jcisco Posted June 19, 2015

I need some assistance investigating a setting that is coming from True when the ADSL router connects. The system is now sending down primary and secondary DNS server addresses via DHCP. You will need to log in to your router to check these. The addresses I am receiving are very strange; before I delve too far into this I want to compare against what others have available:

Primary: 139.162.5.51
Secondary: 8.8.8.8

Note that both addresses are outside of any of True's ASes as I know them, and one is one of the Google public DNS servers. The first one in question is currently in the AS of a cloud application provider. Transcripts below. Note the return is not from APNIC but a legacy RIPE response, and is apparently in Singapore at this time. My interest in the address is more a question of what application is at that IP address and why True would have changed it to this, away from their very specific and functional internet DNS servers. I'd appreciate it if anyone can give me their DHCP assignment, or say if they aren't receiving one. Cheers.

% APNIC found the following authoritative answer from: whois.ripe.net
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '139.162.0.1 - 139.162.31.255'
% Abuse contact for '139.162.0.1 - 139.162.31.255' is '[email protected]'
inetnum: 139.162.0.1 - 139.162.31.255
netname: LINODE-AP
descr: Linode, LLC
country: SG
admin-c: TA2589-RIPE
tech-c: LA538-RIPE
status: LEGACY
remarks: This block is used for static customer allocations
remarks: Please send abuse reports to [email protected]
mnt-by: LINODE-LEG-MNT
created: 2015-01-31T05:10:06Z
last-modified: 2015-01-31T05:10:54Z
source: RIPE # Filtered
person: Linode Abuse Support
address: 329 E. Jimmie Leeds Road, Suite A, Galloway, NJ 08205, USA
phone: +16093807100
abuse-mailbox: [email protected]
nic-hdl: LA538-RIPE
mnt-by: Linode-mnt
created: 2009-11-11T15:16:50Z
last-modified: 2014-08-15T15:19:27Z
source: RIPE # Filtered
person: Thomas Asaro
address: 329 E. Jimmie Leeds Road, Suite A, Galloway, NJ 08205, USA
phone: +16093807504
nic-hdl: TA2589-RIPE
mnt-by: Linode-mnt
created: 2009-11-02T17:17:56Z
last-modified: 2014-11-20T18:51:15Z
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.79.2 (DB-4)
sfokevin Posted June 19, 2015

My True router has DNS server set to 203.144.206.29 & 203.144.206.49
KhunBENQ Posted June 19, 2015

Second one (8.8.8.8) is the well known Google DNS. Quite surprising. Are you sure that your network configuration is set to automatically configure the DNS server (by DHCP), or do you have some SW that provides the "best" DNS servers?
jcisco (Author) Posted June 19, 2015

No, the router is being set by DHCP, and before I bother to build a quick tap so I can confirm it via trace, I wanted to verify it was in fact irregular. My guess at this point is that it has indeed been set by True, and they have some serious questions to answer for, since they are essentially sending customer browsing data to a third party. Or the router has been hacked and I need to go through the process of getting the image of the router off to the community to figure out what is going on. Other than attempting to have the customer at the IP in question reassigned at the very least, I'm not sure, but it is all very suspect. And I suspect having that IP address blocked by the Junta would be impossible unless it's actually returning a contrary opinion, which at this point, it is not.
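As an added example (not code from any poster), here is the kind of check jcisco describes wanting before building a tap: a small Python script that walks the options of a DHCP lease, pulls out option 6 (DNS servers) and flags any resolver outside the prefixes you expect your ISP to use. The option bytes are constructed, and the expected prefix list (using the 203.144.206.x range another poster reported) is an assumption to maintain per ISP.

```python
import ipaddress

# Constructed DHCPACK option bytes (the part after the fixed header and magic
# cookie) as a router's WAN side might receive them. Option 53 = message type
# (5 = ACK), 54 = server identifier, 6 = DNS servers, 255 = end.
SAMPLE_OPTIONS = (
    bytes([53, 1, 5])
    + bytes([54, 4, 10, 0, 0, 1])
    + bytes([6, 8, 139, 162, 5, 51, 8, 8, 8, 8])   # the two addresses from the thread
    + bytes([255])
)

# Prefixes the ISP's own resolvers are expected to sit in. 203.144.206.0/24 is
# taken from another poster's router; the list is an assumption to maintain per ISP.
EXPECTED_DNS_PREFIXES = [ipaddress.ip_network("203.144.206.0/24")]


def parse_dhcp_options(data):
    """Walk the TLV option list and return {option_code: value_bytes}."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:            # end option: nothing follows
            break
        if code == 0:              # pad option: single byte, no length
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def dns_servers(options):
    """Option 6 is a list of 4-byte addresses; ignore any trailing partial address."""
    raw = options.get(6, b"")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def unexpected_dns(servers, allowed=EXPECTED_DNS_PREFIXES):
    """Return the assigned resolvers that fall outside every expected prefix."""
    return [s for s in servers if not any(ipaddress.ip_address(s) in net for net in allowed)]


if __name__ == "__main__":
    assigned = dns_servers(parse_dhcp_options(SAMPLE_OPTIONS))
    print("DHCP-assigned DNS:", assigned)
    for server in unexpected_dns(assigned):
        print("WARNING: resolver outside the ISP's expected ranges:", server)
```

On a real capture, feed it the bytes following the DHCP magic cookie of the ACK seen on the WAN side; a non-empty warning list is the signal to compare against what the ISP actually publishes.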
innerspace Posted June 19, 2015

> they have some serious questions to answer for. Since they are essentially sending customer browsing data to a third party.

Got to laugh!

1) If True were NOT sending customer browsing data to a 3rd party (or many) then I would complain... That they are doing their fundamental basic primary job as an internet service provider sounds good to me!

2) When did you last set up and maintain a DNS server (or servers) supporting millions of users? It takes a lot of resources, servers, staff and bandwidth. By using 3rd party DNS they eliminate 2 of those. Many users may not tell the difference, but a good percentage of Thai internet outages are not internet related but simply the ISP DNS server having issues (clue: if Skype or torrents work but not web, likely DNS). Fair play if True have done this; it lets their engineers focus efforts better and improves service for customers. All my staff have been on Google DNS for years.

3) If you have any concern about who provides your DNS, you would run your own server or at least set your own config. You would not be using True DHCP provided settings. If you don't trust Google DNS, why on earth would you have trusted True?
jcisco (Author) Posted June 19, 2015 (edited)

I forgot to mention it isn't actually a DNS server; when you look at it on port 80 it returns an NGINX server page, and yet for a DNS query:

nslookup google.com 139.162.5.51
Server: UnKnown
Address: 139.162.5.51

*** UnKnown can't find google.com: Query refused

EDIT: Sorry, I meant to say the server is not a public DNS server. It is open on that port, it's just not replying to any queries.

Edited June 19, 2015 by jcisco
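An added example, not from the thread, showing what jcisco's nslookup result means on the wire: a Python helper that builds the A-record query and classifies a reply by its response code and any A records it carries, so a REFUSED (rcode 5) answer can be told apart from a resolver that simply does not answer. Both replies below are constructed; the 203.0.113.10 answer is a documentation address, not a real lookup result.

```python
import ipaddress
import struct
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """Minimal recursive A-record query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN

def skip_name(data, pos):
    """Return the offset just past a possibly compressed name starting at pos."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def classify_response(query, response):
    """Map a reply to (rcode name, [A records]); short or mismatched replies are flagged."""
    if len(response) < 12:
        return ("MALFORMED", [])
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return ("MISMATCH", [])
    rcode = RCODE_NAMES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):                 # skip echoed question(s): name + type + class
        pos = skip_name(response, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(response[pos:pos + 4])))
        pos += rdlen
    return (rcode, addrs)

# Constructed replies to one query, standing in for the two behaviours seen in the thread.
QUERY = build_query("google.com")
# REFUSED: QR=1 RD=1 RA=1 RCODE=5, question echoed, no answer records.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUERY[12:]
# NOERROR with one A record; owner name is a pointer (0xC00C) to the question name at offset 12.
ANSWER_RR = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
ANSWER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:] + ANSWER_RR
```

To use it against a live resolver, send QUERY over UDP port 53 and pass the received datagram as the response; a REFUSED verdict from one network and NOERROR from another points at a source-address ACL on the server rather than a dead service.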
RichCor Posted June 19, 2015 (edited)

This is a True ADSL router? Is the router web setup accessed using a "True" provided universal password, or a unique password for that unit? Can you access the router and specify the DNS entries manually? (On ADSL modems, this is usually the case.)

WAN ports can use ISP DHCP to request an IP lease that includes DNS entries, unless those entries are entered manually. It's known that compromised websites can send a background JavaScript and, using common ISP router name/pass, change the DNS so that an attacker can 'own' your outgoing request traffic and redirect it at will. Also, some attackers will reflash the modem firmware using your own computer.

Edited June 19, 2015 by RichCor
innerspace Posted June 19, 2015

Ok, valid point (not checked, on phone)... if so, something suspicious, but most of my last post is still valid. Running a random server as primary DNS and Google as secondary: not heard of it, but clever. Almost all routers send 2 DNS for the reason of backups: try one, if errors try the other. For the end user nothing is noticed; all requests go through (2nd attempt via Google, but no errors shown). For the random Linode server, see no traffic but see lots of site requests. My guess would be compromised routers; lots on default passwords here. Had issues with True fibre refusing to change the pass before too.
jcisco (Author) Posted June 19, 2015

> they have some serious questions to answer for. Since they are essentially sending customer browsing data to a third party.
>
> Got to laugh! 1) If True were NOT sending customer browsing data to a 3rd party (or many) then I would complain... That they are doing their fundamental basic primary job as an internet service provider sounds good to me! 2) When did you last set up and maintain a DNS server (or servers) supporting millions of users? It takes a lot of resources, servers, staff and bandwidth. By using 3rd party DNS they eliminate 2 of those. Many users may not tell the difference, but a good percentage of Thai internet outages are not internet related but simply the ISP DNS server having issues (clue: if Skype or torrents work but not web, likely DNS). Fair play if True have done this; it lets their engineers focus efforts better and improves service for customers. All my staff have been on Google DNS for years. 3) If you have any concern about who provides your DNS, you would run your own server or at least set your own config. You would not be using True DHCP provided settings. If you don't trust Google DNS, why on earth would you have trusted True?

Indeed I've got a bit of a laugh on, since I did not state I am actually utilizing the router's DHCP; I said the router is being set via DHCP. That means that anyone that receives DHCP settings from it may be using that IP address.

1: They are sending your IP address and the contents of the query. This is, for example, used when logging for sale to advertisers.

2: When did you, and as a matter of fact, have you ever set up and maintained a zone at all? I have, but let's not compare our e-dicks, shall we. Utilizing multiple DNS servers and recursive forwarders should mitigate DNS problems, and makes it even easier to monitor if it is DNS problems causing your network issues. A key way to ensure fast internet service is high performance DNS caching and recursive replies to your customers; using off-site DNS for an ISP is insanity. The extra latency internally on your own network services would be substantial, and putting all that information in the public DNS, errr, not likely.

3: You didn't ask, you didn't read. I think you are overestimating your ability to comprehend when you read and my level of competence. Thank you, I find your reply actually a time waster.
RichCor Posted June 19, 2015

139.162.  5. 51 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0.023 | 0.081 | 0.170 | 0.040 | 100.0 |
- Uncached Name | 0.082 | 0.294 | 1.033 | 0.194 |  98.0 |
- DotCom Lookup | 0.053 | 0.131 | 0.202 | 0.044 | 100.0 |
---<-------->---+-------+-------+-------+-------+-------+
li847-51.members.linode.com
LINODE-AP Linode, LLC,SG

203.113. 24.199 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0.020 | 0.084 | 0.189 | 0.046 | 100.0 |
- Uncached Name | 0.079 | 0.296 | 0.934 | 0.167 |  98.0 |
- DotCom Lookup | 0.053 | 0.139 | 0.255 | 0.049 | 100.0 |
---<-------->---+-------+-------+-------+-------+-------+
dns1.totbb.net
TOTNET-TH-AS-AP TOT Public Company Limited,TH

202. 44.204. 36 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0.017 | 0.085 | 0.179 | 0.047 | 100.0 |
- Uncached Name | 0.050 | 0.220 | 0.486 | 0.123 | 100.0 |
- DotCom Lookup | 0.049 | 0.253 | 0.402 | 0.108 | 100.0 |
---<-------->---+-------+-------+-------+-------+-------+
nscache1.nectec.or.th
PUBNET-TH-AS Thailand Public backbone Network,TH

139.162.5.51 came back as a valid (and quick) DNS name server. Just DNS and HTTP service running. No known hosts running on the same IP.
NeverSure Posted June 19, 2015

That 139. IP returns Singapore for me with no other info but this: li847-51.members.linode.com
jcisco (Author) Posted June 19, 2015

Strange, it's refusing my queries. Thanks for checking too.