Large-Scale DNS Tampering of Home Routers in China: Tencent Cloud's Warning and Solution

TapTechNews, August 9th: Tencent Cloud DNSPod officials posted today that the DNS resolver settings of a large number of home routers in China have been tampered with, breaking normal access to websites and apps.

The problem first appeared in May 2024 and peaked on August 5th. As of August 7th, testing confirmed that the domain name whose resolution triggered the large-scale failure once again resolves correctly on the abnormal DNS servers, but because of record TTLs and the local caches on client devices, recovery on the client side lags behind.

Normally, when a user opens a website or app, the device sends a query to its configured DNS server to resolve the domain name to an IP address. The DNS server returns the correct address, and the device connects to the target server and loads the site.


In a DNS hijacking attack, a malicious DNS server instead returns a wrong IP address, so the user is sent to the wrong site or cannot reach the intended one at all.

Tencent Cloud published an official self-check procedure, which TapTechNews summarizes as follows:

First, check whether your router's primary DNS server has been changed to one of the IPs below (the list is not exhaustive). If the primary DNS is one of these addresses and the secondary DNS has been set to 1.1.1.1, you can be fairly certain that your home router's DNS settings have been hijacked and tampered with.

122.9.187.125

8.140.21.95 

101.37.71.80

47.102.126.197

118.31.55.110

47.109.22.11

47.113.115.236

47.109.47.151

47.108.228.50

39.106.3.116

47.103.220.247

139.196.219.223

121.43.166.60

106.15.3.137

If the DNS server IP configured on your router is not in the list above, you can still confirm hijacking through the following typical characteristics. In each command, 122.9.187.125 is a sample address; replace it with the DNS server IP configured on your router. Run the commands from a terminal with public internet access, such as a Mac or a Linux cloud server.

1. The TTL of resolution records has been changed to 86400 seconds, so every answer is cached for a full day. Check with: dig @122.9.187.125 dnspod.cn. Comparing the TTL in the ANSWER section with the one returned by a trusted resolver such as 119.29.29.29 makes the difference obvious.

2. Intermittently, a large number of domain names fail to resolve: the server returns NXDOMAIN together with a bogus SOA record in the authority section instead of the A or CNAME record the name actually has. Check with: dig @122.9.187.125 test.ip.dnspod.net.

3. The server reports its software version as unbound 1.16.2. Check with a CHAOS-class version query: dig @122.9.187.125 version.bind chaos txt.
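The four checks above can be scripted so the same logic is applied to every router you inspect. The following is an added example written for this page, not Tencent Cloud's or DNSPod's own tooling: it keeps the published IP list, parses the text that dig prints for the three probes, and reports which indicators fire. The dig transcripts embedded in it are constructed to look like dig's default output and are not captures from a real resolver; the version match assumes unbound prints its version as "unbound 1.16.2" (the advisory shows it without the space), and the live mode at the bottom assumes dig is installed on the host.

```python
"""Classify a router's DNS server using the DNSPod advisory's indicators.
Added example (not DNSPod's tooling). Checks: published IP list; TTL pinned
to 86400; NXDOMAIN plus SOA instead of an A/CNAME answer; CHAOS version.bind
answering "unbound 1.16.2". Sample transcripts below are constructed."""
import re

# Primary-DNS values listed in the advisory.
KNOWN_ROGUE_DNS = frozenset({
    "122.9.187.125", "8.140.21.95", "101.37.71.80", "47.102.126.197",
    "118.31.55.110", "47.109.22.11", "47.113.115.236", "47.109.47.151",
    "47.108.228.50", "39.106.3.116", "47.103.220.247", "139.196.219.223",
    "121.43.166.60", "106.15.3.137",
})
PINNED_TTL = 86400  # one day, the TTL the rogue resolvers hand out
VERSION_RE = re.compile(r"unbound\s*1\.16\.2")  # spacing assumed, see lead-in
# The three probes from the advisory: name -> (class, type) for dig.
QUERIES = {"dnspod.cn": ("IN", "A"), "test.ip.dnspod.net": ("IN", "A"),
           "version.bind": ("CH", "TXT")}

def config_indicator(primary, secondary):
    """Rule 1: primary is on the published list and secondary was set to 1.1.1.1."""
    return primary in KNOWN_ROGUE_DNS and secondary == "1.1.1.1"

def parse_dig(text):
    """Parse dig's default output into the header status and the
    (name, ttl, class, type, rdata) records of the ANSWER/AUTHORITY sections."""
    result = {"status": None, "answer": [], "authority": []}
    m = re.search(r"status:\s*([A-Z]+)", text)
    if m:
        result["status"] = m.group(1)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif not line or line.startswith(";"):
            section = None  # blank line or another ;; comment ends the section
        elif section:
            parts = line.split(None, 4)  # rdata may contain spaces (SOA, TXT)
            if len(parts) == 5 and parts[1].isdigit():
                name, ttl, rclass, rtype, rdata = parts
                result[section].append((name, int(ttl), rclass, rtype, rdata))
    return result

def ttl_indicator(dig_text):
    """Rule 2: every A/CNAME answer carries a TTL pinned to 86400 seconds."""
    answers = [r for r in parse_dig(dig_text)["answer"] if r[3] in ("A", "CNAME")]
    return bool(answers) and all(r[1] == PINNED_TTL for r in answers)

def nxdomain_soa_indicator(dig_text):
    """Rule 3: NXDOMAIN plus an SOA in AUTHORITY for a name that should resolve."""
    d = parse_dig(dig_text)
    has_soa = any(r[3] == "SOA" for r in d["authority"])
    has_answer = any(r[3] in ("A", "CNAME") for r in d["answer"])
    return d["status"] == "NXDOMAIN" and has_soa and not has_answer

def version_indicator(dig_text):
    """Rule 4: CHAOS version.bind TXT answer identifies unbound 1.16.2."""
    return any(r[3] == "TXT" and bool(VERSION_RE.search(r[4]))
               for r in parse_dig(dig_text)["answer"])

def assess(primary, secondary, dig_outputs):
    """Return the names of the indicators that fire; an empty list means clean."""
    checks = [
        ("config", config_indicator(primary, secondary)),
        ("ttl_86400", ttl_indicator(dig_outputs.get("dnspod.cn", ""))),
        ("nxdomain_soa", nxdomain_soa_indicator(dig_outputs.get("test.ip.dnspod.net", ""))),
        ("version", version_indicator(dig_outputs.get("version.bind", ""))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample transcripts (not real captures) shaped like dig output.
ROGUE_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
dnspod.cn.    86400  IN  A  203.0.113.10
"""
ROGUE_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; AUTHORITY SECTION:
dnspod.net.   86400  IN  SOA  ns.example.invalid. hostmaster.example.invalid. 1 3600 600 86400 86400
"""
ROGUE_VER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; ANSWER SECTION:
version.bind.   0  CH  TXT  "unbound 1.16.2"
"""
HEALTHY_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; ANSWER SECTION:
dnspod.cn.    600  IN  A  203.0.113.10
"""

if __name__ == "__main__":
    # Live use: python check_router_dns.py <router-dns-ip> [secondary-dns-ip]
    import subprocess
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "122.9.187.125"
    secondary = sys.argv[2] if len(sys.argv) > 2 else ""
    outputs = {name: subprocess.run(["dig", "@" + server, name, rclass, rtype],
                                    capture_output=True, text=True).stdout
               for name, (rclass, rtype) in QUERIES.items()}
    print("indicators:", assess(server, secondary, outputs) or "none")
```

Run it from a host with public internet access, passing the primary and secondary DNS addresses copied from the router's admin page; the rogue addresses in the advisory are public IPs, so they can be queried from anywhere. Any indicator firing is enough to treat the router as tampered with. Note that NXDOMAIN with an SOA in the authority section is the normal shape of a negative answer; what makes rule 3 an indicator is that it comes back for a name that a trusted resolver resolves fine.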


If you confirm any of the above, Tencent Cloud recommends that home router users upgrade the router firmware and change the DNS server to their ISP's recursive DNS or a well-known public DNS such as 119.29.29.29 to restore normal resolution.
