
I had been using my ISP's DNS server, 211.136.150.66.
I noticed that quite a few lesser-known sites were throwing SSL errors (NET::ERR_CERT_COMMON_NAME_INVALID); the domain used for the hijack is *.cdn-now.com.
Querying one of those sites with dig gives:
$ dig tinypng.com

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;tinypng.com.			IN	A

;; ANSWER SECTION:
tinypng.com.		784	IN	A	58.216.111.27

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: 四 5 月 09 12:09:11 CST 2019
;; MSG SIZE  rcvd: 56

Querying other sites returns the same 58.216.111.27.
Here is what a domain pointed at that IP returns:
$ curl --insecure -v https://tinypng.com
...
...
* Expire in 1 ms for 1 (transfer 0x5565723305c0)
* Expire in 2 ms for 1 (transfer 0x5565723305c0)
*   Trying 58.216.111.27...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5565723305c0)
* Connected to tinypng.com (58.216.111.27) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.cdn-now.com
*  start date: Apr 16 03:50:48 2019 GMT
*  expire date: Jul 15 03:50:48 2019 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tinypng.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 09 May 2019 04:06:18 GMT
< Content-Type: text/html; charset=
< Content-Length: 787
< Last-Modified: Mon, 29 Apr 2019 03:34:06 GMT
< Connection: keep-alive
< ETag: "5cc670ae-313"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html><head><title></title>
<link rel="dns-prefetch" href="//s96.cnzz.com" />
<link rel="dns-prefetch" href="//z2.cnzz.com" />
<link rel="dns-prefetch" href="//jserr.cnzz.com" />
<link rel="dns-prefetch" href="//c.cnzz.com" />
<link rel="dns-prefetch" href="//ei.cnzz.com" />
<link rel="dns-prefetch" href="//ca.cnzz.com" />
<link rel="dns-prefetch" href="//f1.cdn-now.com" />
</head>
<body>
<script>
function rndStr(len) {
    len = len || 6;
    var $chars = '0123456789abcdefghijklmnopqrstuvwxyz';
    var maxPos = $chars.length;
    var pwd = '';
    for (i = 0; i < len; i++) {
        pwd += $chars.charAt(Math.floor(Math.random() * maxPos));
    }
    return pwd;
}
var rnd1 = rndStr(6);
var rnd2 = rndStr(12);
window.location.href="https://f1.cdn-now.com/?"+rnd1+"="+rnd2;
</script>
</body>
</html>
* Connection #0 to host tinypng.com left intact

The final destination, f1.cdn-now.com, is a gambling site.
Meanwhile the DNS server provided by CNNIC behaves normally:
$ dig tinypng.com @1.2.4.8

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com @1.2.4.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52271
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tinypng.com.			IN	A

;; ANSWER SECTION:
tinypng.com.		387	IN	A	35.190.0.251

;; AUTHORITY SECTION:
tinypng.com.		8633	IN	NS	ns-cloud-b3.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b1.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b4.googledomains.com.
tinypng.com.		8633	IN	NS	ns-cloud-b2.googledomains.com.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 300721 IN A	216.239.32.107
ns-cloud-b2.googledomains.com. 130538 IN A	216.239.34.107
ns-cloud-b3.googledomains.com. 339744 IN A	216.239.36.107
ns-cloud-b4.googledomains.com. 329586 IN A	216.239.38.107
ns-cloud-b1.googledomains.com. 325725 IN AAAA	2001:4860:4802:32::6b
ns-cloud-b2.googledomains.com. 325368 IN AAAA	2001:4860:4802:34::6b
ns-cloud-b3.googledomains.com. 327608 IN AAAA	2001:4860:4802:36::6b
ns-cloud-b4.googledomains.com. 341665 IN AAAA	2001:4860:4802:38::6b

;; Query time: 4 msec
;; SERVER: 1.2.4.8#53(1.2.4.8)
;; WHEN: 四 5 月 09 12:09:24 CST 2019
;; MSG SIZE  rcvd: 350

1 happyeveryday 2019-05-09 15:52:06 +08:00
Shanghai Mobile's own DNS poisoning to push people to gambling sites? Just think about it, that can't be official behaviour...
2 geekvcn 2019-05-18 12:29:30 +08:00
China Mobile is a wall within the wall nationwide, and on top of that they hijack UDP port 53.
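To turn the comparison in the original post into a repeatable check, here is an added Python example (not code from the post or from either commenter): it parses the ANSWER SECTION of dig output from the ISP resolver and from a reference resolver, then applies the same wildcard-name rule a TLS client uses to decide whether the served certificate covers the requested host. The record lines are copied from the two dig runs above; the function and variable names are my own assumptions.

```python
import re
from typing import Dict, Set

# Constructed inputs: the ANSWER SECTION lines from the two dig runs in the post
# (ISP resolver vs. the CNNIC resolver 1.2.4.8) for the same name.
ISP_DIG = """
;; ANSWER SECTION:
tinypng.com.		784	IN	A	58.216.111.27
"""
REFERENCE_DIG = """
;; ANSWER SECTION:
tinypng.com.		387	IN	A	35.190.0.251

;; AUTHORITY SECTION:
tinypng.com.		8633	IN	NS	ns-cloud-b3.googledomains.com.
"""

_A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.M)

def parse_a_records(dig_output: str) -> Set[str]:
    """Return the IPv4 addresses listed in the ANSWER SECTION of dig output."""
    parts = dig_output.split(";; ANSWER SECTION:", 1)
    if len(parts) < 2:
        return set()
    # Stop at the next ';;' section header (AUTHORITY, Query time, ...).
    body = re.split(r"^;;", parts[1], maxsplit=1, flags=re.M)[0]
    return {ip for _, ip in _A_RECORD.findall(body)}

def cert_name_matches(cn: str, host: str) -> bool:
    """Wildcard rule as in RFC 6125: '*' covers exactly one leftmost label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host

def assess(host: str, isp_dig: str, ref_dig: str, cert_cn: str) -> Dict[str, object]:
    """Combine the two signals the post relied on: A records from the ISP resolver
    that a reference resolver never returns, and a certificate CN that does not
    cover the host (what the browser reports as ERR_CERT_COMMON_NAME_INVALID)."""
    isp, ref = parse_a_records(isp_dig), parse_a_records(ref_dig)
    differ = bool(isp) and isp.isdisjoint(ref)
    cert_ok = cert_name_matches(cert_cn, host)
    return {
        "isp_only_ips": sorted(isp - ref),
        "answers_differ": differ,
        "cert_matches_host": cert_ok,
        "likely_hijack": differ and not cert_ok,
    }

if __name__ == "__main__":
    print(assess("tinypng.com", ISP_DIG, REFERENCE_DIG, "*.cdn-now.com"))
```

Differing A records alone are not proof of tampering, because CDNs legitimately hand different addresses to different resolvers; it is the certificate that fails to cover the requested name that separates this case from ordinary geo-DNS.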