DNS hijack again

We had a customer just call who is having trouble connecting to our web site westerndepot.com and gets site cannot be reached and it shows an IP address of 75.111.13.52 which is NOT the correct IP address for our web server. He said that he uses Suddenlink for his internet service. The DNS settings we have with Cloudflare have not been changed (I just checked) so I know that is not the problem.

I can see there is an issue with the SSL certificate for your website like it’s from Huawei Technologies Co., Ltd?

Redirecting me to the IP:port → Huawei router EG8145V5 (HTTP only)

I can see westerndepot.com is proxied, as it returns a Cloudflare IP on a dig command.

Therefore, DNSSEC is enabled for the domain.

I assume it’s true for me, firstly I loaded your website but with NS_BINDING_ERROR for the resources.

Nevertheless, after I hit refresh, I got as above described.

UPDATE:
Interesting, it returns my own IP when I check this??
I am using my local ISP provider, which gets its IPs from Cogent and has a peer with the other ASN, which has a peer with NetIX, which has a Cloudflare connection.

I am not sure if this is Cloudflare related, or rather my ISP issue and your customer’s ISP too. Very similar and interesting :thinking:

When I do a traceroute to your website … I go over my local ISP, to the internal network, then my country capital city cogentco.com, to Vienna cogentco, then to cloudflare.demarc.cogentco.com, and the ending IP is Cloudflare (the same as when using dig).
But unaware what happens where and why do I get redirected to my own router IP? :thinking:

Kindly, I’d suggest you write a ticket to Cloudflare support due to your account and/or domain issue and share the ticket number here with us so we could escalate this issue:

  • Login to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply to it and indicate that you need more help, referencing this topic
  • Or send an e-mail to support[at]cloudflare[dot]com from the e-mail address associated with your Cloudflare account
1 Like

75.111.13.52 is a Suddenlink IP address. Perhaps the user misspelled the DNS record, or Suddenlink operates a helpful ‘we’ll show you a search engine page if a DNS lookup fails for any reason’ service.

Might suggest your customer use a different DNS provider. But when you have a DNS provider for your personal use who wants to monetize you as a customer fun things can happen.

1 Like

In my case, should I switch away from 1.1.1.1 then? :thinking:

Even if peering is not with Cloudflare on the ISP level, nor with the local ISP in the same colo/CIX, vs using 1.1.1.1 as the DNS servers on the device/network PC?

Interesting feedback to check with my ISP, if so.

Nope for my case.

1 Like

If you’re getting redirected to IP/port that’s an HTTP thing… so you’d want to look at the http requests that got you there I’d think.

1 Like

When I sniff my own network, I do see an HTTP 302 from Cloudflare IP:443 when I open https://westerndepot.com/ to my IP:port, and then an SSL error is thrown by my router.

And same behaviour in:

  1. Firefox → using DoH Cloudflare
  2. Chrome → not using DoH

Eset NOD32 Internet Security installed.

Using 1.1.1.1/1.0.0.1 at Windows Control Panel → Network devices → ethernet adapter → custom DNS servers.

1 Like

So compromised origin server or something? Not DNS though yes?

1 Like

Interesting.

When I test using mobile phone and mobile network data (4G LTE), different ISP.

When I test normally, it loads fine.

But, the same issue occurs when I connect to Cloudflare WARP, as it again redirects me to the Mobile 4G LTE IP address with the SSL warning.

Some code which only fires when a user connects via IPv6?

IPv4 in both cases of mine.

When I test on my server, IPv4 and IPv6 when using 1.1.1.1 as a resolver, all good - via FRA colo.

Via mobile, FRA colo → but issue redirecting to IP.

Via desktop VIE colo → issue.

Via mobile + Cloudflare WARP - VIE → issue.

:thinking: