Cloudflare Resolver redirecting bank to virus/scam websites


#1

Starting today, visiting tdameritrade.com is redirecting to virus/malware sites on every computer and phone that has been configured to use 1.1.1.1 for DNS resolution. As soon as I changed each system’s DNS to 8.8.8.8 (Google’s DNS service) and flushed the DNS cache, the issue was immediately resolved. Changing it back to 1.1.1.1 and tdameritrade again begins redirecting to virus sites.

I attempted to call Cloudflare.com to report this, but the phone message said I had to email cloudflare support. I then e-mailed, but the autoreply said I had to post Resolver issues here. I then tried to post, and it kept rejecting my post because “new users can only post x-number of links.” This obviously looks like a major security issue, and besides being shockingly unexpected from a service like this, Cloudflare is making it unnecessarily cumbersome to simply report.

Is 1.1.1.1 actually safe to use? Had I not discovered the issue before my less computer-literate family members, they likely would’ve fallen prey to one of the scam sites. Luckily I noticed it first, and was here to change all our systems back to an alternate DNS resolver service…


#3

Something hinky might be going on with www.tdameritrade.com, but it doesn’t have anything to do with 1.1.1.1.

Most of the nameservers produce:

www.tdameritrade.com.   300     IN      CNAME   rwd.tdameritrade.com.edgekey.net.
rwd.tdameritrade.com.edgekey.net. 21600 IN CNAME e3687.a.akamaiedge.net.
e3687.a.akamaiedge.net. 20      IN      A       23.73.147.104

One produces (among other nonsensical records):

www.tdameritrade.com.   604800  IN      A       190.2.150.129

The domain’s nameservers – or at least one version of them – are:

tdameritrade.com.  (insecure)  3600  NS  ns1.p50.dynect.net.
tdameritrade.com.  (insecure)  3600  NS  ns2.p50.dynect.net.
tdameritrade.com.  (insecure)  3600  NS  ns3.p50.dynect.net.
tdameritrade.com.  (insecure)  3600  NS  ns4.p50.dynect.net.
tdameritrade.com.  (insecure)  3600  NS  pdns151.ultradns.biz.
tdameritrade.com.  (insecure)  3600  NS  pdns151.ultradns.com.
tdameritrade.com.  (insecure)  3600  NS  pdns151.ultradns.net.
tdameritrade.com.  (insecure)  3600  NS  pdns151.ultradns.org.
tdameritrade.com.  (insecure)  3600  NS  halodesktop.tdameritrade.com.
tdameritrade.com.  (insecure)  3600  NS  nsglba-txtdameritrade.com.

Notice that the last one is a totally different domain. Maybe they got compromised, or made a mistake in their DNS records.

http://dnsviz.net/d/tdameritrade.com/W5FhzQ/dnssec/
http://dnsviz.net/d/www.tdameritrade.com/W5Fh1w/dnssec/


#4

The issue has been identified and we are investigating the root cause. We are also reaching out to the domain owner to gain more insight.


#5

I’d follow @mnordhoff’s finding.

The last nameserver is resolving anything else than the website. This is random, whereas 1.1.1.1, 8.8.8.8, my ISP’s nameserver, and our resolvers at work seem to resolve correctly to a single IP, as do the other nameservers for this domain.
The last one resolves to totally different IP addresses for *., www, web9 and one I don’t remember. Connecting to those IPs redirects you to a lot of different targets.

I had the results yesterday but someone flagged this thread and it was removed before I was able to reply. :frowning:
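The checks that posts #3 and #5 did by hand, as an added example (not Cloudflare's code, not the forum's, and not anything the domain owner runs): ask every delegated nameserver the same question and flag the one that disagrees, and flag NS hostnames that sit outside the zone and outside the DNS providers you expect. It uses only the Python standard library. `_read_name`, `build_query`, `parse_answers` and `query_a` are a minimal hand-rolled DNS client (no DNSSEC, no TCP fallback, A and CNAME only); the two response packets, the nameserver-to-answer mapping and the `KNOWN_PROVIDERS` list are constructed from the records quoted above, so the demo runs offline. Which server returned the stray A record is an assumption taken from the thread's own description, not something this script verified.

```python
import socket
import struct
from collections import Counter

def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(qname, qtype=1, txid=0x1234):
    """DNS query with RD=0, as you would send straight to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_answers(msg):
    """Return (rtype, ttl, rdata) for the A and CNAME records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    out = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(("A", ttl, ".".join(str(b) for b in msg[off:off + 4])))
        elif rtype == 5:
            out.append(("CNAME", ttl, _read_name(msg, off)[0]))
        off += rdlen
    return out

def query_a(server_ip, qname, timeout=3.0):
    """Live check: ask one nameserver IP directly over UDP/53 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_answers(data)

def foreign_nameservers(zone, ns_hosts, known_suffixes):
    """NS hosts that sit neither inside the zone nor under a known DNS provider."""
    ok = tuple("." + s.strip(".") + "." for s in (zone, *known_suffixes))
    return sorted(h for h in ns_hosts if not ("." + h).endswith(ok))

def disagreeing_nameservers(answers):
    """answers: {ns_host: [(rtype, ttl, rdata), ...]}. Servers whose answers differ
    from the majority (TTLs ignored, so an odd TTL alone is not flagged)."""
    key = lambda recs: frozenset((t, r) for t, _, r in recs)
    majority = Counter(key(r) for r in answers.values()).most_common(1)[0][0]
    return sorted(ns for ns, recs in answers.items() if key(recs) != majority)

# Constructed sample responses (not captured traffic), modelled on the records
# quoted in the thread; the answer owner name is a pointer (0xC00C) to offset 12.
QNAME = "www.tdameritrade.com."
_QUESTION = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _encode_name(QNAME) + struct.pack("!HH", 1, 1)
_TARGET = _encode_name("rwd.tdameritrade.com.edgekey.net.")
CONSISTENT_RESPONSE = _QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(_TARGET)) + _TARGET
ROGUE_RESPONSE = _QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 604800, 4) + bytes([190, 2, 150, 129])
NS_HOSTS = ["ns1.p50.dynect.net.", "ns2.p50.dynect.net.", "pdns151.ultradns.net.",
            "halodesktop.tdameritrade.com.", "nsglba-txtdameritrade.com."]
KNOWN_PROVIDERS = ["dynect.net", "ultradns.net"]  # assumption: the providers you expect to see

def run_demo():
    """Both checks over the constructed data; in a live run, fill `answers` from query_a()."""
    answers = {ns: parse_answers(CONSISTENT_RESPONSE) for ns in NS_HOSTS[:-1]}
    answers[NS_HOSTS[-1]] = parse_answers(ROGUE_RESPONSE)  # assumed: the odd-domain NS is the one that disagrees
    return {"foreign_ns": foreign_nameservers("tdameritrade.com.", NS_HOSTS, KNOWN_PROVIDERS),
            "disagreeing_ns": disagreeing_nameservers(answers)}

if __name__ == "__main__":
    print(run_demo())
```

Against a real zone you would resolve each NS hostname to an IP, call `query_a(ip, name)` for each, and feed the results to `disagreeing_nameservers`; the majority-vote comparison is what a recursive resolver cannot do for you, since it only ever asks one of the delegated servers per lookup, which is why the same name can look fine from one resolver and poisoned from another.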