Issues with name resolution for 1drv.ms on Spark DNS server

Forums › Spark New Zealand › Issues with name resolution for 1drv.ms on Spark DNS server

wsnz

570 posts

Ultimate Geek
+1 received by user: 144

Topic # 240203 26-Aug-2018 10:49

Has anyone noticed issues with resolving the 1drv.ms domain using the Spark [Xtra] DNS servers 122.56.237.1 and 210.55.111.1? External DNS servers resolve the name without an issue. As a test I've tried three different Spark-connected Xtra-DNS using connections and all had the same issue.

1 | 2

4329 posts

Uber Geek
+1 received by user: 93

Moderator

Trusted

Lifetime subscriber

Reply # 2079343 26-Aug-2018 11:05

Same problem here on my Spark VDSL and Skinny mobile connections.

DjShadow

2780 posts

Uber Geek
+1 received by user: 434

Trusted

Reply # 2079345 26-Aug-2018 11:21

Same for Spark Fibre

sonyxperiageek

2572 posts

Uber Geek
+1 received by user: 306

Trusted

Reply # 2079393 26-Aug-2018 15:32

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

Sony

NZ TechBlog | A bit about me | Follow me on Twitter | My Geekzone blog

Linux

4240 posts

Uber Geek
+1 received by user: 2425

Trusted

Lifetime subscriber

Reply # 2079394 26-Aug-2018 15:34

@hio77 Maybe he can add some value

John

Talkiet

3978 posts

Uber Geek
+1 received by user: 2672

Trusted

Spark NZ

Reply # 2079419 26-Aug-2018 17:10

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

sonyxperiageek

2572 posts

Uber Geek
+1 received by user: 306

Trusted

Reply # 2079421 26-Aug-2018 17:15

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, i can't get to any site with your main DNS servers.

Sony

NZ TechBlog | A bit about me | Follow me on Twitter | My Geekzone blog

Talkiet

3978 posts

Uber Geek
+1 received by user: 2672

Trusted

Spark NZ

Reply # 2079423 26-Aug-2018 17:24

sonyxperiageek:

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, i can't get to any site with your main DNS servers.

Heh... Despite being 99% sure, your comment was dramatic enough to make me log in and check some basic basic stats.

BB traffic is unchanged from last sunday at this time and there's no drop... And DNS queries are unchanged...

Yes, I have cut off the scale deliberately.

There are also no changes in distribution of Rcodes etc...

So it's likely very isolated if you can't get resolution for any sites using our DNS servers then it's certainly not a widespread issue... Have you verified with nslookup to 210.55.111.1 or 122.56.237.1 ?

Cheers - N

sonyxperiageek

2572 posts

Uber Geek
+1 received by user: 306

Trusted

Reply # 2079449 26-Aug-2018 19:16

I think our Mikrotiks may have been hacked. There was a bunch of DNS statics pointing to one IP address with lots of different names pointing to ethereum mining etc....

The first Trace Route was with those DNS statics on, the second with it deleted.

Tracing route to trademe.co.nz [185.206.144.149]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 19 ms 18 ms 18 ms mdr-ip24-int.msc.global-gateway.net.nz [122.56.116.6]
4 18 ms 18 ms 18 ms ae8-10.akbr6.global-gateway.net.nz [122.56.116.5]
5 18 ms 18 ms 18 ms ae7-2.akbr7.global-gateway.net.nz [122.56.119.53]
6 19 ms 19 ms 19 ms ae10-10.tkbr12.global-gateway.net.nz [202.50.232.29]
7 142 ms 142 ms 145 ms xe8-0-2-0.lebr7.global-gateway.net.nz [210.55.202.194]
8 147 ms 148 ms 147 ms ae3-10.sjbr3.global-gateway.net.nz [122.56.127.25]
9 151 ms 151 ms 151 ms ae0.pabr5.global-gateway.net.nz [203.96.120.74]
10 148 ms 148 ms 148 ms palo-b1-link.telia.net [62.115.145.204]
11 335 ms 335 ms 335 ms nyk-bb4-link.telia.net [62.115.122.37]
12 334 ms 334 ms 334 ms prs-bb4-link.telia.net [80.91.251.101]
13 334 ms 334 ms 334 ms ffm-bb4-link.telia.net [62.115.122.139]
14 309 ms 309 ms 309 ms win-bb2-link.telia.net [62.115.133.78]
15 330 ms 330 ms 330 ms sfia-b2-link.telia.net [62.115.135.31]
16 321 ms 322 ms 323 ms belcloud-ic-327742-sfia-b2.c.telia.net [62.115.55.9]
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 Transmit error: code 1231.

Trace complete.

C:\>tracert trademe.co.nz

Tracing route to trademe.co.nz [202.162.73.2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 * 18 ms 18 ms mdr-ip24-dom.msc.global-gateway.net.nz [122.56.116.10]
4 18 ms 18 ms 18 ms ae8-20.akcr11.global-gateway.net.nz [122.56.116.9]
5 19 ms 19 ms 19 ms ae10-44.tkcr5.global-gateway.net.nz [122.56.127.210]
6 21 ms 21 ms 21 ms trade-me-dom.tkcr5.global-gateway.net.nz [122.56.118.38]
7 21 ms 21 ms 21 ms 203.57.145.139
8 20 ms 20 ms 20 ms www.trademe.co.nz [202.162.73.2]

Trace complete.

Sony

NZ TechBlog | A bit about me | Follow me on Twitter | My Geekzone blog

Talkiet

3978 posts

Uber Geek
+1 received by user: 2672

Trusted

Spark NZ

Reply # 2079451 26-Aug-2018 19:22

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

hio77

'That VDSL Cat'
9690 posts

Uber Geek
+1 received by user: 2247

Trusted

Spark

Subscriber

Reply # 2079468 26-Aug-2018 20:28

I had one isolated example of this passed through to me late last week (i don't run front lines so i only hear from those who know me well)

Was awaiting their IT company to come back with valid tests as on my personal connections it's fine.

I do have to echo neils question, Has anyone raised it with the helpdesk?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

sonyxperiageek

2572 posts

Uber Geek
+1 received by user: 306

Trusted

Reply # 2079475 26-Aug-2018 20:47

Talkiet:
Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

No idea at the moment.

Sony

NZ TechBlog | A bit about me | Follow me on Twitter | My Geekzone blog

sbiddle

27573 posts

Uber Geek
+1 received by user: 7034

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 2079482 26-Aug-2018 21:13

3 people support this post

Talkiet:
Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

wsnz

570 posts

Ultimate Geek
+1 received by user: 144

Reply # 2079484 26-Aug-2018 21:19

One person supports this post

A CPE Mikrotik exploit with static routes, isn't the cause of the issue in my case.

The separate connections tested have a Huawei H659B, an Edgerouter Lite and a Mikrotik (respectively) and all are reporting the same inability to resolve the 1drv.ms domain.

Now that I know it's not just me, I'll follow this up with the Spark helpdesk shortly. Thanks checking on your connections!

sonyxperiageek

2572 posts

Uber Geek
+1 received by user: 306

Trusted

Reply # 2079492 26-Aug-2018 22:24

One person supports this post

sbiddle:
Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html

Sony

NZ TechBlog | A bit about me | Follow me on Twitter | My Geekzone blog

sbiddle

27573 posts

Uber Geek
+1 received by user: 7034

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 2079504 27-Aug-2018 07:08

sonyxperiageek:

sbiddle:
Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another one related appeared this year. They're will known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html

That's just a side consequence of the exploit which that has been written about extensively and Mikrotik have sent so many emails out about. I wrote about months ago https://www.geekzone.co.nz/sbiddle/8978

Basically if you have a router that's pre 6.40.6 or 6.42.1 and it has port 80 or port 8291 winbox access open either locally or via the internet and that this isn't heavily locked to down source IP ranges it will be hacked. Guaranteed.

This latest hack is just smart hackers using this security exploit to enable crypto mining.

1 | 2