Routing Problems: www.google.de -> blog.zeit.de???

Hi there!
I am really confused by now: My internet connection is really behaving
in a funny way. Sometimes when I am trying to connect to a website
another website is opened and displayed in the browser although the
right domain name is shown.
I can give an example: traceroute:


Code:
--------------------
    
  traceroute to www.google.de (66.150.96.119), 30 hops max, 40 byte packets
  1  SE515.home (192.168.1.1)  1.665 ms   1.804 ms   1.953 ms
  2  * * *
  Unable to look up 217.0.70.202: Temporärer Fehler bei der Namensauflösung
  3  217.0.70.202  774.735 ms   954.309 ms   951.729 ms
  4  f-eb5.F.DE.net.DTAG.DE (62.154.17.58)  959.488 ms   956.341 ms   954.622 ms
  Unable to look up 62.156.128.98: Temporärer Fehler bei der Namensauflösung
  5  62.156.128.98  952.688 ms   950.192 ms   947.157 ms
  6  xe-1-1-0.r21.frnkge03.de.bb.gin.ntt.net (129.250.2.12)  945.831 ms xe-3-2.r00.frnkge03.de.bb.gin.ntt.net (129.250.2.224)  1057.346 ms xe (129.250.2.12)  941.213 ms
  7  xe-1-1-0.r20.frnkge03.de.bb.gin.ntt.net (129.250.2.240)  936.730 ms xe-1-0-0.r20.frnkge03.de.bb.gin.ntt.net (129.250.2.148)  935.858 ms weather.yahooapis.com (129.250.2.240)  933.733 ms
  8  p64-3-3-0.r22.londen03.uk.bb.gin.ntt.net (129.250.2.20)  1454.861 ms   1451.347 ms   1447.583 ms
  9  as-0.r20.nycmny01.us.bb.gin.ntt.net (129.250.3.254)  1502.022 ms   1499.417 ms   1497.563 ms
  10  ae-0.r21.nycmny01.us.bb.gin.ntt.net (129.250.2.26)  1496.065 ms   1492.416 ms   1516.930 ms
  11  p64-2-0-0.r20.chcgil09.us.bb.gin.ntt.net (129.250.5.4)  1537.698 ms   1534.473 ms   1538.654 ms
  12  * * *
  13  xe-3-3.r01.chcgil09.us.ce.gin.ntt.net (129.250.208.6)  1620.979 ms   1613.415 ms   1606.714 ms
  14  border5.te8-1-bbnet2.chg.pnap.net (64.94.32.74)  2091.983 ms   2070.137 ms   2070.590 ms
  15  blog.zeit.de (66.150.96.119)  2069.386 ms   2066.851 ms   2064.191 ms
--------------------


My guess is that somehow the routing is wrong, however, I cannot
reproduce this behavior. The domain names that get mixed up are kind of
random. It only stays that way for about 5-10 minutes.

Any tips at where I can start???


-- 
mR10Beal
------------------------------------------------------------------------



0
mR10Beal
10/7/2008 12:26:01 PM
opensuse.org.network-internet

The initial resolution of 'Google' (http://www.google.de) appears to be
wrong. What nameserver(s) are you using? Are they your ISP's
nameservers? It could be somebody attempting a DNS poisoning attack on
BIND.


-- 
ken_yap
------------------------------------------------------------------------
ken_yap's Profile: http://forums.opensuse.org/member.php?userid=221
View this thread: http://forums.opensuse.org/showthread.php?t=396969

0
ken
10/7/2008 2:26:01 PM
Thanks for the quick reply ken_yap!
I was thinking about that too. My /etc/resolv.conf only has my local
router as name server.
I checked the local net with wireshark and didn't notice anything
suspicious, though. 
My router uses 217.237.150.205 (primary) and 217.237.149.142
(secondary) as name servers. If I look them up with dnsstuff.com they
are inside the IP range of my provider, but how can I check if they are
real name servers?


-- 
mR10Beal
------------------------------------------------------------------------
mR10Beal's Profile: http://forums.opensuse.org/member.php?userid=12753

0
mR10Beal
10/7/2008 3:26:01 PM
They probably are real name servers belonging to your ISP, a reverse
lookup shows that they are in t-ipnet.de but they may not have been
patched (surprising lapse of your ISP if true).

Go to 'DoxPara Research' (http://www.doxpara.com/) and on the RHS you
will see a DNS checker. Click on it and wait for the results. If it says
your nameservers are vulnerable, your ISP should be notified
immediately. You, not somebody else, have to do this check because you
are using their servers.


-- 
ken_yap
------------------------------------------------------------------------

0
ken
10/7/2008 3:56:02 PM
Hi! Sadly that's not it... I actually remembered the page after I
checked this...
Is there a way to do that to the router?


Code:
--------------------
    Your ISP's name server, 217.237.150.204, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
  Requests seen for 7a7b7580c14a.doxdns5.com:
  217.237.150.204:54856 TXID=4812
  217.237.150.204:27422 TXID=4607
  217.237.150.204:23980 TXID=27318
  217.237.150.204:19836 TXID=27501
  217.237.150.204:38924 TXID=36478
  ISNOM:ISNOM TXID=ISNOM 
--------------------


-- 
mR10Beal
------------------------------------------------------------------------

0
mR10Beal
10/7/2008 9:46:01 PM
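
What the checker output in the post above measures, as an added example that is not part of the original thread or of the DoxPara tool: it parses the pasted `ip:port TXID=n` lines and reports how widely the resolver's source ports and transaction IDs are spread, since a fixed or narrow spread is what makes forged answers easier to land. The `min_stdev` cut-off and the `FIXED_PORT` sample are assumptions constructed for illustration.

```python
import re
import statistics

# Checker lines as pasted in the post above.
SAMPLE = """\
217.237.150.204:54856 TXID=4812
217.237.150.204:27422 TXID=4607
217.237.150.204:23980 TXID=27318
217.237.150.204:19836 TXID=27501
217.237.150.204:38924 TXID=36478
ISNOM:ISNOM TXID=ISNOM
"""
# Constructed sample: a resolver with a fixed source port and counting TXIDs.
FIXED_PORT = "\n".join(f"192.0.2.53:53 TXID={n}" for n in range(100, 105))

LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+TXID=(\d{1,5})\s*$")


def parse_queries(text):
    """Return (resolver_ip, source_port, txid) per well-formed line; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and int(m.group(2)) <= 0xFFFF and int(m.group(3)) <= 0xFFFF:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def spread(values, min_stdev):
    """Summarise how scattered a list of 16-bit values is."""
    stdev = statistics.stdev(values)
    if len(set(values)) == 1:
        verdict = "fixed"
    elif stdev < min_stdev:
        verdict = "narrow"
    else:
        verdict = "scattered"
    return {"distinct": len(set(values)), "stdev": round(stdev, 1), "verdict": verdict}


def assess(text, min_stdev=1000.0):
    """min_stdev is an assumed, illustrative cut-off, not a value from the checker."""
    rows = parse_queries(text)
    if len(rows) < 2:
        raise ValueError("need at least two observed queries")
    return {
        "resolvers": sorted({ip for ip, _, _ in rows}),
        "ports": spread([p for _, p, _ in rows], min_stdev),
        "txids": spread([t for _, _, t in rows], min_stdev),
    }
```

Five queries is a small sample, so the figures indicate the spread rather than prove it.
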
Your router is just a forwarder so the actual request would come from
your ISP's nameserver anyway.

Sorry, no more ideas on this one. Maybe try setting your computer to
use your ISP's nameservers directly to see what happens?


-- 
ken_yap
------------------------------------------------------------------------

0
ken
10/7/2008 10:26:01 PM