4

Local Lookups Hijacked

I have confirmed this behavior on multiple machines on my LAN and with other NextDNS users on their own networks.

Local hostname lookups are not returning the correct LAN ip but are instead returning 72.52.178.23 which appears to be part of Parklogic. In a browser, the requests are hijacked and redirected to simcast.com.

8 replies

null
    • Stephen_Thompson
    • 10 mths ago
    • Reported - view

    Seeing exactly the same issue.

    • Gordon_Freeman
    • 10 mths ago
    • Reported - view

    How is this still happening? Why haven't they replied yet?

    • NextDNs
    • 10 mths ago
    • Reported - view

    Do you have a dig output? What TLD is the impacted domain using?

      • owine
      • 10 mths ago
      • Reported - view

      NextDNS Here is some dig output. There are other reports and more details in this Reddit post I opened. https://www.reddit.com/r/nextdns/comments/13orh9i/local_dns_requests_hijacked/

      ➜  ~ dig test.testerone
      
      ; <<>> DiG 9.10.6 <<>> test.testerone
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31939
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;test.testerone.            IN    A
      
      ;; ANSWER SECTION:
      test.testerone.        5    IN    A    72.52.178.23
      
      ;; Query time: 170 msec
      ;; SERVER: 10.17.89.1#53(10.17.89.1)
      ;; WHEN: Wed May 24 16:47:03 CDT 2023
      ;; MSG SIZE  rcvd: 59

      EDIT: The resolver is the nextdns cli client running on a UDM Pro.

      • Gordon_Freeman
      • 10 mths ago
      • Reported - view

      Oliver Wine 

       

      dig xxxxxxxxxxxxxxx
      ; <<>> DiG 9.10.6 <<>> xxxxxxxxxxxxxxx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34716
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;xxxxxxxxxxxxxxx.        IN    A
      ;; ANSWER SECTION:
      xxxxxxxxxxxxxxx.    14308    IN    A    72.52.178.23
      ;; Query time: 20 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Thu May 25 00:54:28 CEST 2023
      ;; MSG SIZE  rcvd: 60
      

       

      dig abcde.com.tr.dfgh
      
      ; <<>> DiG 9.10.6 <<>> abcde.com.tr.dfgh
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4383
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;abcde.com.tr.dfgh.        IN    A
      ;; ANSWER SECTION:
      abcde.com.tr.dfgh.    14400    IN    A    72.52.178.23
      ;; Query time: 555 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Thu May 25 00:55:08 CEST 2023
      ;; MSG SIZE  rcvd: 62
      
      dig xx
      
      ; <<>> DiG 9.10.6 <<>> xx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23762
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;xx.                IN    A
      ;; ANSWER SECTION:
      xx.            14318    IN    A    72.52.178.23
      ;; Query time: 90 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Thu May 25 00:59:00 CEST 2023
      ;; MSG SIZE  rcvd: 47
      
      dig xxx
      
      ; <<>> DiG 9.10.6 <<>> xxx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24409
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;xxx.                IN    A
      ;; AUTHORITY SECTION:
      xxx.            509    IN    SOA    a.nic.xxx. admin.tldns.godaddy. 1684957804 1800 300 604800 1800
      ;; Query time: 96 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Thu May 25 00:59:26 CEST 2023
      ;; MSG SIZE  rcvd: 93
      
      dig xxxx
      
      ; <<>> DiG 9.10.6 <<>> xxxx
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14275
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;xxxx.                IN    A
      ;; ANSWER SECTION:
      xxxx.            13978    IN    A    72.52.178.23
      ;; Query time: 87 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Thu May 25 00:59:46 CEST 2023
      ;; MSG SIZE  rcvd: 49
      

      real TLDs and nxdomains at real TLDs don't seem affected. it seems to only hijack no-existing tlds

      • NextDNs
      • 10 mths ago
      • Reported - view

      Gordon Freeman please try disabling the web3 feature in the settings

      • Gordon_Freeman
      • 10 mths ago
      • Reported - view

      NextDNS This seems to work, thanks!

      • owine
      • 10 mths ago
      • Reported - view

      NextDNS This fixed it for me as well. Thank you!

Content aside

  • 4 Likes
  • 10 mths agoLast active
  • 8Replies
  • 215Views
  • 6 Following