Maintained by: NLnet Labs

[Unbound-users] DNS poisoning - any ideas how this can happen?

Martin Bachmann
Mon Feb 9 18:33:52 CET 2015


Hi all,

We've run into a DNS poisoning issue in our company network since Friday.
The issue is being discussed here:
https://forum.pfsense.org/index.php?topic=87491.0 - we use Unbound on a
pfSense. A few other users have the same problem:

- All of a sudden, all host names resolve to a malware host.
- It stops automatically after some time
- There's no ARP poisoning going on, so it really comes from Unbound on the
pfSense

Example:

While "on":

$ host omx.ch
omx.ch has address 195.22.26.248
omx.ch mail is handled by 10 mx1.csof.net.
omx.ch mail is handled by 10 mx2.csof.net.

Normally:

$ host omx.ch
omx.ch has address 62.48.3.132
omx.ch mail is handled by 10 mxhost1.omx.ch

Other wrongly resolved IPs lead to sso.mlwr.io (which tries to redirect
back to xsso.<correcthost.com>/<someidentifier>)

Any ideas?

- Martin
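The symptom Martin describes (many unrelated names suddenly resolving to one address, MX records rewritten, and the condition clearing by itself) is something an operator can catch by diffing the resolver's current answers against a known-good snapshot and by flagging any single address that a suspicious number of unrelated names collapse onto. The following is an added example, not code from the original post or from Unbound or pfSense: it parses the plain `host` output format shown above, compares a "while on" snapshot against a baseline, and reports addresses shared by several names. The `example.org`, `example.net` and `intranet.example.com` entries and the 198.51.100.x and 10.0.0.5 addresses are constructed sample data; the `min_names` threshold is a hypothetical tuning knob. Only the `omx.ch` lines and the 195.22.26.248 / 62.48.3.132 addresses come from the post.

```python
import re
from collections import defaultdict

# Regexes for the two kinds of `host` output lines seen in the report:
# "NAME has address A.B.C.D" and "NAME mail is handled by PREF MX".
A_RE = re.compile(r"^(?P<name>\S+) has address (?P<addr>\d{1,3}(?:\.\d{1,3}){3})$")
MX_RE = re.compile(r"^(?P<name>\S+) mail is handled by (?P<pref>\d+) (?P<mx>\S+)$")

# Constructed sample snapshots. The omx.ch lines are the ones from the post;
# the other names and the 198.51.100.x / 10.0.0.5 addresses are made up.
POISONED_SNAPSHOT = """\
omx.ch has address 195.22.26.248
omx.ch mail is handled by 10 mx1.csof.net.
omx.ch mail is handled by 10 mx2.csof.net.
example.org has address 195.22.26.248
example.net has address 195.22.26.248
intranet.example.com has address 10.0.0.5
"""

BASELINE_SNAPSHOT = """\
omx.ch has address 62.48.3.132
omx.ch mail is handled by 10 mxhost1.omx.ch
example.org has address 198.51.100.10
example.net has address 198.51.100.20
intranet.example.com has address 10.0.0.5
"""


def parse_host_output(text):
    """Parse `host` output into {name: {"a": [addr, ...], "mx": [(pref, host), ...]}}.

    Lines that are neither A nor MX answers (e.g. "not found" messages) are ignored.
    Trailing dots on MX targets are stripped so both snapshot styles compare equal.
    """
    records = defaultdict(lambda: {"a": [], "mx": []})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = A_RE.match(line)
        if m:
            records[m["name"]]["a"].append(m["addr"])
            continue
        m = MX_RE.match(line)
        if m:
            records[m["name"]]["mx"].append((int(m["pref"]), m["mx"].rstrip(".")))
    return dict(records)


def find_shared_answers(records, min_names=3):
    """Return {addr: [names...]} for addresses that at least `min_names` distinct
    names resolve to. Legitimate CDNs do share addresses, so treat hits as leads,
    not proof; `min_names` is a hypothetical threshold to tune per network."""
    by_addr = defaultdict(set)
    for name, rr in records.items():
        for addr in rr["a"]:
            by_addr[addr].add(name)
    return {addr: sorted(names) for addr, names in by_addr.items()
            if len(names) >= min_names}


def diff_against_baseline(current, baseline):
    """Return {name: {"a": (old, new), "mx": (old, new)}} listing only the
    record types whose answer set changed relative to the baseline."""
    changed = {}
    for name, base in baseline.items():
        cur = current.get(name)
        if cur is None:
            continue
        delta = {}
        if set(cur["a"]) != set(base["a"]):
            delta["a"] = (sorted(base["a"]), sorted(cur["a"]))
        if set(cur["mx"]) != set(base["mx"]):
            delta["mx"] = (sorted(base["mx"]), sorted(cur["mx"]))
        if delta:
            changed[name] = delta
    return changed


if __name__ == "__main__":
    now = parse_host_output(POISONED_SNAPSHOT)
    good = parse_host_output(BASELINE_SNAPSHOT)
    for addr, names in find_shared_answers(now).items():
        print(f"{addr} is answered for {len(names)} names: {', '.join(names)}")
    for name, delta in diff_against_baseline(now, good).items():
        for rtype, (old, new) in delta.items():
            print(f"{name} {rtype.upper()} changed: {old} -> {new}")
```

In practice the snapshots would be produced by running `host` (or `dig +short`) against the pfSense resolver for a fixed watch list of names on a timer; a baseline that was captured while resolution was known to be correct, combined with a direct query to the zone's authoritative servers for any name that differs, tells you whether the bad answer lives in Unbound's cache or upstream.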