According to a notice published by the Tencent Cloud DNSPOD official account, DNSPOD recently found that the DNS server configuration on a large number of home routers had been tampered with, disrupting normal access to websites and apps.
The tampering was first seen as early as May 2024 and peaked in a concentrated outbreak on August 5th. On August 7th, testing confirmed that resolution of the domain names behind the large-scale failure had been restored on the abnormal DNS servers. Because of record TTLs and client-side caching, however, recovery on individual clients lags behind that date.
Routers taken over by attackers and pointed at malicious DNS servers:
Hijacking campaigns against routers are not uncommon. The attack usually starts by scanning for routers exposed to the Internet, then obtaining administrative access through default or commonly used passwords or through vulnerabilities in the router firmware.
Once administrative access is obtained, the attacker changes the router's default DNS server to a malicious one. When users then resolve a domain, that server answers with the address of a phishing site, a counterfeit site, or an illegal site instead of the real one.
The malicious DNS addresses discovered by DNSPOD include:
122.9.187.125
8.140.21.95
101.37.71.80
47.102.126.197
118.31.55.110
47.109.22.11
47.113.115.236
47.109.47.151
47.108.228.50
39.106.3.116
47.103.220.247
139.196.219.223
121.43.166.60
106.15.3.137
Users can log in to the router's management page, locate the DNS server setting, and check whether the configured DNS server is one of the IP addresses above. If it is, the router has been compromised: reset it to factory settings, then change the administrative account password (and apply any available firmware update, since firmware vulnerabilities are one of the entry points described above).
If the router's DNS address is not in the list above, the resolver can still be checked with the following methods:
- The TTL of the resolution record has been changed to 86400 seconds, so the record is cached for one full day.
Open a terminal on macOS or Linux and run dig @122.9.187.125 dnspod.cn
Here @122.9.187.125 is only an example DNS server IP; look up the DNS server IP configured on your router and substitute it in the command. If the answer returned for dnspod.cn carries a TTL of 86400, the resolver may be compromised. A TTL of 86400 is not unusual by itself, so compare it with the TTL the same query returns from a known public resolver before drawing a conclusion.
- Intermittently, a large number of domain names fail to resolve: the resolver returns NXDOMAIN together with an incorrect SOA record instead of the expected A or CNAME record.
Run dig @<router DNS IP> test.ip.dnspod.net
This name should resolve normally. If the response instead has status NXDOMAIN and carries an SOA record in the authority section, the DNS IP configured on the router is likely a malicious server rather than a commonly used public DNS server.
- The resolver reports its version as unbound 1.16.2.
Run dig @<router DNS IP> version.bind CH TXT
If the TXT answer contains any of the following strings, the router is likewise considered compromised:
unbound 1.16.2
sh-dsh-01
hz-ds-z11-10
Note that unbound is a widely deployed resolver and many operators hide or change this banner, so the absence of these strings does not prove the resolver is clean; treat this check as corroborating evidence alongside the TTL and NXDOMAIN checks.
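The checks above, as an added example that is not part of the DNSPod notice: a POSIX shell script that compares the router's DNS IP against the published list and parses the output of the three dig queries for the TTL, NXDOMAIN-plus-SOA and version-banner indicators. It assumes `dig` is installed for the live path; the sample dig output embedded at the bottom is constructed (the 192.0.2.x addresses and ns1.example are placeholders) so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not DNSPod's own tooling. Applies the checks from the notice to
# one resolver IP. Assumes `dig` (bind-utils / dnsutils) for the live path.
# Usage: sh check_router_dns.sh <router-dns-ip>   (no argument: offline demo)

# The malicious resolver IPs published in the DNSPod notice.
BAD_IPS="122.9.187.125 8.140.21.95 101.37.71.80 47.102.126.197 118.31.55.110
47.109.22.11 47.113.115.236 47.109.47.151 47.108.228.50 39.106.3.116
47.103.220.247 139.196.219.223 121.43.166.60 106.15.3.137"

# Check 1: is the router's DNS IP on the published list? Exit status 0 if so.
is_listed_ip() {
  for ip in $BAD_IPS; do
    [ "$1" = "$ip" ] && return 0
  done
  return 1
}

# Check 2: given raw `dig @<ip> dnspod.cn` output, does an answer-section record
# carry the 86400-second TTL the notice describes? dig prints answer records as
# "<name> <TTL> IN <TYPE> <rdata>", so the TTL is the second field.
answer_has_ttl_86400() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/                 { in_answer = 0 }
    in_answer && $2 == "86400" && $3 == "IN" { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Check 3: given raw `dig @<ip> test.ip.dnspod.net` output, did the resolver
# answer NXDOMAIN with an SOA in the authority section instead of an A record?
nxdomain_with_soa() {
  printf '%s\n' "$1" | awk '
    /^;; ->>HEADER<<-/ && /status: NXDOMAIN/ { nx = 1 }
    /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
    /^;;/                    { in_auth = 0 }
    in_auth && $4 == "SOA"   { soa = 1 }
    END { if (nx && soa) exit 0; exit 1 }'
}

# Check 4: does the `version.bind CH TXT` answer contain a string from the notice?
version_matches_known_bad() {
  printf '%s\n' "$1" | grep -Eq 'unbound 1\.16\.2|sh-dsh-01|hz-ds-z11-10'
}

# Live path: run the dig queries against one resolver IP. Prints one line per
# matching indicator; returns 0 if anything matched, 1 if nothing did.
run_checks() {
  ip="$1"; hits=0
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
  if is_listed_ip "$ip"; then
    echo "LISTED: $ip is on the DNSPod list of malicious resolvers"; hits=$((hits + 1))
  fi
  if answer_has_ttl_86400 "$(dig @"$ip" dnspod.cn)"; then
    echo "SUSPECT: dnspod.cn answered with TTL 86400"; hits=$((hits + 1))
  fi
  if nxdomain_with_soa "$(dig @"$ip" test.ip.dnspod.net)"; then
    echo "SUSPECT: test.ip.dnspod.net returned NXDOMAIN plus SOA, not an A record"; hits=$((hits + 1))
  fi
  if version_matches_known_bad "$(dig @"$ip" version.bind CH TXT)"; then
    echo "SUSPECT: resolver banner matches a string from the notice"; hits=$((hits + 1))
  fi
  [ "$hits" -gt 0 ]
}

# Constructed sample dig output (not captured from a real resolver; addresses
# are placeholders) so the parsers above can be exercised offline.
SAMPLE_TTL_HIJACKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnspod.cn.   86400   IN   A   192.0.2.10

;; Query time: 20 msec'
SAMPLE_TTL_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; ANSWER SECTION:
dnspod.cn.   600   IN   A   192.0.2.10

;; Query time: 20 msec'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003
;; QUESTION SECTION:
;test.ip.dnspod.net.   IN   A

;; AUTHORITY SECTION:
dnspod.net.   3600   IN   SOA   ns1.example. hostmaster.example. 1 3600 900 604800 86400

;; Query time: 20 msec'
SAMPLE_VERSION=';; ANSWER SECTION:
version.bind.   0   CH   TXT   "unbound 1.16.2"'

if [ -n "${1:-}" ]; then
  run_checks "$1"
else
  # No IP given: demonstrate the parsers on the constructed samples.
  answer_has_ttl_86400 "$SAMPLE_TTL_HIJACKED" && echo "sample: TTL 86400 seen (suspect)"
  answer_has_ttl_86400 "$SAMPLE_TTL_NORMAL" || echo "sample: normal TTL, no indicator"
  nxdomain_with_soa "$SAMPLE_NXDOMAIN" && echo "sample: NXDOMAIN plus SOA seen (suspect)"
  version_matches_known_bad "$SAMPLE_VERSION" && echo "sample: known-bad banner seen (suspect)"
fi
```

Run it with the DNS server IP read from the router's management page as its only argument; any SUSPECT or LISTED line means the router should be reset and its password changed as the notice advises. The banner grep can be reused on the output of `dig @<ip> hostname.bind CH TXT`, which unbound answers with its configured identity, since two of the three published strings look like host identifiers rather than version numbers.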