Curious DNS name resolution problem

Hi,

I'm experiencing a really odd situation with my Sophos XG Home.

When I try to resolve google.com it resolves to 123.123.12.123, which is owned by China Unicom Beijing province network.

When it's resolving to this, I'm unable to access Google services.

I've set my Sophos XG DNS forwarders to (I'm not using my ISP's DNS):

1.1.1.1

8.8.8.8

8.8.4.4

I have a samba server running inside my network; when I resolve against this, I get a "normal" Google address and I can access Google services again.

My samba server is using just a single DNS forwarder:

1.1.1.1

I'm also seeing a couple of service providers referencing this IP address in their documentation:

https://fastdot.com.au/mydns-manager/

https://kinsta.com/knowledgebase/how-to-use-sftp/

Even a Google Patents page:

https://patents.google.com/patent/WO2004006112A1/en

So, I'm really confused as to why this is happening. It's like there's a static entry somewhere in the Sophos XG that redirects name resolution to 123.123.12.123, or the upstream name servers are "doing something" to return 123.123.12.123 instead.

Has anyone seen anything like this? Or am I just being unlucky and/or paranoid?

Cheers,

Paul

  • Hi Paul,

    Are you located in China? Today DNS can be used as a common term for different technologies. I don't know, but is your samba server using classic DNS at port 53 or maybe DNS over TLS? I don't know exactly how such redirects are done in some countries, but normal DNS could be altered, I think. Possibly with a DNAT one could do that yourself for your network.

    Best regards

    Alex

  • In reply to Alexander Busch:

    Thanks for responding, Alex.

    Sorry, I should have said where I am. No, I'm not in China. I'm in Australia.

    I'm just using Classic DNS over udp/53, no TLS (or even HTTPS).

    It doesn't happen all the time, but when it does happen it weirds me out.

    Many of the large DNS providers use various technologies (and brandings) to provide geo-located, DNS-specific results. The idea is to provide the physically closest endpoint to you, so you get a faster response and better experience.

    Some use things like the AnyCast DNS protocol:
    https://en.wikipedia.org/wiki/Anycast

    So, this got me thinking that maybe my upstream DNS forwarders thought I was in China and provided me DNS results accordingly, which is quite odd.

    It's about all I can put it down to right now.

    Cheers,

    Paul

  • In reply to Paul Macdonnell1:

    Hi,

    1. Check with a computer: manually add DNS 8.8.8.8 and 4.4.4.4. If it works fine, change the DNS in Sophos to 8.8.8.8 and 4.4.4.4. These DNS are working fine on my computer.

    2. If you have the issue on only one computer, it can be malware on that computer.

    3. As Alex said, check your DNAT settings; is there anything done by mistake?

  • In reply to Jose S:

    Hi Jose,

    My DNS forwarders in the XG are already set to:

    8.8.8.8

    8.8.4.4

    1.1.1.1

    The computer I was seeing this behaviour on is a Linux computer. Certainly not impervious to malware (or other infections), but less likely.

    Looking over my DNAT, I couldn't see anything out of the ordinary, or anything that might suggest an incorrect setting.

    It was just really strange; I couldn't find anything to suggest where the change might be coming from.

    I've since changed ISPs (for other reasons) and I haven't had the same problem since. Albeit it's only been a couple of days since changing ISP. I'll keep an eye out for it changing again.

    Thanks for all your help looking into this one with me.

    Cheers,

    Paul

  • In reply to Paul Macdonnell1:

    RBL filtering (specifically *.spamhaus.org, but probably others) will not work if you are using DNS forwarders.

    If you are using root hints and ending up on a China server, I recommend using dig / nslookup to investigate why.

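The dig / nslookup check suggested above can be scripted so that every forwarder from the thread is asked the same question and any answer that only one of them gives is flagged. This is an added example, not code from the thread or from Sophos; the server list is the one Paul posted, and SAMPLE_REPLY is a constructed wire-format reply carrying the 123.123.12.123 answer he saw, used for the offline check.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)
def _skip_name(data, pos):  # offset just past a name: plain labels or a 2-byte pointer
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_a_records(resp):
    """IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):  # skip the question section: name + type + class
        pos = _skip_name(resp, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips
def resolve(name, server, timeout=3.0):
    """Ask one server over UDP/53 and parse its reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))
def find_outliers(answers):
    """{server: ips} for every server that returned addresses no other server did."""
    others = lambda me: {ip for s, v in answers.items() if s != me for ip in v}
    return {s: sorted(set(v) - others(s)) for s, v in answers.items() if set(v) - others(s)}

# Constructed sample reply: google.com A 123.123.12.123; the answer name is a pointer (0xc00c) to the question.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x06google\x03com\x00"
                + struct.pack(">HH", 1, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                + bytes([123, 123, 12, 123]))

if __name__ == "__main__":  # live comparison across the forwarders named in the thread
    results = {srv: resolve("google.com", srv) for srv in ["1.1.1.1", "8.8.8.8", "8.8.4.4"]}
    print(results, "outliers:", find_outliers(results))
```

A forwarder that shows up in the outliers output is the one to look at more closely with dig, since its answer disagrees with the other resolvers you configured.
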
  • Hi Paul,

    Hmmmm, I read recently about the Chinese military "accidentally" doing some BGP hijacking, so I wonder if you didn't get tripped up by that situation.

    Cheers - Bob
    PS: This is a UTM forum, so the answers are generic, but you will want to post in an XG forum when the question is XG-dependent.