
This discussion has been inactive for longer than 30 days, and is thus closed.
    • CommentAuthorlscx1740
    • CommentTimeDec 31st 2008 edited
     permalink
    Since the DNS Poisoning of China Unicom (Formerly China Netcom) can now OVERRIDE any DNS/Router settings, I must tell you this:

    My ISP is China Unicom (Formerly China Netcom), and I'm now using OpenDNS.

    These days, when I visit some sites that cannot be loaded, it no longer shows your good-looking "Site ... which is not loading" page, but this page from this address:

    http://60.209.30.206/index.html?url=(the address you entered)

    The title means "Sorry, the requested page cannot be loaded. It may be caused by network error or by other reasons."

    This is certain to be some kind of DNS poisoning, with ads and a lot of terrible stuff.

    UPDATE: If the DNS poisoning attempt fails, it will become a page like this:

    http://60.209.30.206/proxy.html?e=73fa3fd98872b414zerWLeYl1w0vgmXlFxcvBw1lOx3vSBHrkBSwlr6r7wpvjCXnoehdwTYjVvhwyvH6Px3tqmHLTrlvLB1gs0lJjv1rK3SdHxHjkB3wv07f88Uqgv1Ubb0_rwOluzkWesXU4VpM63gr9VhqU81HXvn_txXl0ChCN4EUDUn

    UPDATE: Since today, as I live in Qingdao, China, it now occasionally makes an ad of Qingdao Police appear on the page and it can be closed. The address of this site I captured is:

    http://60.209.7.44/

    EDIT: I think adding these IP addresses into Adware or other categories may help.

    The DNS poisoning from my ISP started a very long time ago.

    One kind of DNS poisoning would just display an ad for a couple of seconds when you visited the first page after you connected to the net.

    The other kind of DNS poisoning used to be called a kind of domain correction system; it actually redirects the error pages, but it didn't work very often, and it was possible to circumvent it using your OpenDNS service.

    And now, I don't know how, since China Netcom has become a subsidiary of China Unicom, the DNS poisoning can now even OVERRIDE any DNS and router settings, including your OpenDNS. It may have been done by using some unknown methods.

    At first I thought the OpenDNS updater has failed to update and relay my network settings, but soon I found I was wrong.

    I tried to filter these addresses both in LAN and WAN in my TP-LINK TL-R402, but it doesn't work. Before this, I tried to block these addresses in OpenDNS settings, but the page can still be displayed, even after I cleared the stored cache of the web browser. Mapping these IP addresses to 127.0.0.1 in HOSTS cannot work either.

    Maybe you should look through these sites and find a way to circumvent it to prevent any possible malware from being distributed in this way. This is all I can tell you. I'll appreciate it.

    UPDATE: I traced the connections in netstat, and found the following things:
    - Connections to 60.209.30.206 at ports 1062, 1063, 1065 are established as soon as I connect to the Internet, regardless of the firewall/router/DNS settings, and then a lot of connections from 60.209.30.206 at port 44080 will be processed.
    - The computer connects to 60.209.30.206 from port 44080 to several ports in the range of about 3000-6000, and even when all the ports were blocked from this address, a connection can still be established.
    - Some connections from 60.209.30.206:http are marked as SYN_SENT.
    - There are still a lot of unknown addresses; maybe they are also the reasons for this unblockable DNS poisoning attack, and all the connections above are established regardless of the firewall/router/DNS settings.
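The "domain correction" behaviour described in this post can be checked directly against any resolver. The script below is an added example, not code from the original post or from OpenDNS: it sends a raw A query for a random name under the reserved .example TLD (which must come back NXDOMAIN) and reports an IP answer as a hijack. The resolver address and the 3-second timeout are assumptions.

```python
# Added example: query a resolver for a random nonexistent name and report
# whether it answers NXDOMAIN (honest) or an IP (the ISP "correction" page).
# RFC 1035 wire format, standard library only; the resolver IP is a parameter.
import os
import socket
import struct

def build_query(name, txid):
    """Recursive A/IN query with one question and no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, txid):
    """Return (rcode, list of A-record IPs) from a raw response."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                # skip QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def classify(rcode, ips):
    """NXDOMAIN (rcode 3) is the only honest answer for a name that does not exist."""
    if rcode == 3 and not ips:
        return "honest-nxdomain"
    if ips:
        return "hijacked: nonexistent name resolved to " + ", ".join(ips)
    return "unexpected rcode %d" % rcode

def check_resolver(resolver_ip, timeout=3.0):
    # Random label under the RFC 2606 reserved .example TLD: guaranteed not to exist.
    name = "x%s.example" % os.urandom(6).hex()
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(*parse_response(data, txid))
```

check_resolver("208.67.222.222") asks OpenDNS; calling it again with the resolver from your ISP's DHCP lease shows whether the two disagree on a name that cannot exist.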
    • CommentAuthorlscx1740
    • CommentTimeJan 2nd 2009
     permalink
    Looks like no one is really noticing this. And now I'll publish the entire page code of that DNS poisoning page.

    Here they are:

    Part 1:

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
    <title>抱歉,您输入的网页目前无法访问,可能是网络、网站或其他故障。</title>
    <link href="styles/ctrl.css" rel="stylesheet" type="text/css">
    <script src="/scripts/jquery-latest.js"></script>
    <script>
    var aurl='';
    $(document).ready(function(){
    var point = location.href.indexOf('?url=');
    aurl=location.href.substr(point+5,location.href.length);

    });
    function ClickCount(pram)
    {
    window.document.getElementById("count").src="http://60.209.30.206/adv/count/?type="+pram
    }
    </script>
    </head>
    <body>
    <div id="top">
    <div id="warn">
    <div class="title">

    <script language="javascript">
    if(navigator.appName == "Microsoft Internet Explorer")
    {
    document.write("Internet Explorer 无法显示该网页")
    }
    else {
    document.write("浏览器无法显示该网页")
    }
    </script>
    </div>
    <div id="sorry">抱歉,您输入的网页目前无法访问,可能是网络、网站或其他故障。</div>
    </div>
    <div id="tleft">


    <div class="gray1">
    <div id="hot">
    <div class="hot_title"><img src="/pic/arrow.gif" align="absmiddle"> 娱乐导航</div>

    <div id="hot_content">
    <iframe src="470x100/1119.html" width="100%" height="100" frameborder="0" scrolling="no"></iframe>
    </div>

    </div>

    </div>
    <div style="height:2px; float:left"></div>
    <div class="gray1">
    <div id="sugg">
    • CommentAuthorlscx1740
    • CommentTimeJan 2nd 2009 edited
     permalink
    Part 2:

    <div class="sugg_title"><img src="/pic/arrow.gif" align="absmiddle"> 我们建议您</div>
    <div class="sugg_content">
    <table width="90%" border="0" cellspacing="1" cellpadding="2" >
    <tr>
    <td align="left">1. <a href="javascript:location=aurl;" target="_top" style="color:#FF6600">重新连接站点</a></td>
    </tr>
    <tr>

    <td align="left"><table width="100%" border="0" align="left" cellpadding="0" cellspacing="0" >
    <form action="http://doopoop.cn/w/2/index.php" method="get"
    target="_top" onSubmit ="ClickCount('QD1209All')">
    <tr>
    <td width="130" align="left">2. 键入新的网站地址</td>
    <td align="left" valign="middle">
    <input type="text" name="key" maxlength="255" value="" class="sbi" /> <input type="image" class="sbb" value="" src="pic/btn_enter.gif" align="middle" />
    <input type="hidden" name="uid" value="10000101" />
    <input type="hidden" name="adid" value="1" /> </td>

    </tr>
    </form>
    <form action="http://doopoop.cn/w/2/index.php" method="get"
    target="_top" onSubmit="ClickCount('QD1209All')"><tr>
    <td align="left">3.<a href="http://doopoop.cn/w/2/?uid=1&adid=1&key=迪士尼" target="_top" onmousedown ="ClickCount('QD1209All')"><img src="/pic/logo_google_0708.gif" width="106" height="25" border="0" align="absmiddle" /></a></td>
    <td align="left" valign="middle"><input type="text" name="key" maxlength="255" value="" class="sbi" />
    <input type="submit" value="" class="sbb" />
    <input type="hidden" name="uid" value="10000101" />
    <input type="hidden" name="adid" value="1" /></td>

    </tr>
    </form>
    </table></td>
    </tr>
    </table>
    </div>

    </div>

    </div>

    <div></div>
    </div>
    <div id="tright">
    <div class="gray2">
    <div id="life">
    <div class="life_title"><img src="/pic/arrow.gif" align="absmiddle"> 实用生活导航</div>
    <div id="life_content">
    <iframe src="500x178/1119.html" width="100%" height="100" frameborder="0" scrolling="no"></iframe>

    </div>
    </div>
    </div>
    <div style="height:2px; float:right"></div>
    <div class="gray2">
    <div id="life">
    <div class="life_title"><img src="/pic/arrow.gif" align="absmiddle"> 时尚热点推荐</div>
    <div id="life_content">

    <iframe src="500x100/1119.html" width="100%" height="100" frameborder="0" scrolling="no"></iframe>
    </div>



    </div>
    </div>
    </div>


    <div id="bottom">
    <iframe src="800x200/1119.html" width="100%" height="200" frameborder="0" scrolling="no"></iframe>
    </div>

    <div></div>
    <div><a href="http://www.youxijiuba.com/sg.html" target="_blank"><img style="border:3px solid #ffffff" height=80 src="pic/95080.gif" width=950 border=0></a></div>
    <iframe name=count id=count src="about:blank" width="0" height="0" frameborder="0"></iframe>
    <div style="display:none"><script src="http://s65.cnzz.com/stat.php?id=1187630&web_id=1187630" language="JavaScript" charset="gb2312"></script></div>
    </body>
    </html>

    Because the code is too large to post in a single post I split it into 2 parts. Putting the 2 parts together will form the page.

    The following domains were found in the code:
    doopoop.cn
    www.youxijiuba.com
    s65.cnzz.com

    There were a lot of blocks from doopoop.cn. I don't know what they really are, but they may be distributing some kind of malware...
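Pulling the third-party hosts out of a captured page like the one in Parts 1 and 2 can be automated. The script below is an added example, not code from the original post: it walks every src/href/action attribute and any absolute URL inside inline script text, then splits the result into DNS names (hosts-file or OpenDNS block candidates) and literal IPs (packet-filter candidates). The SAMPLE document is a constructed excerpt in the shape of the posted page, not the full page.

```python
# Added example: list every third-party host a captured redirect page pulls
# in (src/href/action attributes plus absolute URLs in inline scripts), split
# into DNS names (hosts-file/OpenDNS candidates) and literal IPs (firewall).
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action"}
ABS_URL = re.compile(r"https?://[^\s'\"<>)]+")

class HostCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self._in_script = False

    def _add(self, url):
        parts = urlsplit(url)
        # Relative iframes (470x100/1119.html) and javascript: links name no host.
        if parts.scheme in ("http", "https") and parts.hostname:
            self.hosts.add(parts.hostname)

    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self._add(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                # e.g. the ClickCount beacon URL
            for url in ABS_URL.findall(data):
                self._add(url)

def extract_hosts(html):
    """Return (sorted DNS names, sorted literal IPs) referenced by the page."""
    p = HostCollector()
    p.feed(html)
    names, ips = [], []
    for h in p.hosts:
        try:
            ipaddress.ip_address(h)
            ips.append(h)
        except ValueError:
            names.append(h)
    return sorted(names), sorted(ips)

# Constructed excerpt in the shape of the page posted above (not the full page).
SAMPLE = """<html><head><script src="/scripts/jquery-latest.js"></script>
<script>function ClickCount(p){document.getElementById("count").src="http://60.209.30.206/adv/count/?type="+p}</script>
</head><body><a href="javascript:location=aurl;">retry</a>
<iframe src="470x100/1119.html"></iframe>
<form action="http://doopoop.cn/w/2/index.php" method="get"></form>
<a href="http://www.youxijiuba.com/sg.html"><img src="pic/95080.gif"></a>
<script src="http://s65.cnzz.com/stat.php?id=1187630"></script></body></html>"""
```

extract_hosts(SAMPLE) returns the three domains listed in this post as names and 60.209.30.206 as the only literal IP; feed it the saved HTML of a real capture to get the same two lists.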
  1.  permalink
    >>Looks like no one is really noticing about this.<<

    Probably because you have to be in China to notice, right? Everybody knows that the Chinese government does everything it can to censor the Internet and that the Chinese people let them get away with it.
    What do you expect us to do about it?

    My country had a repressive Communist government for decades, too, but we revolted and threw them out of power. That is the only way to deal with this kind of "poisoning."
    • CommentAuthorlscx1740
    • CommentTimeJan 11th 2009 edited
     permalink
    I wonder if there's a way to set a connection timeout for your DNS service in order to prevent this kind of DNS poisoning. Yeah, to make OpenDNS react before they do. Usually the site will hang at "Waiting for <site>" (in Firefox) for about 20-30 seconds, then it will be redirected to their poisoned page as above. If a site is not listed or inaccessible in OpenDNS it will act as usual, prior to the DNS poisoning, saying that the address is not loading. So if we can expect OpenDNS to react and redirect when a site cannot be connected after 10-15 seconds, the DNS poisoning will no longer happen. Though this cannot bring back the accessibility of sites that should not be censored, it can make the system more secure.

    These days the site seems to have been updated, with doopoop.cn replaced by click.colorzone.cn.

    I don't know, but sites such as Wordpress and LiveJournal will be redirected to that poisoning ad-filled page.

    This DNS poisoning problem has already been reported to some Chinese security sites, but they just ask you to scan your computer for possible malware.

    Yeah. Though I'm Chinese, now I hardly use any Chinese software. Here are some reasons:

    - With my Avira Antivir installed, downloading Chinese software is now nearly impossible. The reason is, at least one possible Adware/Spyware (mainly Search Bars, and some are certain to be Trojans) can be detected in their packages, causing the download to fail when completed. Some Chinese security tools even use some Trojans to work. They're bundled and can be installed without notice.
    - Did you know about the viruses that spread via removable media by using AUTORUN.INF? I think most of them are from our country and some may have been created by experienced students. They can cause a lot of trouble, but nearly all Chinese security software does nothing against them. Now I'm using Avira Antivir and I can finally keep those autorun viruses away.
    - A lot of Chinese software developers are so eager to get high profits that they don't even care about adding Trojans and other malware. Once I used mostly national software, and in the end it destabilized my computer security as a lot of strange things happened... so I quit using it since then.
    - Since my Windows is now in English, and there's no temporary codepage switch or individual user codepage options, it's impossible to run non-Unicode (GB2312/GB18030) applications properly.

    Also, I wonder if it's possible to redirect all those terrible ads to your Overture (make sure your own ad server is secure) as I trust this service to prevent them from distributing possible malware.
    • CommentAuthormpach
    • CommentTimeJan 12th 2009 edited
     permalink
    The only thing I can think of that you can do is to make an encrypted connection to the internet (the encrypted connection will bypass this DNS redirect).....

    seeing as it is illegal in your country i cannot continue....
    • CommentAuthorrotblitz
    • CommentTimeJan 12th 2009
     permalink
    • CommentAuthorbras0778
    • CommentTimeJan 18th 2009
     permalink
    rotblitz, that site is blocked by the Great Firewall :-)
    • CommentAuthorrotblitz
    • CommentTimeJan 18th 2009 edited
     permalink
    No problem, try this: http://web204.sv05.net-housting.de/UltraReach/

    Edit: I just want to mention that in fact I cannot recommend the use of this software. On one hand they say they intend to allow free access to the internet with their product, but on the other hand their servers block a lot of sites with great anticipatory obedience. How schizophrenic! :angry:
    So, at the end, you may be able to use it to just reach a dedicated site with this software. It is nothing for a generally free surfing experience. I would guess that the filter level is similar to when you set OpenDNS' category filter to "High", maybe more.
  2.  permalink
    Just thought I'd add:

    1- That isn't DNS poisoning, China is just in full control of their networks.

    2- OpenDNS cannot preempt anything. Your packets pass through China's networks. (See #1 above.)
    • CommentAuthorlscx1740
    • CommentTimeFeb 6th 2009 edited
     permalink
    It can't be helped.

    Maybe they're aware of our actions trying to circumvent their DNS redirection... and they seem to have made their DNS redirection more complex... (The current redirection seems to redirect to a site which is powered by Google China, and the real address cannot be resolved)

    The network there has become more and more unstable, so that even unblocked sites can be inaccessible sometimes... probably the side effect of that painful earthquake...

    I'm against using such proxies because if I'm idle for a while, everything I've logged in to and everything I've written down to submit... will be voided and I'll have to log in again.

    These days I keep using TOR... though it's slow, and sometimes can respond with only a "Connection: Close"... It's the only one that can be connected easily.

    I've tried several proxies... and the first one was UltraReach, which I abandoned since it can be tough to reconnect... and that trouble also applies to GTunnel and GPass (GPass was reported as a virus by Avira and several other AV software).

    Once a friend of mine introduced me to Hotspot Shield... but unfortunately, I can no longer connect to the VPN so I have to stop using it.

    Proxies can never do anything for me, as I'm using only a decent ADSL with 2MBps speed. (Once I used broadband but it seemed to block P2P connections so I decided to switch to ADSL)

    I wonder if there's a way to make faster and better quality obfuscated connections to the internet, thus circumventing everything that dares to get in our way. (AFAIK the later versions of eMule support this and it works great, with UPnP enabled)

    In my opinion, as long as we can block a site, there's a way to enter it...
  3.  permalink
    Well, they block you off in four or five different ways, including keyword filtering, DNS, the national BGP routers, and DPI. Of course there are ways around this, but you are looking for speed as well. The only thing that might get you a faster connection is a VPN to some server that will handle your traffic like one of the proxies.

    Something like OpenDNS will never help, because China can kill your request while outbound, anywhere from your ISP to the cable landings. It can kill a response anywhere along the line as well.

    What is forbidden may change on a daily basis. A whole site or one article may be blocked.

    The other thing about speed: China's networks are congested, and you only have 3 cable landings going the long way to Europe, and it's quite a distance to the U.S. anyway, and 2 of those cables go through Japan first. I think there is one cable that goes into Russia. Not really good for online gaming.

    I sincerely wish you better luck in the future.
    • CommentAuthorrotblitz
    • CommentTimeFeb 6th 2009
     permalink
    @lss0660
    "current redirection seems to redirects to a site which is powered by Google China"
    http://www.google-watch.org/china.html

    You may give the following a try:
    http://67.111.196.248/pxy/powerdby_surf786.com/ (http://www.surf786.com/)
    https://210.18.104.227/cgi-bin/nph-120025.cgi
    • CommentAuthorlscx1740
    • CommentTimeFeb 12th 2009
     permalink
    Thanks for your advice.

    To block those terrible-looking pages, I have PeerGuardian 2, and it works great as it can block HTTP connections from those IPs, so it will never get in my way and show the usual page that was from the layout engine.

    The network speed is still satisfying even outside China, so even having few cables is less of a problem at present.

    Looks like our country may block an entire web host even if just one of millions of pages hosted on that server was found sensitive. Actually, with just this, the government will be able to put great pressure on those who did not make those restrictions, but this will also affect some foreign hosts (as foreign hosts put fewer restrictions than Chinese hosts), so a lot of sites prevent Chinese users from signing up because of "ABUSE" (this could be the reason), or just give them a 403 error when trying to sign up.

    As for VPN... I'll have to look for some good, reliable ones... Hotspot Shield was a good VPN software, though it provides banners... unfortunately the country censored its connection, probably.

    I've been a TOR user for years, since I first discovered the truth of censorship when one of my old free web hosts, FreeWebs, was inaccessible. (At first I thought it was because of the 2006 earthquake) I have no intention of going against my country... but the only thing I want on the Internet is a stable, reliable connection. Proxies can only help me most in browsing things. If I need to download something, I'll add it to Gigaget, and if there are accessible mirrors I won't need it and it can still help me reach a satisfying speed.

    Also, for rotblitz, Google is still fine and I'm still using it. However, all IPs of Google Cache were censored, and when using Cache it only gives us a blank page (including the feature "open it as HTML" for non-HTML files like PDF). Google China never provided a Cache feature. Even so, Google's Page Translation is still functional, but only for accessible sites, or it will return an error.

    The first proxy, Surf786, seems reliable, though I haven't used it as I already had one in use. I wonder if there is a free and easy-to-use VPN software that can be very reliable for users like me (a satisfying speed and a stable connection)... However, I don't know if there is ever a VPN that can go through my country, since I can no longer access Hotspot Shield from anywhere in the city.
