I had been using the carrier's DNS, 211.136.150.66.
I noticed that quite a few less-popular sites show an SSL error, NET::ERR_CERT_COMMON_NAME_INVALID; the domain used for the hijack is *.cdn-now.com.
Result of a dig query for one of those sites:
$ dig tinypng.com
; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;tinypng.com. IN A
;; ANSWER SECTION:
tinypng.com. 784 IN A 58.216.111.27
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu May 09 12:09:11 CST 2019
;; MSG SIZE rcvd: 56
Querying other sites also points to 58.216.111.27.
Here is what the domain pointed at this IP returns:
$ curl --insecure -v https://tinypng.com
...
...
* Expire in 1 ms for 1 (transfer 0x5565723305c0)
* Expire in 2 ms for 1 (transfer 0x5565723305c0)
* Trying 58.216.111.27...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5565723305c0)
* Connected to tinypng.com (58.216.111.27) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=*.cdn-now.com
* start date: Apr 16 03:50:48 2019 GMT
* expire date: Jul 15 03:50:48 2019 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: tinypng.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 09 May 2019 04:06:18 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 787
< Last-Modified: Mon, 29 Apr 2019 03:34:06 GMT
< Connection: keep-alive
< ETag: "5cc670ae-313"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html><head><title></title>
<link rel="dns-prefetch" href="//s96.cnzz.com" />
<link rel="dns-prefetch" href="//z2.cnzz.com" />
<link rel="dns-prefetch" href="//jserr.cnzz.com" />
<link rel="dns-prefetch" href="//c.cnzz.com" />
<link rel="dns-prefetch" href="//ei.cnzz.com" />
<link rel="dns-prefetch" href="//ca.cnzz.com" />
<link rel="dns-prefetch" href="//f1.cdn-now.com" />
</head>
<body>
<script>
function rndStr(len) {
len = len || 6;
var $chars = '0123456789abcdefghijklmnopqrstuvwxyz';
var maxPos = $chars.length;
var pwd = '';
for (i = 0; i < len; i++) {
pwd += $chars.charAt(Math.floor(Math.random() * maxPos));
}
return pwd;
}
var rnd1 = rndStr(6);
var rnd2 = rndStr(12);
window.location.href="https://f1.cdn-now.com/?"+rnd1+"="+rnd2;
</script>
</body>
</html>
* Connection #0 to host tinypng.com left intact
The final destination of the redirect, f1.cdn-now.com, is a gambling site.
Meanwhile the DNS provided by CNNIC is completely normal:
$ dig tinypng.com @1.2.4.8
; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> tinypng.com @1.2.4.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52271
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tinypng.com. IN A
;; ANSWER SECTION:
tinypng.com. 387 IN A 35.190.0.251
;; AUTHORITY SECTION:
tinypng.com. 8633 IN NS ns-cloud-b3.googledomains.com.
tinypng.com. 8633 IN NS ns-cloud-b1.googledomains.com.
tinypng.com. 8633 IN NS ns-cloud-b4.googledomains.com.
tinypng.com. 8633 IN NS ns-cloud-b2.googledomains.com.
;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 300721 IN A 216.239.32.107
ns-cloud-b2.googledomains.com. 130538 IN A 216.239.34.107
ns-cloud-b3.googledomains.com. 339744 IN A 216.239.36.107
ns-cloud-b4.googledomains.com. 329586 IN A 216.239.38.107
ns-cloud-b1.googledomains.com. 325725 IN AAAA 2001:4860:4802:32::6b
ns-cloud-b2.googledomains.com. 325368 IN AAAA 2001:4860:4802:34::6b
ns-cloud-b3.googledomains.com. 327608 IN AAAA 2001:4860:4802:36::6b
ns-cloud-b4.googledomains.com. 341665 IN AAAA 2001:4860:4802:38::6b
;; Query time: 4 msec
;; SERVER: 1.2.4.8#53(1.2.4.8)
;; WHEN: Thu May 09 12:09:24 CST 2019
;; MSG SIZE rcvd: 350
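As an added example (not from the original post), the three checks the post does by hand, in Python: parse dig-style answers from an untrusted and a reference resolver and list the domains where they disagree, flag a "sinkhole" IP that several unrelated domains map to on one resolver, and apply the RFC 6125 wildcard rule to show why a certificate for *.cdn-now.com cannot be valid for tinypng.com. The two answer sets are constructed inline; only the tinypng.com addresses are taken from the thread, the other domains and addresses are made up.

```python
"""Resolver-hijack checks: compare A answers between two resolvers, find a
shared sinkhole IP, and test a certificate name against a hostname."""
import re
from collections import Counter, defaultdict

# Constructed sample answers in dig's answer-section format. The tinypng.com
# addresses are the ones from the thread; the other names/IPs are made up.
CARRIER_ANSWERS = """\
tinypng.com.       784 IN A 58.216.111.27
example-one.net.   600 IN A 58.216.111.27
example-two.org.   300 IN A 58.216.111.27
example-three.cn.   60 IN A 192.0.2.5
"""
REFERENCE_ANSWERS = """\
tinypng.com.       387 IN A 35.190.0.251
example-one.net.   600 IN A 203.0.113.10
example-two.org.   300 IN A 198.51.100.7
example-three.cn.   60 IN A 192.0.2.5
"""

A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\S+)$", re.M)


def parse_a_records(text):
    """Map lowercase domain -> set of A records from dig-style answer lines."""
    recs = defaultdict(set)
    for name, ip in A_RECORD.findall(text):
        recs[name.lower()].add(ip)
    return dict(recs)


def disagreeing_domains(suspect, reference):
    """Domains whose answers from the suspect resolver share no IP with the
    reference resolver's answers (CDNs may legitimately differ partially)."""
    return sorted(d for d in suspect
                  if d in reference and not (suspect[d] & reference[d]))


def sinkhole_candidates(suspect, min_domains=2):
    """IPs that several unrelated domains resolve to on one resolver; a single
    address answering for many names is the hijack signature seen in the post."""
    count = Counter(ip for ips in suspect.values() for ip in ips)
    return {ip: n for ip, n in count.items() if n >= min_domains}


def cert_name_matches(hostname, cert_name):
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label and
    must be followed by at least two fixed labels; every other label must match
    exactly. A mismatch here is what the browser reports as
    NET::ERR_CERT_COMMON_NAME_INVALID."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def report(suspect_text, reference_text, cert_cn):
    """Run all three checks and return them as one dict."""
    suspect = parse_a_records(suspect_text)
    reference = parse_a_records(reference_text)
    return {
        "hijacked": disagreeing_domains(suspect, reference),
        "sinkholes": sinkhole_candidates(suspect),
        "cert_valid_for": {d: cert_name_matches(d, cert_cn) for d in suspect},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(CARRIER_ANSWERS, REFERENCE_ANSWERS, "*.cdn-now.com"), indent=2))
```

The sinkhole check is the cheapest signal: one resolver handing the same address to unrelated domains is suspicious even before comparing against a second resolver, and it is what the post observed when "other sites" also came back as 58.216.111.27. The name-match function also shows why the redirect target f1.cdn-now.com does validate against the same certificate.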
1  happyeveryday  2019-05-09 15:52:06 +08:00
Shanghai Mobile's own DNS poisoning pointing to gambling sites? Think about it, that can't be an official action...

2  geekvcn  2019-05-18 12:29:30 +08:00
China Mobile nationwide is a wall within the wall, plus hijacking of UDP port 53.