
Tencent Cloud: DNS hijacking detected on a large number of domestic home routers; server side now restored

WBOY
2024-08-09 16:36:02

According to news on August 9, Tencent Cloud DNSPod issued an official notice today saying it has detected that the DNS resolution configuration of a large number of domestic home routers has been tampered with, affecting normal access to websites and apps. The problem first appeared in May 2024 and peaked in a concentrated outbreak on August 5. As of August 7, testing confirmed that the domain name that caused the large-scale outbreak of this failure has been restored on the abnormal DNS server, but because of TTLs and client-side local caches, recovery on clients will lag somewhat.

Under normal circumstances, when a user accesses a website or app, the device sends a request to a DNS server to resolve the IP address for the site's domain name. The DNS server returns the correct IP address, and the user's device connects to the target server and accesses the website.


But in a DNS hijacking attack, the malicious DNS server will return a wrong IP address, causing the user to access the wrong website or be unable to access the target website.

Tencent Cloud officially provides a self-check plan, which is summarized as follows:

First, check whether the primary DNS setting on your router has been changed to an IP address like those in Tencent Cloud's published list (the list is not exhaustive). If it has, and the secondary DNS has been changed to 1.1.1.1, that basically confirms your home router's DNS has been hijacked and tampered with.


If the DNS server IP configured on your router is not in that list, DNS hijacking can still be confirmed by the following typical behaviors:

1. The TTL of domain name resolution records is changed to 86400 seconds, meaning each record is cached for one day. You can check this from a terminal with public network access (such as a Mac or a Linux cloud server) by running:

dig @122.9.187.125 dnspod.cn

where 122.9.187.125 is an example IP address, which you can replace with the IP address of your home router's DNS server.


2. A large number of domain names intermittently fail to resolve, and an NXDOMAIN response with an incorrect SOA record is returned instead of normal A or CNAME records. You can run the following command to check:

dig @122.9.187.125 test.ip.dnspod.net

where 122.9.187.125 is an example IP address, you can replace it with the IP address of your home router DNS server.


3. The DNS server reports its version as unbound 1.16.2. You can run the following command to check:

dig @122.9.187.125 version.bind chaos txt

where 122.9.187.125 is an example IP address, which you can replace with the IP address of your home router's DNS server.
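The three checks above, scripted as an added example (not Tencent Cloud's or this site's code): each function reads `dig` output and reports whether its indicator is present, and `score` counts the matches. The function names and the sample excerpts are constructed for illustration.

```shell
# Added example: score dig output against the three indicators listed above.
# Each check reads dig output on stdin and exits 0 when its indicator matches.

ttl_is_86400() {          # 1: an ANSWER record whose TTL is 86400
  awk '/^;; ANSWER SECTION:/ {s = 1; next} /^$/ {s = 0}
       s && $2 == 86400 {hit = 1} END {exit !hit}'
}

nxdomain_with_soa() {     # 2: NXDOMAIN status plus an SOA in AUTHORITY
  awk '/status: NXDOMAIN/ {nx = 1}
       /^;; AUTHORITY SECTION:/ {s = 1; next} /^$/ {s = 0}
       s && $4 == "SOA" {soa = 1} END {exit !(nx && soa)}'
}

version_is_unbound_1_16_2() {   # 3: version.bind CHAOS TXT banner
  awk '$1 == "version.bind." && $3 == "CH" && $4 == "TXT" &&
       $0 ~ /"unbound 1\.16\.2"/ {hit = 1} END {exit !hit}'
}

# score <dnspod.cn output> <test.ip.dnspod.net output> <version.bind output>
# prints how many of the three indicators matched (0-3).
score() {
  n=0
  printf '%s\n' "$1" | ttl_is_86400 && n=$((n + 1))
  printf '%s\n' "$2" | nxdomain_with_soa && n=$((n + 1))
  printf '%s\n' "$3" | version_is_unbound_1_16_2 && n=$((n + 1))
  echo "$n"
}

# Live use: check_resolver <IP of the DNS server configured on the router>
check_resolver() {
  score "$(dig "@$1" dnspod.cn)" "$(dig "@$1" test.ip.dnspod.net)" \
        "$(dig "@$1" version.bind chaos txt)"
}

# Constructed dig excerpts (not captured output), so the checks run offline.
SAMPLE_TTL=';; ANSWER SECTION:
dnspod.cn.  86400  IN  A  192.0.2.10'
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002

;; AUTHORITY SECTION:
net.  86400  IN  SOA  ns.invalid. admin.invalid. 1 3600 600 86400 86400'
SAMPLE_VER=';; ANSWER SECTION:
version.bind.  0  CH  TXT  "unbound 1.16.2"'
SAMPLE_CLEAN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003

;; ANSWER SECTION:
dnspod.cn.  600  IN  A  192.0.2.20'
score "$SAMPLE_TTL" "$SAMPLE_NX" "$SAMPLE_VER"   # prints 3
```

The TTL test is an exact match on 86400, as the self-check states it; a resolver that answers from its cache reports the remaining TTL, so a repeated query can show a lower value.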


If you confirm that you have encountered any of the above, Tencent Cloud recommends that home router users upgrade the router firmware and change the DNS server to the operator's recursive DNS or a well-known public DNS such as 119.29.29.29 to ensure normal resolution.
