
Author Topic: Answered: Single website redirecting to GoodMayor  (Read 462 times)


Offline Crlaozwyn

  • Newbie
  • *
  • Posts: 15
  • Karma: +10/-2
    • View Profile
Re: Unanswered: Single website redirecting to GoodMayor
« Reply #15 on: February 01, 2018, 02:01:04 pm »
Needless to say chasing something nasty around a local network is not something new.

I would start off by removing everything from the network. (Physically unplugging network connections and removing all wireless APs)

Change the default subnet of LAN and connect one device at a time, individually until the culprit rears its ugly head.

I happen to be on paternity leave right now and could DEFINITELY use a project ;) I'll report back what I find... Thanks for a practical tip on how to isolate this more thoroughly than I've done so far.

Online johnpoz

  • Hero Member
  • *****
  • Posts: 15094
  • Karma: +1408/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Unanswered: Single website redirecting to GoodMayor
« Reply #16 on: February 01, 2018, 02:23:52 pm »
So you're saying when you point your client at 8.8.8.8 the redirect does not happen.  But when you let pfsense do dns it happens.  Well, pfsense out of the box resolves, it does not forward.  If some domain is poisoned that could be a problem, especially if that domain is not dnssec signed.

Why don't you just turn unbound into forwarder and forward to 8.8.8.8... 

;; QUESTION SECTION:
;www.torrent-invites.com.       IN      A

;; ANSWER SECTION:
www.torrent-invites.com. 14400  IN      CNAME   torrent-invites.com.
torrent-invites.com.    604800  IN      A       190.2.131.62

That is a really long TTL!!!  That is normally a sign of something wrong!!!

When I ask 8.8.8.8 I get a different answer

;; QUESTION SECTION:
;www.torrent-invites.com.       IN      A

;; ANSWER SECTION:
www.torrent-invites.com. 1361   IN      CNAME   torrent-invites.com.
torrent-invites.com.    1361    IN      A       99.198.107.205

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 01 14:08:15 Central Standard Time 2018
;; MSG SIZE  rcvd: 82

When I do a trace I get this

;; Received 605 bytes from 192.12.94.30#53(e.gtld-servers.net) in 47 ms

www.torrent-invites.com. 604800 IN      A       190.2.131.62
ww9.torrent-invites.com. 604800 IN      A       166.78.101.108
*.torrent-invites.com.  604800  IN      A       190.2.131.62
torrent-invites.com.    604800  IN      A       190.2.131.62
;; Received 122 bytes from 190.2.131.63#53(ns2.torrent-invites.com) in 121 ms

So what do you get when you try and resolve it from pfsense?


Look, when you go to the IP that dns is sending you're getting a redirect 302 to goodmayor - see attached pic..

That has nothing to do with pfsense, and everything to do with their dns being bad..  Pfsense resolves out of the box.. Untangle most likely forwards.. See what happens when the cache expires on the google entry..

edit: check here you can see some dns from all over showing this as bad..
https://www.whatsmydns.net/#A/torrent-invites.com

Yeah there is a problem with their dns - it's been hijacked... I show the NS should be

ns1.torrent-invites.info and ns2.torrent-invites.info not .com... nor an SOA pointing to dns.xzydns.com

If they do not fix this it is going to spread... Once the NS ttls expire and places start resolving this and get pointed to the wrong NS.. you're going to end up with that redirect..



« Last Edit: February 01, 2018, 02:38:26 pm by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
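
Added example, not part of the post above or of pfSense: a small Python check that automates the comparison made in Reply #16, parsing two dig answer sections and flagging address records that differ between resolvers and TTLs that are unusually long. The sample input is the dig output quoted in the post; the one-day `LONG_TTL` threshold and all function names are assumptions of this example.

```python
import re

# Answer sections copied from the two dig outputs quoted in the post above.
FIRST_ANSWER = """\
www.torrent-invites.com. 14400  IN      CNAME   torrent-invites.com.
torrent-invites.com.    604800  IN      A       190.2.131.62
"""
GOOGLE_ANSWER = """\
www.torrent-invites.com. 1361   IN      CNAME   torrent-invites.com.
torrent-invites.com.    1361    IN      A       99.198.107.205
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
LONG_TTL = 86400  # assumption: treat one day or more as worth a second look


def parse_answer(text):
    """Return (name, ttl, rtype, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig's ';' comment/question lines
        match = RR_LINE.match(line)
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records


def addresses(records):
    """Set of (name, type, address) for A/AAAA records, ignoring TTL."""
    return {(n, t, d) for n, _, t, d in records if t in ("A", "AAAA")}


def compare(checked_text, reference_text, long_ttl=LONG_TTL):
    """List address mismatches between two resolvers and long TTLs in the first."""
    checked, reference = parse_answer(checked_text), parse_answer(reference_text)
    findings = []
    for name, rtype, rdata in sorted(addresses(checked) - addresses(reference)):
        findings.append(f"MISMATCH {name} {rtype} {rdata} only from checked resolver")
    for name, rtype, rdata in sorted(addresses(reference) - addresses(checked)):
        findings.append(f"MISMATCH {name} {rtype} {rdata} only from reference resolver")
    for name, ttl, rtype, _ in checked:
        if ttl >= long_ttl:
            findings.append(f"LONG_TTL {name} {rtype} ttl={ttl}")
    return findings


if __name__ == "__main__":
    print("\n".join(compare(FIRST_ANSWER, GOOGLE_ANSWER)))
```

Differing A records alone are normal for CDN or geo-balanced names, so a mismatch is a prompt to check the delegation (NS and SOA) as the post does, not a verdict by itself.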

Offline Crlaozwyn

Re: Unanswered: Single website redirecting to GoodMayor
« Reply #17 on: February 01, 2018, 03:23:20 pm »
@johnpoz you're brilliant! Thank you, thank you!

Where did you access that Q/A section? I've poked around but I'm over two years behind on releases (was running 2.2.4 until this week). The DNS link was also very helpful. Thank you for disproving my earlier statement that the site itself was irrelevant.

@Derelict - my apologies. You were right, I was wrong. Still don't like your style ;) but you were definitely right that the site itself was relevant in this case.

Considering this closed. Looks like I didn't need to drop a few hundred bucks on new router hardware *coughs* I've had my eyes on an upgrade for a while anyways.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9763
  • Karma: +1103/-311
    • View Profile
Re: Answered: Single website redirecting to GoodMayor
« Reply #18 on: February 01, 2018, 03:30:19 pm »
See how easy that was after you took off your tinfoil hat?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline Crlaozwyn

Re: Answered: Single website redirecting to GoodMayor
« Reply #19 on: February 01, 2018, 03:35:26 pm »
See how easy that was after you took off your tinfoil hat?

:p Thankful for a resolution and still find your style abrasive. I know most everyone (if not everyone) here is a volunteer and I'm incredibly thankful for the sacrifice of time and knowledge. Still, more flies with honey than vinegar and all that. However I'll never know why anyone would want to collect flies.

Offline Derelict

Re: Answered: Single website redirecting to GoodMayor
« Reply #20 on: February 01, 2018, 04:52:20 pm »
And what I suggested in reply #1 was exactly what johnpoz ended up doing a WHOLE DAY AND A HALF later after you decided to cough up the domain name.

I am thankful for people who don't waste our time with needless nonsense.

Offline Crlaozwyn

Re: Answered: Single website redirecting to GoodMayor
« Reply #21 on: February 01, 2018, 06:17:02 pm »
<Sigh> I bet you're a blast at parties. Your inability to calculate the passage of time may inadvertently cause you to overstay your welcome though...

I'm considering the thread closed as the problem has been solved. Your time is doubtlessly quite valuable. Thanks for your help. My inability to fully grasp your original suggestion is entirely on me and, had I understood it, I could have saved some time of some of the good folks who help around here. As previously mentioned, network troubleshooting is my Achilles heel.

EDIT: Also, thanks for the -karma. Glad you could be my first.
« Last Edit: February 01, 2018, 06:36:48 pm by Crlaozwyn »

Online johnpoz

Re: Answered: Single website redirecting to GoodMayor
« Reply #22 on: February 02, 2018, 06:19:36 am »
I find it highly unlikely Derelict smited you.. He doesn't care about the smites.. Not exactly sure why you're mad at him.. He asked you for the domain - without that it would be impossible to help you figure out what is wrong..

Someone might want to try and contact the owner of the site and let him know his dns has been hijacked..  If you check that dns link I gave - it's spreading ;)  And even when they fix it it's going to take a week for it to clear up for everyone since they set that long ttl.. Which is for sure what you do once you hijack someone's dns.. Which is why I made the comment that such a long ttl is normally not a good sign.

What Q/A section are you talking about??

Smites come, notice mine.. If you make a wrong comment you might piss off the wrong person and then they will smite you every hour on the hour for days ;)
« Last Edit: February 02, 2018, 06:31:49 am by johnpoz »

Offline ivor

  • Administrator
  • Hero Member
  • *****
  • Posts: 723
  • Karma: +152/-135
    • View Profile
    • Netgate
Re: Answered: Single website redirecting to GoodMayor
« Reply #23 on: February 02, 2018, 09:37:55 am »
Let's all chill, problem is solved. You think you guys have a problem with smites? ;)
Need help fast? Commercial support: https://www.netgate.com/support/

Online johnpoz

Re: Answered: Single website redirecting to GoodMayor
« Reply #24 on: February 02, 2018, 10:44:55 am »
hehehe You're almost on the neg side ivor ;)  I will be sure to throw you some applauds to get you leaning more on the + side...

Offline Crlaozwyn

Re: Answered: Single website redirecting to GoodMayor
« Reply #25 on: February 02, 2018, 12:34:16 pm »
Does PFSense have an "Oprah" for smites yet? I'd be willing to volunteer if not...

"You get a smite! You get a smite! You get a smite! You get a smite! You get a smite! Everybody gets a smite! Karma (not) rising!"

Offline ivor

Re: Answered: Single website redirecting to GoodMayor
« Reply #26 on: February 02, 2018, 01:38:06 pm »
hehehe You're almost on the neg side ivor ;)  I will be sure to throw you some applauds to get you leaning more on the + side...

Working hard on my smites!