DNS Hijacking?


#1

It seems as though I am having an issue with your 1.1.1.1 DNS and the websites myetherwallet.com and mycrypto.com. There was a hack last week on the Google 8.8.8.8 that resolved those websites to a phishing site where they stole a whole lot of crypto money. Every time I try to access those websites using 1.1.1.1, I get SSL errors and warnings on my computer that say those sites are phishing sites. Google fixed the problem on their 8.8.8.8, but can you please confirm that 1.1.1.1 is not hacked for those sites as well? Is it possible that 1.1.1.1 was hijacked as well? Please let me know. Thank you.

–Very concerned


#2

Hi @scrap,

there was actually no hacking on Google’s Public DNS.

As for the domains you provided: I can reach them fine, without problems.

dig myetherwallet.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> myetherwallet.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48723
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;myetherwallet.com.		IN	A

;; ANSWER SECTION:
myetherwallet.com.	60	IN	A	54.230.202.6
myetherwallet.com.	60	IN	A	54.230.202.33
myetherwallet.com.	60	IN	A	54.230.202.47
myetherwallet.com.	60	IN	A	54.230.202.67
myetherwallet.com.	60	IN	A	54.230.202.76
myetherwallet.com.	60	IN	A	54.230.202.115
myetherwallet.com.	60	IN	A	54.230.202.233
myetherwallet.com.	60	IN	A	54.230.202.241

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Apr 26 21:00:28 CEST 2018
;; MSG SIZE  rcvd: 174

Would you mind performing this?

-- Windows
nslookup myetherwallet.com
nslookup mycrypto.com
nslookup -class=chaos -type=txt id.server

-- UNIX (Linux/macOS)
dig myetherwallet.com
dig mycrypto.com
dig ch txt id.server

#3

Interesting… I wonder why I can’t connect to these websites? Error shows as “An SSL protocol error occurred.” I don’t have any issues with any other SSL sites… just myetherwallet and mycrypto. Here is what you requested. Thanks for taking a look.


nslookup myetherwallet.com
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 2606:4700:4700::1111

Non-authoritative answer:
Name: myetherwallet.com
Addresses: 127.42.0.23
127.42.0.22
127.42.0.21
127.42.0.20
127.42.0.19
127.42.0.18
127.42.0.17
127.42.0.16


nslookup mycrypto.com
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 2606:4700:4700::1111

Non-authoritative answer:
Name: mycrypto.com
Addresses: 2600:9000:201b:800:d:cd42:e700:93a1
2600:9000:201b:1600:d:cd42:e700:93a1
2600:9000:201b:9c00:d:cd42:e700:93a1
2600:9000:201b:be00:d:cd42:e700:93a1
2600:9000:201b:ca00:d:cd42:e700:93a1
2600:9000:201b:d800:d:cd42:e700:93a1
2600:9000:201b:e200:d:cd42:e700:93a1
2600:9000:201b:f400:d:cd42:e700:93a1
13.33.35.74
13.33.35.102
13.33.35.130
13.33.35.136
13.33.35.143
13.33.35.144
13.33.35.211
13.33.35.250


nslookup -class=chaos -type=txt id.server
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 2606:4700:4700::1111

Non-authoritative answer:
id.server text =

    "ord02"

#4

I believe there might be an issue there on their ORD (Chicago POP); those first IPs are loopbacks.

Would you mind looking into it @cscharff, @ryan and @marty1? This is something I believe is on your end.

Mine, here on MXP, are:

dig +short myetherwallet.com @1.1.1.1
54.192.27.25
54.192.27.64
54.192.27.79
54.192.27.183
54.192.27.203
54.192.27.245
54.192.27.250
54.192.27.251

dig +short mycrypto.com @1.1.1.1
54.230.202.37
54.230.202.59
54.230.202.80
54.230.202.100
54.230.202.167
54.230.202.181
54.230.202.210
54.230.202.244

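The check made by hand in the posts above (look at the resolver's answers, notice that 127.42.0.x is loopback space a public hostname should never resolve to, and note which POP answered via the id.server CHAOS TXT) can be automated. The following is an added example, not code from the thread or from Cloudflare; the sample outputs are constructed from the answers quoted in this thread, and the function and constant names are this example's own.

```python
import ipaddress
import re

# Constructed samples, copied from the answers quoted in this thread.
NSLOOKUP_ORD = """\
Server: 1dot1dot1dot1.cloudflare-dns.com
Address: 2606:4700:4700::1111

Non-authoritative answer:
Name: myetherwallet.com
Addresses: 127.42.0.23
127.42.0.22
127.42.0.21
"""
DIG_SHORT_MXP = "54.192.27.25\n54.192.27.64\n54.192.27.79\n"
ID_SERVER_ORD = 'id.server text =\n\n    "ord02"\n'


def extract_answer_ips(output: str) -> list:
    """Pull the answer addresses out of nslookup or `dig +short` output.
    For nslookup only the part after 'Non-authoritative answer:' is used,
    so the resolver's own address on the 'Address:' line is not counted."""
    marker = "Non-authoritative answer:"
    if marker in output:
        output = output.split(marker, 1)[1]
    ips = []
    for token in output.split():
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            continue  # labels such as 'Addresses:' or the domain name itself
    return ips


def classify(ip) -> str:
    """Label an answer: 'global' is what a public site should return;
    loopback, private and other non-routable space is flagged by name."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "non-routable"


def audit(output: str) -> dict:
    """Per-address labels plus a verdict: 'ok' only when every answer is
    globally routable; an empty answer set is also treated as suspect."""
    labels = {str(ip): classify(ip) for ip in extract_answer_ips(output)}
    ok = bool(labels) and all(v == "global" for v in labels.values())
    return {"addresses": labels, "verdict": "ok" if ok else "suspect"}


def pop_from_id_server(output: str) -> str:
    """Return the quoted id.server TXT value (the answering POP), or ''."""
    m = re.search(r'"([^"]+)"', output)
    return m.group(1) if m else ""
```

Running audit on both samples reproduces the thread's finding: the ORD answer is flagged because every address is loopback, while the MXP answer is clean.
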
#5

These two sites are working properly for me again using 1.1.1.1.

Thank you for taking the time to get it fixed.


#6

This topic was automatically closed after 14 days. New replies are no longer allowed.