Search.dnsadvantage.com

When resolving, for example, ‘privateinternetaccess.com’, 1.1.1.1 returns:

> privateinternetaccess.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: privateinternetaccess.com
Address: 172.227.168.130

which leads to the old scammers as in the subject. For the same query 8.8.8.8 returns:

> privateinternetaccess.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: privateinternetaccess.com
Address: 104.89.43.23

which looks legit and works. <unserious> Has anyone at Cloudflare installed “DNSAdvantage” on their Windows and infected the whole DNS service? </unserious> Seriously though - that looks like a glaring security issue, doesn’t it?

Wut? :confused:


I take it this is something along the “please elaborate more” lines (correct me if I am wrong), so I’ll try to rephrase. When I have 1.1.1.1 set as the DNS server on duty and try to access the site under the name I provided (privateinternetaccess.com - there are more, but this is the one I noticed again recently), I quite correctly get a security warning from the browser. Checking the details shows that this is due to the old “search.dnsadvantage.com” playing its MiTM trick. Changing DNS from 1.1.1.1 to 8.8.8.8 solves the problem in the sense that I get the correct site returned. Checking the resolving responses from the two servers shows the reason: 8.8.8.8 resolves to a different IP address (presumably the correct one) and 1.1.1.1 resolves to an IP address apparently serving the scammers.

dig privateinternetaccess.com @1.1.1.1 +short
23.6.130.186

dig privateinternetaccess.com @8.8.8.8 +short
23.60.118.12

This site appears to use geolocation in its DNS responses. Since 1.1.1.1 doesn’t send the client subnet, to maintain user privacy, it is common to receive different answers from other DNS providers which may send this data. I can’t speak to how or why you received a security warning.

Both those IPs resolve to what look like Akamai-based IPs, so perhaps you have a piece of software or plugin which is detecting an issue (incorrectly?).

dig -x 104.89.43.23 +short
a104-89-43-23.deploy.static.akamaitechnologies.com.
dig -x 172.227.168.130 +short
a172-227-168-130.deploy.static.akamaitechnologies.com.
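The reply above attributes the differing answers to EDNS Client Subnet (ECS, RFC 7871): a resolver that forwards (part of) the client's address lets a geo-aware authoritative server pick a nearby Akamai node, while a resolver that withholds it gets the server's default answer. The script below is an added example, not code from the thread or from Cloudflare; it builds a raw DNS query with an explicit ECS option so you can ask one resolver the same question with and without a client subnet and see whether the answer set moves. The resolver address, the query name and the `203.0.113.0/24` subnet are constructed sample inputs, and `SAMPLE_RESPONSE` is a hand-built reply using the 23.6.130.186 answer from the dig output above, so the parsing can be exercised offline.

```python
import ipaddress
import socket
import struct

EDNS_CLIENT_SUBNET = 8   # EDNS option code for ECS (RFC 7871)
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ecs_option(subnet):
    """Build one ECS option: family, source prefix length, scope 0, truncated address.
    A prefix length of 0 (e.g. '0.0.0.0/0') asks the resolver to use no client subnet,
    which is what dig's +subnet=0.0.0.0/0 sends."""
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", EDNS_CLIENT_SUBNET, len(body)) + body


def build_query(name, subnet=None, txid=0x1234):
    """A-record query with an OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    rdata = ecs_option(subnet) if subnet else b""
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = extended flags (0)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1 + n


def parse_a_records(resp):
    """Collect the IPv4 addresses from the answer section of a response packet."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips


def resolve(name, resolver, subnet=None, timeout=3.0):
    """Send the query over UDP and return the A records (needs network access)."""
    q = build_query(name, subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(resp)


# Constructed response packet: same 0x1234 id, QR/RD/RA flags, one A answer of 23.6.130.186
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("privateinternetaccess.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([23, 6, 130, 186])
)

if __name__ == "__main__":
    name = "privateinternetaccess.com"
    print("offline sample parse:", parse_a_records(SAMPLE_RESPONSE))
    # Live comparison (sample resolver/subnet values; any ECS-honouring resolver works):
    for label, subnet in (("no ECS", "0.0.0.0/0"), ("ECS 203.0.113.0/24", "203.0.113.0/24")):
        print(label, sorted(resolve(name, "8.8.8.8", subnet)))
```

If the two live answer sets differ only in which Akamai node they name, that is geolocation at work, as the reply suggests; an address that does not reverse-resolve into the same CDN at all would be worth a closer look.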

I received it because I was directed to an IP address which served dnsadvantage.com instead of what was requested through the canonical name, and therefore the CN in the SSL certificate (although valid otherwise) didn’t match. I tried to find the authoritative server and I could get only as far as Cloudflare. This leads me to suspect that at least one of the entries is “tainted”.

OTOH it theoretically might be a hacked server of theirs too, I guess. Do you have a way to verify the IP I gave in my first post?

They would need to validate it, but that IP address returns their certificate when curled…

curl -Iv https://privateinternetaccess.com --resolve privateinternetaccess.com:443:172.227.168.130
* Added privateinternetaccess.com:443:172.227.168.130 to DNS cache
* Hostname privateinternetaccess.com was found in DNS cache
*   Trying 172.227.168.130:443...
* TCP_NODELAY set
* Connected to privateinternetaccess.com (172.227.168.130) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=Colorado; L=Denver; O=London Trust Media Incorporated; CN=*.privateinternetaccess.com
*  start date: Feb  7 23:52:13 2020 GMT
*  expire date: Feb 23 14:15:01 2021 GMT
*  subjectAltName: host "privateinternetaccess.com" matched cert's "privateinternetaccess.com"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com
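The curl command above pins the hostname to one candidate IP and lets TLS decide: if the host at that address presents a certificate whose SAN or CN covers `privateinternetaccess.com`, the address is serving the real site, whatever DNS said. The script below is an added example, not code from the thread or from any of the parties named; it does the same check from Python, and separates the name-matching logic so it can be exercised offline. `PIA_CERT` is a constructed dict mirroring the subject and SAN fields printed by curl above, `OTHER_CERT` is a constructed placeholder for a certificate belonging to an unrelated site, and `fetch_cert` is the live part that assumes network access.

```python
import socket
import ssl


def name_matches(pattern, host):
    """Match a dNSName or CN against a host per the usual RFC 6125 rules:
    case-insensitive, and a single leading '*' covers exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse bare '*.com'-style wildcards and require the rest to match exactly
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Names from the dict shape ssl.getpeercert() returns.
    When dNSName SANs are present the CN is ignored, as modern clients (and curl) do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))


def fetch_cert(host, ip, port=443, timeout=5.0):
    """Connect to `ip` but send `host` in SNI, like curl --resolve.
    The chain is still verified against the system trust store; hostname
    checking is done by cert_matches_host so a mismatch can be reported
    rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                 # we report the mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED        # but the chain must still validate
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed from the subject/SAN lines in the curl output above
PIA_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "London Trust Media Incorporated"),),
                (("commonName", "*.privateinternetaccess.com"),)),
    "subjectAltName": (("DNS", "*.privateinternetaccess.com"), ("DNS", "privateinternetaccess.com")),
}
# Constructed placeholder for a certificate issued to some unrelated site
OTHER_CERT = {
    "subject": ((("commonName", "search.example"),),),
    "subjectAltName": (("DNS", "search.example"),),
}

if __name__ == "__main__":
    host = "privateinternetaccess.com"
    for ip in ("172.227.168.130", "23.6.130.186"):     # the two 1.1.1.1 answers quoted in the thread
        try:
            cert = fetch_cert(host, ip)
            verdict = "matches" if cert_matches_host(cert, host) else "DOES NOT match"
            print(f"{ip}: certificate names {cert_names(cert)} {verdict} {host}")
        except (ssl.SSLError, OSError) as e:
            print(f"{ip}: TLS failure: {e}")
```

A valid chain whose names do not cover the requested host is exactly the symptom described earlier in the thread (a browser warning because the CN/SAN did not match), and is the signal to look at which server the address actually belongs to rather than at the resolver alone.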

I see, thank you. Alerted them too.