Jason Johanknecht asked:
Centurylink DNS hijacked?

Multiple Centurylink customers using the PK5001Z modem only are seeing strange DNS results. All other modems on their services are working as expected. Running NSLOOKUP in command prompt shows the DNS server as the modem (the modem DNS servers show Centurylink IP addresses in the modem HTML interface), but no matter what website you check they always come back with 2 IP addresses.

198.105.244.21
198.105.254.21

The internet does work fine on this computer for browsing the internet. All computers connected to this network will have this result. One of my laptops, when connected to one of these clients, will do exactly as I have stated. When I take that laptop to another location without the PK5001Z modem, the DNS results are normal. The computers in question have different antivirus. I have even removed Avast from one of the computers and installed a different antivirus. Same thing.

I have contacted Centurylink regarding this, but unless has been committed they will not do anything more.


Can anyone explain this? What else should I be looking for?

Dave Baldwin:
Those IP addresses belong to Search Guide Inc. There are a lot of articles about DNS hijacking in home routers, but there is no direct way for you to fix it other than getting a new router. If the router belongs to Century Link, they should be able to update the firmware themselves. At least my ISPs have always been able to do that.

The DNS setting for client computers should be from their DHCP server. Are you able to control the DHCP server?
Jason Johanknecht (asker):
The modem is the DHCP server and shows the correct information; however, when you run an actual NSLOOKUP the DNS results (still showing results from the DNS of the modem) are always the same. I looked up the IP addresses and they belong to Search Guide (thought I mentioned that, but must have forgotten). All settings are correct at every level for DHCP, but the results are strange. If I statically assign a Google DNS server, the NSLOOKUP results are normal (didn't mention originally, but proven multiple times).

My best guess was that Centurylink DNS servers would be the problem, but then why only with a certain DSL modem? I can set the modem to use Google DNS servers if need be.
In researching your question, I saw a bunch of articles about a virus that was hijacking home routers.  I suggest setting the modem to use Google DNS and see if it sticks or gets reset.
No one has ever come across this?
noci:

Nope, I stopped taking such routers seriously a long time ago.
Besides, I want to be in control of my OWN equipment.
I always bought/built my own firewall, and either did not use the provider's modem or
just used it in bridge mode so my own firewall could use PPPoE to connect.

Either the modem is hijacked beyond repair or maybe it is reinfected from one of the PCs behind the system.
First try to disable UPnP... (it has calls to update modem config from the LAN without any protection).
Also try the modem in an environment WITHOUT the original PCs connected to the net, and use a laptop
without DHCP, set up using a valid address in the LAN, with a manually set DNS server (e.g. 8.8.8.8),
and try to reset it in a clean environment... [maybe even a HARDWARE reset].
Also reinstall new firmware (or the same version again):
http://internethelp.centurylink.com/internethelp/modem-pk5001z-utilities-upgrade-firmware.html
Run ipconfig or check your network IPv4 configuration; it might have been switched out by a worm on your system only.

netsh interface ip show dns

It will tell you which DNS servers are set on each connection as well as whether those are set by DHCP or are static.
I suspect that yours are static and were set by a "compromising" script/vulnerability exploited on your system.

Are you logged in on the system with an account that has administrative rights?
I will look into this thing asap. It is currently 3 locations in 3 separate cities, with 5 computers total. Again, if I take my laptop (which tests out fine at any location without that specific model of DSL modem) it happens. Bring my laptop back and all clear. If I set the PCs to public DNS like Google 8.8.8.8 everything is fine. Just very nervous something on Centurylink's side with their DNS servers, perhaps.
Keep the ideas coming. If nothing else, I will at least learn something new.

Thanks!
Do you have interconnections/shared resources?
Unless the provider had been compromised such that their systems were used to push out the wrong DNS servers, ......
No shared resources.
I've requested that this question be deleted for the following reason:

No updates or answer.
Did you resolve your issue? There are several valid suggestions on what you need to look at to identify the issue. Some providers include the option to suggest an alternate when the requested information has no results/is not valid.
Centurylink has no idea, and it is on all users with that specific modem from Centurylink. No open possibilities from this thread, so I am deleting the thread.
Century Link does not provide suggestions in their DNS response when the requested URL has a typo or the like?

i.e. running nslookup www.somenewotherdomain.com (literally)
Do they get a response with an IP? If so, this means the provider is responding with a suggestion/reference IF they get a no such record/no response. But if in the browser they get a suggestion, this means their browser settings are configured to provide a suggestion instead of an error page.
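A defender-side version of the check described in this comment (resolve a name that cannot exist, then compare answers across unrelated names), added here as an example and not code from anyone in the thread. The two Search Guide addresses come from the question; the probe names under example.net and the sample answer sets in the comments are constructed.

```python
"""Check a resolver for NXDOMAIN / "search guide" style hijacking: names that
cannot exist must return no address, and unrelated names must not all share
one answer set. Added example, not code from the thread."""
import secrets
import socket

# The two addresses the question saw for every lookup (Search Guide Inc.).
KNOWN_SUGGESTION_IPS = frozenset({"198.105.244.21", "198.105.254.21"})


def random_nonexistent_name() -> str:
    """Constructed probe label under the reserved example.net zone."""
    return f"nx-{secrets.token_hex(8)}.example.net"


def resolve(name: str) -> frozenset:
    """A records returned by the system resolver; empty set on NXDOMAIN."""
    try:
        return frozenset(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return frozenset()


def analyse(results: dict, expected_nxdomain: set) -> dict:
    """results maps queried name -> returned IPs (empty = NXDOMAIN).
    expected_nxdomain lists the probe names that must not resolve.
    Returns a dict of findings; a clean resolver yields {}."""
    answers = {n: frozenset(ips) for n, ips in results.items()}
    findings = {}
    resolved_bogus = sorted(n for n in expected_nxdomain if answers.get(n))
    if resolved_bogus:
        findings["nonexistent_names_resolved"] = resolved_bogus
    hits = sorted(n for n, ips in answers.items() if ips & KNOWN_SUGGESTION_IPS)
    if hits:
        findings["known_suggestion_ips"] = hits
    answer_sets = set(answers.values())
    if len(answers) > 1 and len(answer_sets) == 1 and next(iter(answer_sets)):
        findings["all_names_share_one_answer"] = sorted(next(iter(answer_sets)))
    return findings


def live_check(names=("www.example.com", "www.example.org")) -> dict:
    """Run the probes against the resolver this host is actually using."""
    probes = {random_nonexistent_name() for _ in range(2)}
    results = {n: resolve(n) for n in [*names, *probes]}
    return analyse(results, probes)


if __name__ == "__main__":
    print(live_check() or "no sign of DNS answer hijacking")
```

Running it once with the modem's DNS and once with a statically set public resolver, as the asker did, shows which hop is substituting the answers.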
Please re-read the beginning of this article. It holds the answer to your last question.
The only one who can answer and figure out what is going on is a person who has access to the locations experiencing issues.
I think at some point you referenced Google's public DNS servers 8.8.8.8 and, I think, 8.8.4.4.
You can switch to these, but make sure you are aware that Google could use the queries, which include the IP from which the requests are sent, as they see fit.

Often when I ask a question and receive a response seeking more information, I try to provide the information to further the understanding of the person attempting to answer my question, instead of responding with minimal information, which means that the person needs to guesstimate what might be going on to formulate another question that might be more relevant to the situation.

As noted in a prior exchange, if the provider, CenturyLink, does not address the issue by checking their equipment to make sure it is not being hijacked, you can manually set the local DNS on the clients ........
ASKER CERTIFIED SOLUTION
noci

This solution is only available to members.
No firmware updates in either direction. I had not found any forums with similar information or questions. I am going to read the article asap!
I finally have the answer. The TR-069 / ACS is what is going on. I don't know if it can be altered, but at least the modems were not hijacked.
Sometimes there is a menu option somewhere in system settings where you can disable/enable all kinds of access to the modem. TR-069 should be one of them..., but the provider might have disabled that option as well to remain in control of the modem.