Issues with name resolution for 1drv.ms on Spark DNS server

Forums › Spark New Zealand (including Skinny and BigPipe) › Issues with name resolution for 1drv.ms on Spark DNS server

wsnz

649 posts

Ultimate Geek

#240203 26-Aug-2018 10:49

Has anyone noticed issues with resolving the 1drv.ms domain using the Spark [Xtra] DNS servers 122.56.237.1 and 210.55.111.1? External DNS servers resolve the name without an issue. As a test I've tried three different Spark-connected Xtra-DNS using connections and all had the same issue.

1 | 2

4973 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2079343 26-Aug-2018 11:05

Same problem here on my Spark VDSL and Skinny mobile connections.

DjShadow

4084 posts

Uber Geek

ID Verified

Trusted

#2079345 26-Aug-2018 11:21

Same for Spark Fibre

sonyxperiageek

2958 posts

Uber Geek

Trusted

#2079393 26-Aug-2018 15:32

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

Sony

Linux

11391 posts

Uber Geek

Trusted

Lifetime subscriber

#2079394 26-Aug-2018 15:34

@hio77 Maybe he can add some value

John

Talkiet

4792 posts

Uber Geek

Trusted

#2079419 26-Aug-2018 17:10

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

sonyxperiageek

2958 posts

Uber Geek

Trusted

#2079421 26-Aug-2018 17:15

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, i can't get to any site with your main DNS servers.

Sony

Talkiet

4792 posts

Uber Geek

Trusted

#2079423 26-Aug-2018 17:24

sonyxperiageek:

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, i can't get to any site with your main DNS servers.

Heh... Despite being 99% sure, your comment was dramatic enough to make me log in and check some basic basic stats.

BB traffic is unchanged from last sunday at this time and there's no drop... And DNS queries are unchanged...

Yes, I have cut off the scale deliberately.

There are also no changes in distribution of Rcodes etc...

So it's likely very isolated if you can't get resolution for any sites using our DNS servers then it's certainly not a widespread issue... Have you verified with nslookup to 210.55.111.1 or 122.56.237.1 ?

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

sonyxperiageek

2958 posts

Uber Geek

Trusted

#2079449 26-Aug-2018 19:16

I think our Mikrotiks may have been hacked. There was a bunch of DNS statics pointing to one IP address with lots of different names pointing to ethereum mining etc....

The first Trace Route was with those DNS statics on, the second with it deleted.

Tracing route to trademe.co.nz [185.206.144.149]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 19 ms 18 ms 18 ms mdr-ip24-int.msc.global-gateway.net.nz [122.56.116.6]
4 18 ms 18 ms 18 ms ae8-10.akbr6.global-gateway.net.nz [122.56.116.5]
5 18 ms 18 ms 18 ms ae7-2.akbr7.global-gateway.net.nz [122.56.119.53]
6 19 ms 19 ms 19 ms ae10-10.tkbr12.global-gateway.net.nz [202.50.232.29]
7 142 ms 142 ms 145 ms xe8-0-2-0.lebr7.global-gateway.net.nz [210.55.202.194]
8 147 ms 148 ms 147 ms ae3-10.sjbr3.global-gateway.net.nz [122.56.127.25]
9 151 ms 151 ms 151 ms ae0.pabr5.global-gateway.net.nz [203.96.120.74]
10 148 ms 148 ms 148 ms palo-b1-link.telia.net [62.115.145.204]
11 335 ms 335 ms 335 ms nyk-bb4-link.telia.net [62.115.122.37]
12 334 ms 334 ms 334 ms prs-bb4-link.telia.net [80.91.251.101]
13 334 ms 334 ms 334 ms ffm-bb4-link.telia.net [62.115.122.139]
14 309 ms 309 ms 309 ms win-bb2-link.telia.net [62.115.133.78]
15 330 ms 330 ms 330 ms sfia-b2-link.telia.net [62.115.135.31]
16 321 ms 322 ms 323 ms belcloud-ic-327742-sfia-b2.c.telia.net [62.115.55.9]
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 Transmit error: code 1231.

Trace complete.

C:\>tracert trademe.co.nz

Tracing route to trademe.co.nz [202.162.73.2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 * 18 ms 18 ms mdr-ip24-dom.msc.global-gateway.net.nz [122.56.116.10]
4 18 ms 18 ms 18 ms ae8-20.akcr11.global-gateway.net.nz [122.56.116.9]
5 19 ms 19 ms 19 ms ae10-44.tkcr5.global-gateway.net.nz [122.56.127.210]
6 21 ms 21 ms 21 ms trade-me-dom.tkcr5.global-gateway.net.nz [122.56.118.38]
7 21 ms 21 ms 21 ms 203.57.145.139
8 20 ms 20 ms 20 ms www.trademe.co.nz [202.162.73.2]

Trace complete.

Sony

Talkiet

4792 posts

Uber Geek

Trusted

#2079451 26-Aug-2018 19:22

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#2079468 26-Aug-2018 20:28

I had one isolated example of this passed through to me late last week (i don't run front lines so i only hear from those who know me well)

Was awaiting their IT company to come back with valid tests as on my personal connections it's fine.

I do have to echo neils question, Has anyone raised it with the helpdesk?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

sonyxperiageek

2958 posts

Uber Geek

Trusted

#2079475 26-Aug-2018 20:47

Talkiet:
Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

No idea at the moment.

Sony

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2079482 26-Aug-2018 21:13

Talkiet:
Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

wsnz

649 posts

Ultimate Geek

#2079484 26-Aug-2018 21:19

A CPE Mikrotik exploit with static routes, isn't the cause of the issue in my case.

The separate connections tested have a Huawei H659B, an Edgerouter Lite and a Mikrotik (respectively) and all are reporting the same inability to resolve the 1drv.ms domain.

Now that I know it's not just me, I'll follow this up with the Spark helpdesk shortly. Thanks checking on your connections!

sonyxperiageek

2958 posts

Uber Geek

Trusted

#2079492 26-Aug-2018 22:24

sbiddle:
Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html

Sony

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2079504 27-Aug-2018 07:08

sonyxperiageek:

sbiddle:
Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html

That's just a side consequence of the exploit which that has been written about extensively and Mikrotik have sent so many emails out about. I wrote about months ago https://www.geekzone.co.nz/sbiddle/8978

Basically if you have a router that's pre 6.40.6 or 6.42.1 and it has port 80 or port 8291 winbox access open either locally or via the internet and that this isn't heavily locked to down source IP ranges it will be hacked. Guaranteed.

This latest hack is just smart hackers using this security exploit to enable crypto mining.

1 | 2