I was notified by a person in New Jersey (I'm in Washington state and my web site is hosted in Virginia) that when he clicked on my link in the search engine results sometimes he would be sent to my site, but other times he would be sent to an adult site. Sometimes the adult site would come up first and other times it would take several clicks on the same link, but the adult site would come up eventually.
I tested and the same thing happened for me too. The problem occurs with either first or second ranking links to my site or with other links way down in the basement. I tried different search engines and different browsers and got the same result. I've tried the same thing with links to other sites in the results, but mine is the only one that goes to the adult site.
I notified my web site host, who is extremely fast and helpful with support, but he couldn't duplicate the situation and says everything is ok with the servers.
My page views, which are generally around 4000 to 5000 per day, are down by 1000 to 1500 per day, so I know something is haywire.
I thought about browser hijack, so I took an old hard drive, fdisked, formatted and made a fresh install of Windows, fresh download and install of Firefox, ZoneAlarm and AVG anti-virus. I got the same result with the adult site.
I checked in Google's directory and clicked on my link and I got the same problem, sometimes my site and sometimes the adult site, but when I went to DMOZ directory and clicked on my link only my site came up with a dozen clicks. I have a page of links to my pages on my computer and none of those links come up with the adult site. I've gone to other web sites that have a link to my site and the adult site doesn't come up when those links are clicked. It only seems to be happening with search engine results links.
When the cursor is held over the link in the results my URL shows in the status bar, even when the adult site comes up.
I've read of hijacking web pages in the forum, but nothing quite like this; they aren't duplicating my page content. The resulting adult page is pretty brazen and definitely doesn't appear as being associated with my site.
I have information about the adult page, it links to several other adult sites and is apparently put up by an affiliate of the sites. I had planned to notify his ISP, but the information I've gathered indicates that the ISP may be involved or is the culprit.
Reading an older post gave me the idea to check domain names and I discovered that someone has recently gotten a domain with the same name as mine, but with net instead of com. Preliminary checking doesn't show that he's involved with the other problem, but I haven't done any deep checking yet.
I've tried inurl: and inanchor: and they don't show anything unusual. My position in the search engines is the same, although the problem has only been going on for a short period of time.
Besides giving my web site a bad name by association the thieves are stealing a lot of visitors from my site, or at least preventing them from visiting, and playing heck with my retirement income.
I've notified Google and Yahoo, but haven't heard back from either of them.
Any help would really be appreciated.
[edited by: tedster at 3:30 am (utc) on April 10, 2006]
[edit reason] fix formatting [/edit]
I checked my host and they FAIL the open DNS test. Could having an open DNS problem also cause this strange intermittent behavior or am I still way off on figuring out this problem?
*btw, this problem has existed through multiple fresh installs of Windows and I use Firefox with Java disabled.
The DNS caching appears to be the method the hijacker is using. The first time I had the problem it stopped by itself, which would indicate that it probably dropped out of the cache. I would imagine that the hijacker knows how things work and makes the rounds periodically to renew their malicious mischief on vulnerable DNS servers.
I've experienced periodic slowdowns for years that I haven't been able to figure out and I've never had the revelation, "Aha, check the links in the search engines to see if they're being hijacked".
After I read the forum I went looking further on the Internet for more information and it abounds when you know what to look for. It appears that the problem has been around for a long time, but most of the information is in more technical terms and not the terms an average webmaster of an average site would use for research on his problems of that nature. This forum may remedy that, or it might be good for a DNS knowledgeable person to collaborate with an average person to kind of average down (I don't like the word dumb) the information in a paper to publish.
My web site host is a definite plus. He's the fourth in eight years and I've been with him for over a year with no complaints. I've only had a couple of minor problems, which he took care of immediately after answering my email within minutes or hours, rather than days, which seems to be the norm nowadays. I started with this host at the recommendation of Fred Langa in his LangaListPlus.
It seems that many hosts and ISPs have open DNS servers as shown by dnsreport.com, some that have been around for as long as I can remember, but it seems that it's only been relatively recently that it's been realized what a problem that it can cause. From what I tested it was more like 90% open rather than 75%. I feel assured that my host will take care of the problem as soon as he's made aware of it.
I really thank everyone who helped with information about my problem, especially pageoneresults and tedster who really got the information rolling.
Tom56
> I really thank everyone who helped with information about my problem, especially pageoneresults and tedster who really got the information rolling.
Actually, I think we should be thanking you Tom56. If it weren't for your discovery, we wouldn't have been able to brainstorm at the public level and pinpoint the problem. Cache Poisoning is not a topic that I've seen discussed at great length yet at WebmasterWorld. It will be now! ;)
All of us here are hoping that many webmasters and server administrators are following these topics with grave concern. After I discovered search engine marketing from the server side, I found out that DNS could be the cause of over 50% of the problems being discussed here at WebmasterWorld. In fact, I'd even go on record to say that more than 60% of problems are related to DNS. The more information I assimilate, the more I can tie various topics in with technical issues as opposed to on-site issues.
[edited by: pageoneresults at 4:40 pm (utc) on April 10, 2006]
Move hosts is the simplest way in the long run to beat this. Your host has been compromised.
Well, only your host's DNS servers have been compromised. An easy quick-fix is to switch to a third-party DNS service. There are some good ones that are pretty inexpensive, and definitely won't have this problem. That would solve the "class C" problem, as well. (Third-party DNS services are generally pretty good about proper geographic location of their servers - your servers will be in different cities, not all sitting in the same rack...)
In the long run, though, the above comment may be right. If your host doesn't take this seriously and fix it, I'd be moving on. No telling where else they've been successfully attacked. Switching to third-party DNS servers could give you some breathing room, though, to find and transition to a new host.
I'm guessing that your host is an old-school local ISP. Bet they provide Internet access for customers in a local area (dial-up, DSL, etc.) and ALSO host websites.
I suspect they are using the same DNS servers to provide recursive DNS service to their Internet access customers and also to provide DNS to their hosting customers.
This is a definite no-no, but was common in the past.
Nowadays, these functions have to be done on separate servers. A recursive DNS server (that is, one that answers queries for any domain, contacting whatever other DNS servers are needed to resolve the query, then caching the result) should ONLY perform that function. A recursive server should NEVER be used as an authoritative or backup server for a domain!
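The "open DNS" test on DNS Report that the thread keeps coming back to boils down to one question: does the nameserver recurse for strangers? The following script is an added example (it is not DNS Report's code or anything from the thread) that asks a nameserver, with the Recursion Desired bit set, for a name it is not authoritative for and reads the Recursion Available bit and answer count from the reply. The probe name `example.com`, the 5-second timeout and the hostname you pass on the command line are assumptions; `synthetic_reply` exists only so the parsing logic can be exercised offline on constructed packets.

```python
"""Open-resolver probe for the nameserver you are responsible for.

Added example for this thread, not DNS Report's or the forum's own code.
It builds a raw DNS A query (RD=1) for a domain the tested server should
not be authoritative for and classifies the reply:
  - REFUSED, or no RA bit and no answers  -> "closed" (what you want)
  - RA bit set and answers returned       -> "open" (anyone can use it as
                                             a recursive resolver)
Assumptions: probe name example.com, UDP port 53, 5 s timeout.
"""
import socket
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (all 16-bit, big-endian)
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000  # reply
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels, e.g. 7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, one question (QTYPE=A, QCLASS=IN), RD set."""
    header = HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    return header + question


def parse_header(reply: bytes) -> dict:
    """Extract the header fields the open-resolver decision depends on."""
    txid, flags, _qd, ancount, _ns, _ar = HEADER.unpack_from(reply, 0)
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def classify(reply: bytes, txid: int) -> str:
    """Return "open", "closed" or "unexpected" for a reply to our probe."""
    if len(reply) < HEADER.size:
        return "unexpected"
    h = parse_header(reply)
    if not h["is_response"] or h["id"] != txid:
        return "unexpected"
    if h["rcode"] == RCODE_REFUSED:
        return "closed"          # correct behaviour for an authoritative-only server
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"            # it recursed on our behalf
    return "closed"


def synthetic_reply(txid: int, flags: int, ancount: int = 0, name: str = "example.com") -> bytes:
    """Constructed reply (header + echoed question only) for offline testing."""
    return HEADER.pack(txid, flags, 1, ancount, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def probe(server_ip: str, name: str = "example.com", timeout: float = 5.0) -> str:
    """Send the probe over UDP/53 and classify the answer."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        reply, _ = sock.recvfrom(512)
    return classify(reply, txid)


if __name__ == "__main__":
    import sys
    # Usage: python open_resolver_probe.py <ip of your nameserver>
    print(probe(sys.argv[1]))
```

Run it against each authoritative server listed for your zone; a server that comes back "open" is the one the thread's advice applies to, and the fix is a separate recursive resolver for access customers with recursion disabled (or restricted to your own address space) on the authoritative boxes.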
I wanted to break this topic out into two different sections. Since we determined that Tom56's problem is most likely a case of Cache Poisoning, I thought a topic specific to that would be in order.
"Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004)."
I have some idea what all that means ... but don't really understand all of it. Is it safe to just go ahead and use the link provided to add an SPF record? Will this cause any troubles for my host?
In fact, spammers have been using my addresses for quite some time, but I didn't know there was anything one could do about it!
> Is it safe to just go ahead and use the link provided to add an SPF record? Will this cause any troubles for my host?
Hi Liane, I would have your host take care of it. Just send them the link to your DNS Report and let them know there are warnings that need to be addressed, particularly the SPF Record.
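Whoever ends up publishing the SPF record, it helps to understand what a receiving mail server does with it. The script below is an added example, not code from DNS Report, any SPF wizard, or anyone in this thread: it parses a `v=spf1` TXT record, flags the mistakes that make a record useless (no terminal `all`, `+all`, too many lookup terms), and evaluates a sender IP against the `ip4:`/`ip6:` mechanisms. Mechanisms that would need live DNS (`include:`, `a`, `mx`, ...) are reported as `needs_lookup` rather than resolved so it runs offline. The records and IP addresses below are constructed from documentation ranges.

```python
"""Minimal SPF (RFC 7208) record linter and IP checker.

Added example for this thread; not DNS Report's or a hosting company's code.
Only ip4:/ip6:/all are evaluated locally; lookup mechanisms are reported as
needs_lookup. Sample records and addresses are constructed.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
KNOWN_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms


def parse_spf(record: str) -> list:
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are out of scope here
            continue
        qualifier = "+"                 # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.split("/")[0].lower()   # strip e.g. "mx/24" -> "mx"
        if mechanism not in KNOWN_MECHANISMS:
            raise ValueError(f"unknown mechanism: {mechanism!r}")
        parsed.append((qualifier, mechanism, argument))
    return parsed


def lint_spf(record: str) -> list:
    """Warnings worth fixing before the record goes into the zone."""
    terms = parse_spf(record)
    warnings = []
    if not terms or terms[-1][1] != "all":
        warnings.append("no terminal 'all' term: unlisted senders get 'neutral'")
    if any(q == "+" and m == "all" for q, m, _ in terms):
        warnings.append("'+all' lets anyone send as your domain; use -all or ~all")
    lookups = sum(1 for _, m, _ in terms if m in LOOKUP_MECHANISMS)
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return warnings


def check_sender(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip left to right; first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        else:
            return "needs_lookup"       # would require a DNS query to resolve
    return "neutral"                    # RFC 7208 default when nothing matched


# Constructed sample: the web host's mail server and one extra relay may send,
# everything else is rejected outright.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"

if __name__ == "__main__":
    print(lint_spf(SAMPLE_RECORD))
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_sender(SAMPLE_RECORD, ip))
```

The two things to take from it for Liane's question: a record that ends in `-all` only makes other people's mail servers reject forged mail, so it cannot break anything on the host as long as every legitimate sending address is listed; and whatever the host publishes should run through a check like `lint_spf` first, because a record without `all`, or with `+all`, is no better than none.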
> I tried a ping and tracert from a remote web site and it ended up at a different domain, but my web site host says that's his data center that owns the IP ranges
I found this from Tom56 quite suspicious, actually, though I definitely lack precise knowledge. My websites always had permanent IP addresses that never changed; maybe this is different with shared webspace. I'd love to know how Tom's hoster finally reacted.
Great resource this thread, yes.
This is relatively easy to fix, but I'd like to know how important this really is.
That one gets flagged as a Warning and the report describes to you what may happen if you do not have those two specific email addresses. They are required and they do reference the RFC for backup.
abuse@example.com is absolutely mandatory if you are moving into a Trusted Email environment. In fact, you'll want to address most, if not all of the Warnings on the DNS Report, particularly when it comes to your MX Records.
> I tried a ping and tracert from a remote web site and it ended up at a different domain, but my web site host says that's his data center that owns the IP ranges
Two possibilities here:
1. You are on a shared, virtual-domain server. The domain name that you get on a ping should be in the hosting company's domain. (Some hosts misconfigure this, and you get the first shared server configured on the server. NOT good!) This really is only suitable for personal or hobby sites. I'd get a dedicated IP address (you can still use a shared server, virtual-IP).
2. Your hosting provider failed to set up "reverse DNS" for your site. Ask them to set this up, so that ping/traceroute return your domain name, rather than theirs.
FWIW, I don't advocate "have your ISP do this for you" as others do.
You are MUCH better off learning how to configure DNS, going to a third-party DNS provider, and taking full control of YOUR domains.
As you can see from this thread and others, DNS seems a mystery to many/most webmasters. It shouldn't be a mystery. It doesn't take a lot of effort to learn. It's a dark hole that too many ignore. Take control of it and you will have a leg up.
Later in the year I found a URL on one of my pages that I hadn't put there. Shortly before that, I had gotten an email from an automated link exchange service I was using (and which has access to your FTP), asking if my site had any "excellent rankings" on the SERPs. Apparently they had figured out my IP, because I didn't see the link on my own computer, but on a friend's.
Anyway, I have sent the URL of this thread to my current webhost, thanks a lot for the expertise.
> I'm guessing that your host is an old-school local ISP.
Mine is not. It is a major, respected hosting company and I will guess that many here at WW host with them. I won't name them as that is probably not allowed here.
While we can fix this for each domain, should we also notify the hosting company? I am guessing the answer is yes, but please confirm.
> An easy quick-fix is to switch to a third-party DNS service. There are some good ones that are pretty inexpensive, and definitely won't have this problem. That would solve the "class C" problem, as well.
This stuff is beyond me but... will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)? I think the answer is no, the IP is the same, you would just be using a third party DNS service. Was wondering if a third party DNS service could be used to get different class "C"'s. I don't interlink my sites but reading Google's patents these days freaks me out at times.
Great thread, thanks to all!
> While we can fix this for each domain, should we also notify the hosting company? I am guessing the answer is yes, but please confirm.
Confirmed. ;)
> Will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)?
No. <edited>
> Was wondering if a third party DNS service could be used to get different class "C"'s.
No. <edited>
> I don't interlink my sites but reading Google's patents these days freaks me out at times.
It's always good to be alert to issues such as this. If you've not had any problems up til now and your host passes all the DNS tests, then you should be fine. But again, it never hurts to cover all of your bases.
[edited by: pageoneresults at 12:25 am (utc) on April 11, 2006]
Great stuff, great stuff. So, mental note to all the webhost tech support staff out there, try changing your workstation's DNS when trying to troubleshoot a customer's problem :)
Cheers
> Will using a third party DNS service give us an IP that is not with our hosting company (and therefore in a different class C block)?
Yes.
> Was wondering if a third party DNS service could be used to get different class "C"'s.
Yes.
Far be it from me to disagree with 'the man', but I believe this is incorrect. Isn't your site's IP address provided by the host, since that IP must be attached to a network card on the server itself?
While a third party provider will give you a DNS record that isn't associated with your host, ultimately, that DNS record will point to the IP provided by the host.
I would love an explanation if I am incorrect.
> I would love an explanation if I am incorrect.
Me too! I may be incorrect and please do let me know. I'm researching and assimilating this stuff as quickly as I can and the last thing I want here is any information that is incorrect.
Thanks for calling me out! :)
Go ahead, knock that battery off my shoulder. ;)
P.S. After reading this again, you are correct. The IP address will come from your web hosting provider, not your DNS provider, unless of course they are one and the same. I've edited the above reply to reflect that, my apologies.
I have several dedicated servers. On one in particular, I utilize an alternative DNS method (DNS zone file settings in eNom). For all domains located on that server, I use an "A Record" entry (pointing to the IP address allocated to that server) for "@", "WWW", and "Other" entries in my Host records setup (also has URL Redirect and URL Frame enabled), rather than pointing at regular DNS servers per normal. This facilitates ultra fast switching to backup servers in case of any server issues.
I too have been having problems that seem like those mentioned in this thread. But dnsreport.com checks on the domains don't show any major problems (just a couple of warnings concerning mx records, as I don't have any for one domain, and a minimum SOA value warning).
Although I have never really had any problems (other than the obligatory problems with Google & Yahoo that most other webmasters are having), I would like to get opinions from others about this scenario, as I have been seeing drops in traffic, exactly as described in this thread.
That discussion started with a DNS Report warning. The warning is that your DNS servers are not on separate Class C networks. That warning has absolutely nothing to do with your web site's IP address. They are talking about the IP addresses of your DNS servers.
So, what's this all about?
There's nothing inherently wrong with your DNS servers all being on the same Class C network. DNS Report uses this as an indicator, though, that your DNS servers may not be geographically dispersed. If your DNS servers are all on the same Class C Network (i.e. first 3 octets are the same), there's a high likelihood that they are physically in the same place. Your DNS servers aren't supposed to be all physically in the same place.
But some hosting providers give you a primary and secondary DNS server that may be located in the same city, same room, or even the same rack.
That's not desirable. It's best when each of your DNS servers is in a different part of the country - or even world. For example, I have 5 DNS servers. 3 are in different parts of the U.S., one is in Europe, and one is in Asia.
(Actually, I have more than 5 DNS servers, but they are transparent - hidden behind 5 IP addresses. My DNS provider uses IP Anycast Routing. They actually have servers in 11 cities. Using IP Anycast, packets are routed to the NEAREST server.)
By using a third-party DNS provider, you address the "class C" warning, because most if not all third-party DNS providers host each of your DNS servers in a different city. This is what your hosting provider SHOULD do, but many do not.
In "the old days", this was typically handled by informal reciprocal agreements. You'd find another site willing to host your backup DNS, and you would host their backup DNS.
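Several of the DNS Report warnings mentioned across this thread (nameservers on one Class C, no SPF record, missing postmaster@/abuse@ mailboxes, a low SOA minimum, no MX records) can be checked against your own zone data before you hand the report to a host. The script below is an added example and is not DNS Report's code: it runs those checks over a zone described as a plain dictionary, so it works offline. The "Class C" test is exactly the first-three-octets comparison described above, done with `ipaddress` and a /24 mask. The sample zones use documentation addresses, and the SOA minimum floor of 300 seconds is an assumed value, not DNS Report's threshold.

```python
"""Offline re-creation of a few DNS Report-style zone checks.

Added example for this thread, not DNS Report's code. Fill the zone dict
from your own zone file; the two zones at the bottom are constructed.
"""
import ipaddress

ASSUMED_SOA_MINIMUM_FLOOR = 300      # seconds; assumed, not DNS Report's figure
RFC2142_MAILBOXES = ("postmaster", "abuse")


def same_class_c(ips) -> bool:
    """True when every address shares the first three octets (one /24)."""
    networks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return len(networks) <= 1


def run_checks(zone: dict) -> list:
    """Return a list of warning strings; an empty list means all checks passed."""
    warnings = []

    ns_ips = list(zone.get("ns", {}).values())
    if len(ns_ips) < 2:
        warnings.append("fewer than two nameservers")
    elif same_class_c(ns_ips):
        warnings.append("all nameservers in one class C (/24); "
                        "they are probably in the same place")

    if not zone.get("mx"):
        warnings.append("no MX records: mail for this domain has nowhere to go")

    if not any(txt.lower().startswith("v=spf1") for txt in zone.get("txt", [])):
        warnings.append("no SPF record: forged mail from this domain cannot be rejected")

    for box in RFC2142_MAILBOXES:
        if box not in zone.get("mailboxes", []):
            warnings.append(f"missing RFC 2142 mailbox {box}@")

    if zone["soa"]["minimum"] < ASSUMED_SOA_MINIMUM_FLOOR:
        warnings.append(f"SOA minimum {zone['soa']['minimum']}s is below "
                        f"the assumed floor of {ASSUMED_SOA_MINIMUM_FLOOR}s")
    return warnings


# Constructed zone that trips every check: both nameservers in 192.0.2.0/24,
# no mail setup, no SPF, only a webmaster@ mailbox, a 60 s SOA minimum.
SAMPLE_ZONE = {
    "ns": {"ns1.example.com": "192.0.2.10", "ns2.example.com": "192.0.2.11"},
    "mx": [],
    "txt": [],
    "mailboxes": ["webmaster"],
    "soa": {"minimum": 60},
}

# Constructed zone as it should look: three nameservers in three /24s,
# mail exchanger present, SPF published, required mailboxes in place.
FIXED_ZONE = {
    "ns": {"ns1.example.com": "192.0.2.10",
           "ns2.example.com": "198.51.100.10",
           "ns3.example.com": "203.0.113.10"},
    "mx": ["mail.example.com"],
    "txt": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "mailboxes": ["postmaster", "abuse", "webmaster"],
    "soa": {"minimum": 3600},
}

if __name__ == "__main__":
    for name, zone in (("sample", SAMPLE_ZONE), ("fixed", FIXED_ZONE)):
        print(name, run_checks(zone) or "no warnings")
```

Note what the Class C check does and does not say: three nameservers in three different /24s may still sit in one rack, since the test only infers dispersion from addressing, which is why the poster above recommends a provider that states where each server actually lives.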
I've gotten so involved with this that I'm in over my head now! But, I'm going to see it through and learn everything I can so I can speak with some level of authority when these topics come up again. What I might suggest is that you have your server administrator go through their DNS setup with a fine tooth comb and make sure that everything is the way it should be. And this is where it gets tricky. If the person has only a basic understanding of DNS, enough to run a server and host websites and resolve them correctly, that is usually enough to get by. But, there are some other more advanced issues that need to be addressed to cover your arse just in case. ;)
The feedback I've received and assimilated tells me that your server should not allow this to happen, I'm referring to the symptoms you described in your opening post and subsequent ones. This shouldn't happen to Authoritative DNS Servers. It could happen to a DNS Resolver. That opens up another can of worms. If your host is using Windows and is forwarding requests to a BIND 4 or BIND 8 DNS Recursive Resolver in the upstream, then there are potential issues. That's all I can comment about on that one. More for me to research!
Bottom line, you may not be out of this situation just yet. Your server administrator should double check everything on the DNS side to make sure that there are no stones unturned. If the host has determined that they've done everything correctly, which is probably true, you can only wait it out and see if it happens again. If it does, there are organizations online that may be able to assist your host in determining where the problem is.
Good luck and my sincere apologies if I created any unwarranted fear within the WebmasterWorld community. That was not my intention. But, I would still like to instill fear in you if your servers fail the DNS Report for Open DNS Servers, that one needs to be fixed!
Something like this seems to take trial and error until a few become proficient in the knowledge and can pass more definite information on to others. It's understandable that there can be errors.
There are so many variables and it seems that each time something is figured out the bad guys find something new. It's probably good for a little fear to have been created to make people sit up and take notice.