server. It was on more than one machine that used that network. Now I'm wondering if somehow this network was routing, in a still-problematic way, but just via a local address?
> I may have confused some concepts as I am just getting my feet wet with this topic of DNS servers.
> If anyone has suggestions to confirm if the network is properly setup, please let me know.

Okay, not sure what it is you need to know... I think you need to edit this, as a step one:

vim /etc/resolv.conf

imho, remove everything and add Google as your DNS provider :)

nameserver 8.8.4.4
nameserver 8.8.8.8

This will maybe/probably help you?

You can also check that vim /etc/nsswitch.conf says:

hosts: dns files
networks: dns files

unless of course you have custom resources in your hosts for certain names, in my case for example, I hardcode a LOT of domains, so that I hardly ever do any DNS lookups (DNS is disabled on my personal system) so, of course I have to use files and then dns...

hth
Andre

> Thank you, Joseph Rocklin,
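Added example that is not part of the thread: a small resolver audit in Python that ties Len's point (a hijacker may have silently changed where lookups go) to the two files Andre names. It parses resolv.conf and nsswitch.conf, reports every nameserver that is not on an allowlist the network owner supplies (the router, the ISP's resolvers, or public ones such as 8.8.8.8), and reports a hosts line that never consults dns. The sample files, the allowlist and the function names are constructed for this example; 203.0.113.53 is a documentation-range address standing in for a resolver nobody on the network configured. It does not check the chattr +i attribute Joseph set; lsattr covers that.

```python
# Constructed sample files for the example; not copied from any real machine.
RESOLV_CONF_SUSPECT = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.0.1
nameserver 203.0.113.53
options timeout:2
"""

RESOLV_CONF_CLEAN = """\
nameserver 8.8.4.4
nameserver 8.8.8.8
"""

NSSWITCH_CONF = """\
passwd:   files
hosts:    files dns
networks: dns files
"""

NSSWITCH_NO_DNS = """\
hosts: files
"""


def parse_resolv_conf(text):
    """Return the nameservers and search domains in resolv.conf text, ignoring comments."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "nameserver":
            nameservers.append(value.strip())
        elif key in ("search", "domain"):
            search.extend(value.split())
    return {"nameservers": nameservers, "search": search}


def parse_nsswitch(text):
    """Map each nsswitch.conf database (hosts, networks, ...) to its ordered source list."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, sources = line.partition(":")
        databases[db.strip()] = sources.split()
    return databases


def audit_resolvers(resolv_text, nsswitch_text, expected_nameservers):
    """Return a list of findings; an empty list means nothing unexpected was seen.
    expected_nameservers: the resolver addresses the network owner intends to use."""
    findings = []
    rc = parse_resolv_conf(resolv_text)
    if not rc["nameservers"]:
        findings.append("no nameserver configured")
    for ns in rc["nameservers"]:
        if ns not in expected_nameservers:
            findings.append("unexpected nameserver %s" % ns)
    hosts = parse_nsswitch(nsswitch_text).get("hosts", [])
    if "dns" not in hosts:
        findings.append("nsswitch 'hosts' never consults dns: %s" % " ".join(hosts))
    return findings


def audit_system(expected_nameservers,
                 resolv_path="/etc/resolv.conf", nsswitch_path="/etc/nsswitch.conf"):
    """Same audit over the live files of the machine this runs on."""
    with open(resolv_path) as r, open(nsswitch_path) as n:
        return audit_resolvers(r.read(), n.read(), expected_nameservers)


if __name__ == "__main__":
    expected = {"192.168.0.1", "8.8.8.8", "8.8.4.4"}   # constructed allowlist
    for label, text in (("suspect", RESOLV_CONF_SUSPECT), ("clean", RESOLV_CONF_CLEAN)):
        print(label, audit_resolvers(text, NSSWITCH_CONF, expected) or ["ok"])
```

A resolv.conf that keeps growing back a nameserver you did not put there is the symptom Joseph describes; running the audit after each reboot (or comparing its output between the family network and cell data) shows whether the change comes from the machine or from what the network hands out.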

I have no time for a careful answer. But it is important that you understand these points:

- DNS is a distributed tree, with nodes that are authoritative for particular domains.

- there is caching (recursive servers) if you trust them (almost always one does). Unless you are using DNSSec, the caching server can lie, sometimes usefully.

- the forward domain is technically unrelated to the reverse domain. The forward domain lookup uses a conventional domain name as the key. The reverse lookup uses the IP address (in a funny format) as the key.

- Reverse example: to look up the reverse for IPv4 address 1.2.3.4, your system actually queries 4.3.2.1.in-addr.arpa. I think you can see how that is constructed.

- the reverse domain is a mystery to most people (because it mostly doesn't matter to most users). If you run a mail server, it does matter.

- whoever provided you with your IP address controls the reverse domain for that IP address. Generally, if you pay for a static IP address, they will let you specify what you want them to put in the reverse domain for that IP address. Most ordinary consumers don't have static addresses and are not given a say in what the reverse says.

- if your provider provides you with a CIDR of network addresses, static, they may delegate the reverse domain for that CIDR to a DNS of your choosing. This is not the normal home case.

On Mon, 23 Nov 2020 09:20:57 -0500 (EST) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
> I have no time for a careful answer. But it is important that you understand these points:

I can also spend a few minutes to add to the points below, if that helps anyone...

> - DNS is a distributed tree, with nodes that are authoritative for particular domains.

Yes, and not at all - names = not so much, possibly, a little like a one or two branch tree - numbers = always four or six "branches".

DNS is mostly a fixed single easy thing (although you do get weird 'trees' like de.li.cio.us (or whatever that was)). For names it could resemble a tree with one, sometimes two or three branches, hardly ever more than that... (in theory it could have millions of branches - but IRL (in real life) two or three...)

An example would be example.com: .com says which NS server(s) is/are authoritative for example. That NS server(s) may further say where www.example.com is, but not often do you find www.www.www.www.example.com (although you could, in theory, have a "tree", I guess...)

For numbers though, the delegation is only 4 "branches" deep for ipv4 and 6 "branches" deep for ipv6 - unless you count the main .in-addr.arpa as another two?

So, DNS may be a bit like a very small bonsai? hehehehe
> - there is caching (recursive servers) if you trust them (almost always one does). Unless you are using DNSSec, the caching server can lie, sometimes usefully.

> - the forward domain is technically unrelated to the reverse domain.

yes, reverse and forward lookups are not related, but when they match, as in for use as an email server, this is another layer in the onion of trust. And, technically, it is ALL forward lookups (even a reverse lookup :) the 'reverse' is actually you/inquirer 'reversing' the number and adding .in-addr.arpa).
> The forward domain lookup uses a conventional domain name as the key.

You can have 192.168.1.100.com - so the only 'convention' is that forward and reverse both have 'sub domains'; it is all really 'forward' lookups :)

forward works from the back: 123 -> com for 123.com
reverse works by "reversing the number" and adding .in-addr.arpa: 192.168.1.1 -> 192 for 168, so: 1.2.168.192.in-addr.arpa

for example: dig NS 136.100.in-addr.arpa tells you how 136.100 is delegated, etc etc.
> The reverse lookup uses the IP address (in a funny format) as the key.

not so funny, just the normal ip number format, but the reverse is from the start of the number and not the end
> - Reverse example: to lookup the reverse for IPv4 address 1.2.3.4, your system actually queries 4.3.2.1.in-addr.arpa. I think you can see how that is constructed.

yes, this is all it is :)
> - the reverse domain is a mystery to most people (because it mostly doesn't matter to most users). If you run a mail server, it does matter.
> - whoever provided you with your IP address controls the reverse domain for that IP address. Generally, if you pay for a static IP address, they will let you specify what you want them to put in the reverse domain for that IP address. Most ordinary consumers don't have static addresses and are not given a say in what the reverse says.

if whoever provided you with the number did not hijack it from somewhere and it is in fact properly delegated, then they could, in their own auth NS, add whatever 'name' you like to the IP number :)

> - if your provider provides you with a CIDR of network addresses, static, they may delegate the reverse domain for that CIDR to a DNS of your choosing. This is not the normal home case.
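Added example, not from the thread: Python showing the in-addr.arpa construction Hugh and ac describe, and the forward-confirmed check that Andre's dig-then-reverse sequence and ac's "onion of trust" remark lead to (the PTR name for an address must itself resolve back to that address, which is what mail servers are judged on). reverse_name() goes beyond the thread by also handling IPv6, where the 32 hex nibbles of the expanded address are reversed under ip6.arpa; the result is cross-checked against the standard library's reverse_pointer. forward_confirmed() takes the two lookups as callables so that it runs offline here against constructed tables: the 35.165.244.131 / ec2-... pair is the one in Andre's output, the example.* entries are made up, and all function names are this example's own.

```python
import ipaddress


def reverse_name(addr):
    """Name queried for a PTR lookup. IPv4 1.2.3.4 -> 4.3.2.1.in-addr.arpa, as Hugh
    describes; IPv6 reverses the 32 nibbles of the expanded address under ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")       # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(addr):
    """Cross-check our construction against ipaddress's own reverse_pointer."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer


def address_from_reverse_name(name):
    """Inverse of reverse_name: recover the address from an in-addr.arpa / ip6.arpa name."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return str(ipaddress.ip_address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"]:
        hexdigits = "".join(reversed(labels[:-2]))
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.ip_address(":".join(groups)))
    raise ValueError("not a reverse-zone name: %s" % name)


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: some PTR name for ip must have an address
    record pointing back to ip. ptr_lookup(ip) -> [names]; a_lookup(name) -> [addresses].
    Both are injected so the check runs offline here and against a real resolver in use."""
    return any(ip in a_lookup(name) for name in ptr_lookup(ip))


# Constructed lookup tables standing in for a resolver. The first pair is the one
# Andre's dig output shows; the example.* entries are made up for the failing case.
PTR_TABLE = {
    "35.165.244.131": ["ec2-35-165-244-131.us-west-2.compute.amazonaws.com"],
    "192.0.2.10": ["mail.example.net"],
    "192.0.2.20": ["mx.example.org"],
}
A_TABLE = {
    "ec2-35-165-244-131.us-west-2.compute.amazonaws.com": ["35.165.244.131"],
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.7"],   # PTR names it, but its A record points elsewhere
}


def check_table(ip):
    """forward_confirmed() run against the constructed tables above."""
    return forward_confirmed(ip,
                             lambda i: PTR_TABLE.get(i, []),
                             lambda n: A_TABLE.get(n, []))


if __name__ == "__main__":
    for a in ("1.2.3.4", "35.165.244.131", "2001:db8::1"):
        print(a, "->", reverse_name(a), "(stdlib agrees)" if matches_stdlib(a) else "(MISMATCH)")
    for ip in PTR_TABLE:
        print(ip, "forward-confirmed:", check_table(ip))
```

To use forward_confirmed against real DNS, pass callables that wrap your resolver (for example, one that runs dig -x and one that runs dig A); the check itself does not change. A mismatch, as with 192.0.2.20 here, is exactly the case ac means when the two lookups do not "match".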
participants (6)
- ac
- D. Hugh Redelmeier
- Dave Collier-Brown
- James Knott
- Joseph Rocklin
- lsorense@csclub.uwaterloo.ca