Monday, May 30, 2011
DNS hijacking observed in practice
Without VPN
$ nslookup
> www.vpnvip.com
Server: 8.8.8.8 //Google's public DNS server
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 93.46.8.89 //VPN not connected: the name is hijacked and a forged IP is returned; note that the hijack IPs are fixed
With VPN
$ nslookup
> www.vpnvip.com
Server: 202.134.93.120 //VPN connected; DNS server of a Hong Kong telecom operator
Address: 202.134.93.120#53
Non-authoritative answer:
www.vpnvip.com canonical name = vpnvip.com.
Name: vpnvip.com
Address: 96.44.184.190 //correct IP returned
> server 8.8.8.8 //switch to Google's DNS server
Default server: 8.8.8.8
Address: 8.8.8.8#53
> www.vpnvip.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
www.vpnvip.com canonical name = vpnvip.com.
Name: vpnvip.com
Address: 96.44.184.190 //still returns the correct IP
VPN disconnected
> www.vpnvip.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 54.76.135.1 //name hijacked, forged IP returned
> server 208.67.222.222 //switch the DNS server to OpenDNS
Default server: 208.67.222.222
Address: 208.67.222.222#53
> www.vpnvip.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 188.5.4.96 //name hijacked, forged IP returned
VPN connected
> www.vpnvip.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
www.vpnvip.com canonical name = vpnvip.com.
Name: vpnvip.com
Address: 96.44.184.190 //correct IP returned
> server 208.67.220.220
Default server: 208.67.220.220
Address: 208.67.220.220#53
> www.vpnvip.com
Server: 208.67.220.220
Address: 208.67.220.220#53
Non-authoritative answer:
www.vpnvip.com canonical name = vpnvip.com.
Name: vpnvip.com
Address: 96.44.184.190 //queried again; consistently returns the correct IP
> server 8.8.4.4
Default server: 8.8.4.4
Address: 8.8.4.4#53
> www.vpnvip.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
www.vpnvip.com canonical name = vpnvip.com.
Name: vpnvip.com
Address: 96.44.184.190 //DNS server changed and queried again; consistently returns the correct IP
VPN disconnected
> www.vpnvip.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 159.106.121.75 //DNS hijacked, forged IP returned
> www.vpnvip.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 197.4.4.12 //DNS hijacked, forged IP returned
> www.vpnvip.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 188.5.4.96 //DNS hijacked, forged IP returned
> www.vpnvip.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 189.163.17.5 //DNS hijacked, forged IP returned
> server 202.96.128.86 //switch to the Guangdong Telecom DNS server
Default server: 202.96.128.86
Address: 202.96.128.86#53
> www.vpnvip.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 23.89.5.60 //DNS cache poisoned, forged IP returned
VPN connected
> www.vpnvip.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 23.89.5.60 //DNS cache poisoned, forged IP returned; connecting the VPN cannot prevent the domestic operator's DNS poisoning
> www.vipvpn.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
www.vipvpn.com canonical name = vipvpn.com.
Name: vipvpn.com
Address: 89.149.254.116 //DNS cache poisoned, forged IP returned; connecting the VPN cannot prevent the domestic operator's DNS poisoning
> www.vpnvip.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 23.89.5.60 //the poisoned IPs recur
> www.vpnvip.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 159.106.121.75 //the poisoned IPs recur
> www.vpnvip.com
Server: 202.96.128.86
Address: 202.96.128.86#53
Non-authoritative answer:
Name: www.vpnvip.com
Address: 93.46.8.89 //the poisoned IPs recur
Querying pptp.witopia.net, VPN not connected
$ nslookup
> pptp.witopia.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: pptp.witopia.net
Address: 93.46.8.89 //the hijack IP is the same for a different domain, so the hijack IPs evidently come from the same IP pool
VPN connected
> pptp.witopia.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
pptp.witopia.net canonical name = pptp.all.witopia.net.
Name: pptp.all.witopia.net
Address: 74.115.160.183
Name: pptp.all.witopia.net
Address: 74.115.160.213
Name: pptp.all.witopia.net
Address: 188.165.22.196
Name: pptp.all.witopia.net
Address: 209.222.3.7
Name: pptp.all.witopia.net
Address: 209.237.253.77
Name: pptp.all.witopia.net
Address: 213.229.66.58
Name: pptp.all.witopia.net
Address: 216.240.128.86
Name: pptp.all.witopia.net
Address: 27.50.91.229
Name: pptp.all.witopia.net
Address: 64.69.46.219
Name: pptp.all.witopia.net
Address: 64.120.5.133
Name: pptp.all.witopia.net
Address: 65.111.175.196
Name: pptp.all.witopia.net
Address: 69.50.200.242
dig query for www.vpnvip.com, VPN not connected
$ dig @8.8.8.8 www.vpnvip.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 www.vpnvip.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60952
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.vpnvip.com. IN A
;; ANSWER SECTION:
www.vpnvip.com. 300 IN A 93.46.8.89
;; Query time: 520 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 29 00:54:33 2011
;; MSG SIZE rcvd: 48
VPN connected
$ dig @8.8.8.8 www.vpnvip.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 www.vpnvip.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36599
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.vpnvip.com. IN A
;; ANSWER SECTION:
www.vpnvip.com. 3581 IN CNAME vpnvip.com.
vpnvip.com. 3581 IN A 96.44.184.190
;; Query time: 158 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 29 00:54:53 2011
;; MSG SIZE rcvd: 62
dig +trace of www.vpnvip.com with the VPN connected: the delegation chain is normal and the result is correct.
$ dig @8.8.8.8 www.vpnvip.com +trace
; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 www.vpnvip.com +trace
; (1 server found)
;; global options: +cmd
. 64501 IN NS l.root-servers.net.
. 64501 IN NS b.root-servers.net.
. 64501 IN NS e.root-servers.net.
. 64501 IN NS a.root-servers.net.
. 64501 IN NS c.root-servers.net.
. 64501 IN NS f.root-servers.net.
. 64501 IN NS g.root-servers.net.
. 64501 IN NS m.root-servers.net.
. 64501 IN NS h.root-servers.net.
. 64501 IN NS d.root-servers.net.
. 64501 IN NS k.root-servers.net.
. 64501 IN NS i.root-servers.net.
. 64501 IN NS j.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 817 ms
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
;; Received 492 bytes from 192.112.36.4#53(g.root-servers.net) in 820 ms
vpnvip.com. 172800 IN NS dns1.vpnvip.com.
vpnvip.com. 172800 IN NS dns2.vpnvip.com.
vpnvip.com. 172800 IN NS dns3.vpnvip.com.
;; Received 137 bytes from 192.43.172.30#53(i.gtld-servers.net) in 156 ms
www.vpnvip.com. 3600 IN CNAME vpnvip.com.
vpnvip.com. 3600 IN A 96.44.184.190
vpnvip.com. 3600 IN NS dns1.vpnvip.com.
vpnvip.com. 3600 IN NS dns3.vpnvip.com.
vpnvip.com. 3600 IN NS dns2.vpnvip.com.
;; Received 167 bytes from 96.44.184.190#53(dns2.vpnvip.com) in 1169 ms
dig +trace of www.vpnvip.com with the VPN not connected: the delegation chain is incomplete (an A answer comes straight after the root-server step, with no .com or vpnvip.com delegation) and the result is wrong.
$ dig @8.8.8.8 www.vpnvip.com +trace
; <<>> DiG 9.6.0-APPLE-P2 <<>> @8.8.8.8 www.vpnvip.com +trace
; (1 server found)
;; global options: +cmd
. 64069 IN NS l.root-servers.net.
. 64069 IN NS b.root-servers.net.
. 64069 IN NS e.root-servers.net.
. 64069 IN NS a.root-servers.net.
. 64069 IN NS c.root-servers.net.
. 64069 IN NS f.root-servers.net.
. 64069 IN NS g.root-servers.net.
. 64069 IN NS m.root-servers.net.
. 64069 IN NS h.root-servers.net.
. 64069 IN NS d.root-servers.net.
. 64069 IN NS k.root-servers.net.
. 64069 IN NS i.root-servers.net.
. 64069 IN NS j.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 704 ms
www.vpnvip.com. 300 IN A 46.82.174.68
;; Received 48 bytes from 192.58.128.30#53(j.root-servers.net) in 774 ms
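The two comparisons the post makes by eye, cross-checking a resolver's answers with and without the tunnel and reading the dig +trace delegation chain, can be done mechanically. The following is an added example and is not code from the original post; the observation list and the two condensed +trace transcripts are constructed from the values shown above, and the verdict labels ('hijacked' for answers that are only wrong on the untunnelled path, 'polluted' for answers that are wrong on both paths) are this example's own naming of the post's distinction between hijacking and cache pollution.

```python
"""Added example, not from the original post: mechanical versions of the checks the
post performs by eye. All sample data below is condensed from the post's transcripts."""
import re
from collections import defaultdict

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME|NS)\s+(\S+)$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from \S+\((\S+)\)")

def norm(name):
    """Lower-case a DNS name and drop its trailing dot (the root stays '.')."""
    return "." if name == "." else name.rstrip(".").lower()

def parse_trace(text):
    """Split a dig +trace transcript into (records, answering_server) steps."""
    steps, records = [], []
    for line in text.splitlines():
        rr, src = RR_RE.match(line.strip()), FROM_RE.match(line.strip())
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            records.append((norm(owner), int(ttl), rtype, rdata if rtype == "A" else norm(rdata)))
        elif src:  # ';; Received ... from host#53(server)' closes a step
            steps.append((records, src.group(1)))
            records = []
    return steps

def check_trace(text, qname):
    """Return (ok, answering_server, ips). ok is True only when the A answer arrives
    after an NS delegation for a zone below the TLD that contains qname (root -> TLD
    -> zone); an A record handed back earlier, e.g. 'from' a root server, was injected."""
    qname, delegated = norm(qname), set()
    for records, server in parse_trace(text):
        names = {qname}
        for owner, _, rtype, rdata in records:
            if rtype == "CNAME" and owner in names:
                names.add(rdata)  # follow the CNAME chain
        ips = [rd for owner, _, rtype, rd in records if rtype == "A" and owner in names]
        if ips:
            ok = any(z != "." and "." in z and (qname == z or qname.endswith("." + z))
                     for z in delegated)
            return ok, server, ips
        delegated.update(owner for owner, _, rtype, _ in records if rtype == "NS")
    return False, None, []

def classify(observations, authoritative):
    """Per (qname, resolver): 'clean' if every answer is authoritative; 'hijacked' if only
    the untunnelled path is wrong (reply rewritten in transit, so tunnelling to the
    resolver fixes it); 'polluted' if the tunnelled path is wrong too (resolver cache)."""
    seen = defaultdict(lambda: {True: set(), False: set()})
    for qname, resolver, via_vpn, ip in observations:
        seen[(qname, resolver)][via_vpn].add(ip)
    verdicts = {}
    for (qname, resolver), paths in seen.items():
        good = authoritative.get(qname, set())
        bad_on, bad_off = paths[True] - good, paths[False] - good
        verdicts[(qname, resolver)] = "polluted" if bad_on else "hijacked" if bad_off else "clean"
    return verdicts

def shared_forged_ips(observations, authoritative):
    """Non-authoritative IPs returned for more than one query name: one fixed pool."""
    owners = defaultdict(set)
    for qname, _, _, ip in observations:
        if ip not in authoritative.get(qname, set()):
            owners[ip].add(qname)
    return {ip for ip, names in owners.items() if len(names) > 1}

# Constructed from the post's transcripts: (qname, resolver, via_vpn, returned ip)
OBSERVATIONS = [
    ("www.vpnvip.com", "8.8.8.8", False, "93.46.8.89"),
    ("www.vpnvip.com", "8.8.8.8", False, "54.76.135.1"),
    ("www.vpnvip.com", "8.8.8.8", True, "96.44.184.190"),
    ("www.vpnvip.com", "8.8.4.4", False, "188.5.4.96"),
    ("www.vpnvip.com", "8.8.4.4", True, "96.44.184.190"),
    ("www.vpnvip.com", "202.96.128.86", False, "23.89.5.60"),
    ("www.vpnvip.com", "202.96.128.86", True, "23.89.5.60"),
    ("www.vpnvip.com", "202.96.128.86", True, "93.46.8.89"),
    ("pptp.witopia.net", "8.8.8.8", False, "93.46.8.89"),
    ("pptp.witopia.net", "8.8.8.8", True, "74.115.160.183"),
]
# Condensed from the post's two +trace runs (one NS line per delegation step).
GOOD_TRACE = """\
.               64501   IN NS    l.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 817 ms
com.            172800  IN NS    c.gtld-servers.net.
;; Received 492 bytes from 192.112.36.4#53(g.root-servers.net) in 820 ms
vpnvip.com.     172800  IN NS    dns1.vpnvip.com.
;; Received 137 bytes from 192.43.172.30#53(i.gtld-servers.net) in 156 ms
www.vpnvip.com. 3600    IN CNAME vpnvip.com.
vpnvip.com.     3600    IN A     96.44.184.190
;; Received 167 bytes from 96.44.184.190#53(dns2.vpnvip.com) in 1169 ms
"""
BAD_TRACE = """\
.               64069   IN NS    l.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 704 ms
www.vpnvip.com. 300     IN A     46.82.174.68
;; Received 48 bytes from 192.58.128.30#53(j.root-servers.net) in 774 ms
"""
# Ground truth: vpnvip.com taken from the clean trace, witopia from its tunnelled answer
AUTHORITATIVE = {"www.vpnvip.com": set(check_trace(GOOD_TRACE, "www.vpnvip.com")[2]),
                 "pptp.witopia.net": {"74.115.160.183", "74.115.160.213"}}

if __name__ == "__main__":
    print(check_trace(GOOD_TRACE, "www.vpnvip.com"), check_trace(BAD_TRACE, "www.vpnvip.com"))
    print(classify(OBSERVATIONS, AUTHORITATIVE), shared_forged_ips(OBSERVATIONS, AUTHORITATIVE))
```

Run as a script it reports the clean trace as ok and the untunnelled one as not ok (its A record arrives from a root server before any .com delegation), classifies 8.8.8.8 and 8.8.4.4 as hijacked and 202.96.128.86 as polluted for www.vpnvip.com, and lists 93.46.8.89 as the one forged address shared between the two unrelated domains. The design choice worth noting is that `classify` needs a ground truth: here it comes from the clean +trace, which is the only answer in the post that is tied to the zone's own name servers rather than to any resolver.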
Summary:
1. With a domestic operator's DNS server, the DNS cache is poisoned whether or not the VPN is used.
2. With Google DNS or OpenDNS, DNS is not hijacked when the VPN is connected; when it is not, DNS is hijacked.
3. The poisoned and hijacked IPs are relatively fixed and can be determined to come from the same IP pool.
Tags: DNS Hijack