V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
jackmod
V2EX  ›  宽带症候群

上海移动之 DNS 污染

  •  
  •   jackmod · 2019-05-09 12:40:21 +08:00 · 3722 次点击
    这是一个创建于 2058 天前的主题,其中的信息可能已经有所发展或是发生改变。

    之前一直用运营商的 DNS:211.136.150.66

    发现不少冷门网站都会出现 SSL 错误,NET::ERR_CERT_COMMON_NAME_INVALID,用来劫持的域名为*.cdn-now.com

    用 dig 查询其中一个网站的结果:

    $ dig tinypng.com
    
    ; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40064
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;tinypng.com.			IN	A
    
    ;; ANSWER SECTION:
    tinypng.com.		784	IN	A	58.216.111.27
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: 四 5 月 09 12:09:11 CST 2019
    ;; MSG SIZE  rcvd: 56
    

    查询其他网站也同样指向58.216.111.27

    域名指向这个 IP 的结果是这样的:

    $ curl --insecure -v https://tinypng.com
    ...
    ...
    * Expire in 1 ms for 1 (transfer 0x5565723305c0)
    * Expire in 2 ms for 1 (transfer 0x5565723305c0)
    *   Trying 58.216.111.27...
    * TCP_NODELAY set
    * Expire in 200 ms for 4 (transfer 0x5565723305c0)
    * Connected to tinypng.com (58.216.111.27) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=*.cdn-now.com
    *  start date: Apr 16 03:50:48 2019 GMT
    *  expire date: Jul 15 03:50:48 2019 GMT
    *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: tinypng.com
    > User-Agent: curl/7.64.0
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    < Server: nginx
    < Date: Thu, 09 May 2019 04:06:18 GMT
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 787
    < Last-Modified: Mon, 29 Apr 2019 03:34:06 GMT
    < Connection: keep-alive
    < ETag: "5cc670ae-313"
    < Accept-Ranges: bytes
    < 
    <!DOCTYPE html>
    <html><head><title></title>
    <link rel="dns-prefetch" href="//s96.cnzz.com" />
    <link rel="dns-prefetch" href="//z2.cnzz.com" />
    <link rel="dns-prefetch" href="//jserr.cnzz.com" />
    <link rel="dns-prefetch" href="//c.cnzz.com" />
    <link rel="dns-prefetch" href="//ei.cnzz.com" />
    <link rel="dns-prefetch" href="//ca.cnzz.com" />
    <link rel="dns-prefetch" href="//f1.cdn-now.com" />
    </head>
    <body>
    <script>
    function rndStr(len) {
    len = len || 6;
    var $chars = '0123456789abcdefghijklmnopqrstuvwxyz';
    var maxPos = $chars.length;
    var pwd = '';
    for (i = 0; i < len; i++) {
    pwd += $chars.charAt(Math.floor(Math.random() * maxPos));
    }
    return pwd;
    }
    var rnd1 = rndStr(6);
    var rnd2 = rndStr(12);
    window.location.href="https://f1.cdn-now.com/?"+rnd1+"="+rnd2;
    </script>
    </body>
    </html>
    * Connection #0 to host tinypng.com left intact
    

    最后转移的地方f1.cdn-now.com就是​博​彩​网站。

    而 CNNIC 提供的 DNS 一切正常:

    $ dig tinypng.com @1.2.4.8
    
    ; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com @1.2.4.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52271
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;tinypng.com.			IN	A
    
    ;; ANSWER SECTION:
    tinypng.com.		387	IN	A	35.190.0.251
    
    ;; AUTHORITY SECTION:
    tinypng.com.		8633	IN	NS	ns-cloud-b3.googledomains.com.
    tinypng.com.		8633	IN	NS	ns-cloud-b1.googledomains.com.
    tinypng.com.		8633	IN	NS	ns-cloud-b4.googledomains.com.
    tinypng.com.		8633	IN	NS	ns-cloud-b2.googledomains.com.
    
    ;; ADDITIONAL SECTION:
    ns-cloud-b1.googledomains.com. 300721 IN A	216.239.32.107
    ns-cloud-b2.googledomains.com. 130538 IN A	216.239.34.107
    ns-cloud-b3.googledomains.com. 339744 IN A	216.239.36.107
    ns-cloud-b4.googledomains.com. 329586 IN A	216.239.38.107
    ns-cloud-b1.googledomains.com. 325725 IN AAAA	2001:4860:4802:32::6b
    ns-cloud-b2.googledomains.com. 325368 IN AAAA	2001:4860:4802:34::6b
    ns-cloud-b3.googledomains.com. 327608 IN AAAA	2001:4860:4802:36::6b
    ns-cloud-b4.googledomains.com. 341665 IN AAAA	2001:4860:4802:38::6b
    
    ;; Query time: 4 msec
    ;; SERVER: 1.2.4.8#53(1.2.4.8)
    ;; WHEN: 四 5 月 09 12:09:24 CST 2019
    ;; MSG SIZE  rcvd: 350
    
    happyeveryday
        1
    happyeveryday  
       2019-05-09 15:52:06 +08:00
    上海移动自有 dns 污染去菠菜网站?想想就不会是官方行为...
    geekvcn
        2
    geekvcn  
       2019-05-18 12:29:30 +08:00
    全国移动都是墙中墙,加上劫持 53 端口 UDP
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1399 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 19ms · UTC 17:29 · PVG 01:29 · LAX 09:29 · JFK 12:29
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.