[lug] Suspicious: "host"/"DNS" Showing Odd Results (Fedora)

stimits at comcast.net
Mon Sep 3 15:10:03 MDT 2018


Hi,
 
I realize the "host" command can show more than one source, but it seems I have a case which is suspicious. While looking for problems of why something was crashing on firefox I added many packages to enable running in gdb and taking a backtrace. It seems SSL had locked up and crashed (fully updated).
 
So I've noticed that sometimes when I ping comcast.net I see what I believe is not legitimate:
64 bytes from civrightsvoices.com (69.252.80.75): icmp_seq=1 ttl=56 time=13.8 ms 
At other times I see this, which is probably correct:
64 bytes from urlrw01.cable.comcast.com (69.252.80.75): icmp_seq=1 ttl=56 time=19.4 ms 
What got more interesting is the "host" command (I do believe 69.252.80.75 is actually comcast):
> host 69.252.80.75
75.80.252.69.in-addr.arpa domain name pointer civrightsvoices.com.
75.80.252.69.in-addr.arpa domain name pointer urlrw01.cable.comcast.com.
When it is purely the one I believe is valid there is no lockup or crash. Sometimes when both show up it seems to be ok, but all firefox lockups only occur under those conditions.
 
In the past I checked out what happens when resolv.conf has one of the open DNS servers instead of comcast's, and found performance was terrible. The open DNS server entry was long since deleted and reboot has generated a purely comcast resolv.conf (the entire system and DHCP has been restarted multiple times since then, and so has the cable modem). There is no reason (that I know of) why any other DNS server would be used other than comcast's. Is there something equivalent to a verbose trace of the "host" command to see more details? Would I need to snoop the traffic?
 
FYI, the ping and host commands do this with root and other accounts without ever using a web browser (the issue is not confined to web browsers nor user accounts). Just in case, for firefox, I did delete all cache and cookies. I actually did a recursive find of regular files for the entire file system and put them through grep doing a case insensitive search for "civrightsvoices" and nothing showed up from the entire file system. I'm thinking this is something provided from the network source and is not part of my computer (perhaps comcast's DNS was hacked?). I've concluded that it is unlikely anything on my system has been compromised (and I do keep close watch and firewalling).
 
Is there something odd when ping and host show two sources for 69.252.80.75? I could see two comcast names or pointers, but so far as I know "civrightsvoices.com" is unrelated to comcast and there should not be two domain pointers from different domains replying to comcast's DNS requests. How would I trace the cause of seeing "civrightsvoices.com" in some DNS queries and ping? Would I need to snoop traffic?
 
Thanks!
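
An added example, not part of the original post: a POSIX shell script that takes `host` output like the two PTR lines quoted above and checks whether each reverse name also resolves forward to the same address (forward-confirmed reverse DNS). The function names and the `lookup_a` helper are hypothetical, `dig` is assumed to be installed, and the sample input is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example (not from the original post): forward-confirm each PTR name.
# A PTR record is published by whoever runs the reverse zone for the address;
# a name is "confirmed" only if its own A records point back at that address.

# Constructed sample: the two PTR answers quoted in the post, one per line.
sample_host_output() {
    cat <<'EOF'
75.80.252.69.in-addr.arpa domain name pointer civrightsvoices.com.
75.80.252.69.in-addr.arpa domain name pointer urlrw01.cable.comcast.com.
EOF
}

# ptr_names: read `host <ip>` output on stdin, print each PTR target
# without the trailing dot. Non-PTR lines (errors, aliases) are ignored.
ptr_names() {
    awk '$2 == "domain" && $3 == "name" && $4 == "pointer" {
             sub(/\.$/, "", $5); print tolower($5)
         }'
}

# lookup_a NAME: print the name's IPv4 addresses, one per line.
# Hypothetical helper; redefine it to query a specific resolver, e.g.
#   lookup_a() { dig +short A "$1" @192.0.2.53; }   # placeholder address
lookup_a() {
    dig +short A "$1"
}

# fcrdns_report IP: read `host IP` output on stdin and print
# "<name> confirmed" or "<name> unconfirmed" for every PTR name.
fcrdns_report() {
    ip=$1
    ptr_names | while read -r name; do
        # </dev/null keeps the lookup from consuming the list of names.
        if lookup_a "$name" </dev/null | grep -qxF "$ip"; then
            echo "$name confirmed"
        else
            echo "$name unconfirmed"
        fi
    done
}

# Live usage: host 69.252.80.75 | fcrdns_report 69.252.80.75
```

Running the report with `lookup_a` pointed at different resolvers shows whether the forward answers differ depending on which server is asked.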