Geekzone: technology news, blogs, forums


494 posts

Ultimate Geek
+1 received by user: 116


Topic # 240203 26-Aug-2018 10:49

Has anyone noticed issues with resolving the 1drv.ms domain using the Spark [Xtra] DNS servers 122.56.237.1 and 210.55.111.1? External DNS servers resolve the name without an issue. As a test I've tried three different Spark-connected, Xtra-DNS-using connections and all had the same issue.

4270 posts

Uber Geek
+1 received by user: 74

Moderator
Trusted
Lifetime subscriber

  Reply # 2079343 26-Aug-2018 11:05

Same problem here on my Spark VDSL and Skinny mobile connections.

2666 posts

Uber Geek
+1 received by user: 377

Trusted

  Reply # 2079345 26-Aug-2018 11:21

Same for Spark Fibre


2501 posts

Uber Geek
+1 received by user: 293

Trusted

  Reply # 2079393 26-Aug-2018 15:32

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.





3605 posts

Uber Geek
+1 received by user: 2001

Trusted
Lifetime subscriber

  Reply # 2079394 26-Aug-2018 15:34

@hio77 Maybe he can add some value

John

Ex JohnR VodafoneNZ 17 years 4 days

3658 posts

Uber Geek
+1 received by user: 2178

Trusted
Spark NZ

  Reply # 2079419 26-Aug-2018 17:10

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N


2501 posts

Uber Geek
+1 received by user: 293

Trusted

  Reply # 2079421 26-Aug-2018 17:15

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, I can't get to any site with your main DNS servers.





3658 posts

Uber Geek
+1 received by user: 2178

Trusted
Spark NZ

  Reply # 2079423 26-Aug-2018 17:24

sonyxperiageek:

Talkiet:

sonyxperiageek:

Same here on Spark at work, stopped working about 2 hours ago. Can't even ping both their DNS servers anymore.

You never could ICMP ping the main DNS servers... You can Tcping them on port 53 though...

As for not being able to see 1drv.ms.... I don't get resolution either - I wonder if anyone has told the helpdesk?

Cheers - N

Ah right. I was testing them against your Spark Digital customers' DNS servers which I could ICMP ping.

But either way, I can't get to any site with your main DNS servers.

Heh... Despite being 99% sure, your comment was dramatic enough to make me log in and check some basic stats.

BB traffic is unchanged from last Sunday at this time and there's no drop... And DNS queries are unchanged...

Yes, I have cut off the scale deliberately.

There are also no changes in distribution of Rcodes etc...

So it's likely very isolated. If you can't get resolution for any sites using our DNS servers then it's certainly not a widespread issue... Have you verified with nslookup to 210.55.111.1 or 122.56.237.1?

Cheers - N

 

 


2501 posts

Uber Geek
+1 received by user: 293

Trusted

  Reply # 2079449 26-Aug-2018 19:16

I think our Mikrotiks may have been hacked. There was a bunch of DNS statics pointing to one IP address with lots of different names pointing to ethereum mining etc....

The first trace route was with those DNS statics on, the second with it deleted.

Tracing route to trademe.co.nz [185.206.144.149]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 19 ms 18 ms 18 ms mdr-ip24-int.msc.global-gateway.net.nz [122.56.116.6]
4 18 ms 18 ms 18 ms ae8-10.akbr6.global-gateway.net.nz [122.56.116.5]
5 18 ms 18 ms 18 ms ae7-2.akbr7.global-gateway.net.nz [122.56.119.53]
6 19 ms 19 ms 19 ms ae10-10.tkbr12.global-gateway.net.nz [202.50.232.29]
7 142 ms 142 ms 145 ms xe8-0-2-0.lebr7.global-gateway.net.nz [210.55.202.194]
8 147 ms 148 ms 147 ms ae3-10.sjbr3.global-gateway.net.nz [122.56.127.25]
9 151 ms 151 ms 151 ms ae0.pabr5.global-gateway.net.nz [203.96.120.74]
10 148 ms 148 ms 148 ms palo-b1-link.telia.net [62.115.145.204]
11 335 ms 335 ms 335 ms nyk-bb4-link.telia.net [62.115.122.37]
12 334 ms 334 ms 334 ms prs-bb4-link.telia.net [80.91.251.101]
13 334 ms 334 ms 334 ms ffm-bb4-link.telia.net [62.115.122.139]
14 309 ms 309 ms 309 ms win-bb2-link.telia.net [62.115.133.78]
15 330 ms 330 ms 330 ms sfia-b2-link.telia.net [62.115.135.31]
16 321 ms 322 ms 323 ms belcloud-ic-327742-sfia-b2.c.telia.net [62.115.55.9]
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 Transmit error: code 1231.

Trace complete.

C:\>tracert trademe.co.nz

Tracing route to trademe.co.nz [202.162.73.2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.48.1
2 * * * Request timed out.
3 * 18 ms 18 ms mdr-ip24-dom.msc.global-gateway.net.nz [122.56.116.10]
4 18 ms 18 ms 18 ms ae8-20.akcr11.global-gateway.net.nz [122.56.116.9]
5 19 ms 19 ms 19 ms ae10-44.tkcr5.global-gateway.net.nz [122.56.127.210]
6 21 ms 21 ms 21 ms trade-me-dom.tkcr5.global-gateway.net.nz [122.56.118.38]
7 21 ms 21 ms 21 ms 203.57.145.139
8 20 ms 20 ms 20 ms www.trademe.co.nz [202.162.73.2]

Trace complete.

 

 





3658 posts

Uber Geek
+1 received by user: 2178

Trusted
Spark NZ

  Reply # 2079451 26-Aug-2018 19:22

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N


'That VDSL Cat'
8446 posts

Uber Geek
+1 received by user: 1816

Trusted
Spark
Subscriber

  Reply # 2079468 26-Aug-2018 20:28

I had one isolated example of this passed through to me late last week (I don't run front lines so I only hear from those who know me well).

Was awaiting their IT company to come back with valid tests as on my personal connections it's fine.

I do have to echo Neil's question, has anyone raised it with the helpdesk?

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


2501 posts

Uber Geek
+1 received by user: 293

Trusted

  Reply # 2079475 26-Aug-2018 20:47

Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

No idea at the moment.




26936 posts

Uber Geek
+1 received by user: 6379

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2079482 26-Aug-2018 21:13
3 people support this post

Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another related one appeared this year. They're well known issues.



494 posts

Ultimate Geek
+1 received by user: 116


  Reply # 2079484 26-Aug-2018 21:19
One person supports this post

A CPE Mikrotik exploit with static routes isn't the cause of the issue in my case.

The separate connections tested have a Huawei H659B, an Edgerouter Lite and a Mikrotik (respectively) and all are reporting the same inability to resolve the 1drv.ms domain.

Now that I know it's not just me, I'll follow this up with the Spark helpdesk shortly. Thanks for checking on your connections!

 

 


2501 posts

Uber Geek
+1 received by user: 293

Trusted

  Reply # 2079492 26-Aug-2018 22:24
One person supports this post

sbiddle:

Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another related one appeared this year. They're well known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html





26936 posts

Uber Geek
+1 received by user: 6379

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2079504 27-Aug-2018 07:08

sonyxperiageek:

sbiddle:

Talkiet:

Ergh! Thanks for the followup and tentative explanation. Any idea of the attack vector?

Cheers - N

A RouterOS exploit occurred last year and another related one appeared this year. They're well known issues.

Yes, it will have been this one then: https://thehackernews.com/2018/08/mikrotik-router-hacking.html

That's just a side consequence of the exploit, which has been written about extensively and Mikrotik have sent so many emails out about. I wrote about it months ago: https://www.geekzone.co.nz/sbiddle/8978

Basically if you have a router that's pre-6.40.6 or 6.42.1 and it has port 80 or port 8291 winbox access open either locally or via the internet and this isn't heavily locked down to source IP ranges it will be hacked. Guaranteed.

This latest hack is just smart hackers using this security exploit to enable crypto mining.
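
Two things in this thread are worth turning into a check a defender can actually run against their own MikroTik: the "bunch of DNS statics pointing to one IP address with lots of different names" that sonyxperiageek found, and sbiddle's exposure criteria (firmware older than 6.40.6 / 6.42.1 with www on port 80 or winbox on port 8291 reachable without a source-address restriction). The script below is an added example, not code from the thread, from MikroTik or from any poster. It audits the text of a RouterOS `/export` for both indicators. The sample export is constructed (the addresses in it are documentation and private ranges, not the real hijack destination), the service and DNS-static line formats follow what a RouterOS export prints but only the keys used here are parsed, and the version rule is my reading of "pre 6.40.6 or 6.42.1" as two branches fixed at those releases.

```python
"""Audit a RouterOS '/export' dump for the two indicators discussed in the
thread: static DNS entries funnelling many names to one address, and
www/winbox left reachable without an address restriction on unpatched
firmware. Added example, not from the thread or from MikroTik; the sample
export below is constructed and uses documentation/private addresses."""
import re
from collections import defaultdict

# Constructed sample of a RouterOS `/export` (not a real device's output).
SAMPLE_EXPORT = """\
# aug/26/2018 19:00:00 by RouterOS 6.39.2
/ip dns static
add address=192.0.2.10 name=trademe.co.nz
add address=192.0.2.10 name=www.trademe.co.nz
add address=192.0.2.10 name=1drv.ms
add address=192.0.2.10 name=onedrive.live.com
add address=192.0.2.10 name=login.microsoftonline.com
add address=192.168.48.5 name=nas.lan
/ip service
set www port=80
set winbox port=8291
set ssh address=192.168.48.0/24 port=22
set telnet disabled=yes
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
VERSION_RE = re.compile(r"by RouterOS (\d+(?:\.\d+)*)")


def parse_export(text):
    """Pull the version banner, DNS static entries and service settings out
    of export text. Only the sections this audit needs are interpreted."""
    version, dns_static, services, section = None, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):            # export header carries the version
            m = VERSION_RE.search(line)
            if m:
                version = m.group(1)
            continue
        if line.startswith("/"):            # section header, e.g. "/ip service"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if section == "/ip dns static" and verb == "add":
            dns_static.append((kv.get("name", ""), kv.get("address", "")))
        elif section == "/ip service" and verb == "set":
            name = rest.split()[0]          # "set www port=80" -> service "www"
            svc = services.setdefault(name, {"port": None, "address": None, "disabled": False})
            svc["port"] = kv.get("port", svc["port"])
            svc["address"] = kv.get("address", svc["address"])
            svc["disabled"] = kv.get("disabled", "no") == "yes"
    return {"version": version, "dns_static": dns_static, "services": services}


def find_dns_funnels(dns_static, min_names=3):
    """Group static entries by target address. Several unrelated public names
    all answered with one address is the pattern sonyxperiageek described."""
    by_ip = defaultdict(list)
    for name, addr in dns_static:
        by_ip[addr].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


EXPOSURE_SERVICES = ("www", "winbox")     # TCP 80 and 8291 in the thread


def exposed_services(services):
    """Services named in the thread that are enabled and carry no address= limit."""
    return sorted(name for name, svc in services.items()
                  if name in EXPOSURE_SERVICES and not svc["disabled"] and not svc["address"])


def parse_version(v):
    parts = [int(p) for p in v.split(".")]
    return tuple((parts + [0, 0, 0])[:3])   # "6.43" -> (6, 43, 0)


def is_vulnerable_version(v):
    """Assumed reading of '6.40.6 or 6.42.1': the long-term branch was fixed
    at 6.40.6 and the current branch at 6.42.1, so anything older on either
    branch counts as unpatched."""
    ver = parse_version(v)
    return ver < (6, 40, 6) or (6, 41, 0) <= ver < (6, 42, 1)


def audit(text):
    cfg = parse_export(text)
    return {
        "version": cfg["version"],
        "unpatched": cfg["version"] is not None and is_vulnerable_version(cfg["version"]),
        "dns_funnels": find_dns_funnels(cfg["dns_static"]),
        "exposed_services": exposed_services(cfg["services"]),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print(f"RouterOS {report['version']} unpatched: {report['unpatched']}")
    for ip, names in report["dns_funnels"].items():
        print(f"{len(names)} static names -> {ip}: {', '.join(names)}")
    print("enabled without address restriction:", report["exposed_services"])
```

On a real device you would replace SAMPLE_EXPORT with the text of `/export` copied off the router; a router that is already clean should produce an empty dns_funnels dict and an empty exposed_services list, and the version check is only a coarse first filter, since a box that was exposed before patching may already carry the static entries regardless of what it runs now.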

 

 

 

 

