[GTALUG] Reverse DNS different that DNS server (reverse is a local address)

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Mon Nov 23 10:00:02 EST 2020


On Mon, Nov 23, 2020 at 01:53:26AM +0100, Joseph Rocklin via talk wrote:
> Actually I had done a traceroute on dnschecker.org from my daughter's windows machine (on my BIL's network) after I last posted. It is attached. I think it was to either duckduckgo.com, google, or maybe another search site. I also did some ipconfig commands and recorded in some text files (then realized a better word processing program would save better). I also went to IP Tracker and ipleak.net. On IPleak.net it registered like 27 DNS addresses. When using my cell data on my own machine, I get 1 DNS address on that site. Is that at all unusual? Please let me know if those records are also useful to send.
> 
> Lastly, to clarify about utopia.net, it hasn't been popping up in the past month or so. But on my kid's machine, I would input a URL into the browser, and see in the lower LH corner 'resolving host..' and either just after or at the same time '....utopia.net'
> 
> Over the past month I also worked on my own machine. When I changed OS I found on a fresh install, my DNS was routing to utopia.net (even after not using my BIL's network). It seemed to be associated with the gigabit card. I got curious after remembering the browser texts I mentioned above, on my kids' machine. I got curious and researched utopia.net. That led to me finally doing some fiddling and I was able to change drivers and erase difficult-to-access HDD partitions, and through the command line and Linux OS I got it off my machine. I did the chattr +i command for my /etc/resolv.conf and other efforts to make sure it didn't revert. It has certainly gotten me more familiar with Linux than I was.
> 
> Anyway, curious to hear your thoughts.

https://www.reddit.com/r/antivirus/comments/7qwn93/utopianet_malware_dns_hijack/

Seeing utopia.net means you have a DNS hijacker either in your browser,
on your computer or perhaps on your router.

Something like 'hijackthis' or 'spybot search and destroy' might help
to find and eliminate it if it is on the computer.

So perhaps a browser plugin has taken over DNS handling in the browser.
Those useless toolbars people seem to like installing often do that.

-- 
Len Sorensen
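An added example, not from this thread or either poster: a small POSIX shell audit of a resolv.conf-style file that flags nameservers and search domains outside an allowlist, the kind of check that would have caught the unexpected utopia.net search domain described above. The allowlist values and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file against what the network
# owner actually configured. Assumes the caller knows the legitimate
# nameserver IPs and search domains (constructed values below).

# check_resolv FILE "ALLOWED_NAMESERVERS" "ALLOWED_DOMAINS"
# Prints one line per unexpected entry; returns 0 if clean, 1 otherwise.
check_resolv() {
    file=$1
    allowed_ns=" $2 "      # padded with spaces so " x " matches whole tokens
    allowed_dom=" $3 "
    bad=0
    # The "|| [ -n "$key" ]" keeps a final line without a newline from being skipped.
    while read -r key value rest || [ -n "$key" ]; do
        case "$key" in
            nameserver)
                case "$allowed_ns" in
                    *" $value "*) ;;
                    *) echo "UNEXPECTED nameserver: $value"; bad=1 ;;
                esac
                ;;
            search|domain)
                # "search" may list several domains; check each one.
                for d in $value $rest; do
                    case "$allowed_dom" in
                        *" $d "*) ;;
                        *) echo "UNEXPECTED $key domain: $d"; bad=1 ;;
                    esac
                done
                ;;
        esac
    done < "$file"
    return $bad
}

# Demonstration on a constructed sample resembling the hijacked case.
sample=$(mktemp)
printf 'nameserver 192.0.2.53\nnameserver 198.51.100.9\nsearch home.lan utopia.net\n' > "$sample"
check_resolv "$sample" "192.0.2.53" "home.lan" || echo "resolver config needs attention"
rm -f "$sample"
```

On a live system, run it as `check_resolv /etc/resolv.conf "<your resolver IPs>" "<your domains>"`; note that with `chattr +i` applied, as the poster did, the file cannot be rewritten until the attribute is removed.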

