2008-06-18

My router wants Taiwan

Every so often – actually, every so seldom – my Zyxel Prestige 660R-61 ADSL router will enter the strangest failure mode you can imagine. Everything works except that I'm unable to resolve DNS names, giving the immediate impression that the entire internet has disappeared. (I once had a smart, brilliant coworker burst into my office and announce that this was a big moment in the history of the internet: Google had gone down! It turned out that our nameserver had fallen ill, and the web addresses he had used as a control group happened to be cached locally.)

No, lacking DNS is not in itself strange. The strange thing is how this lack arises.

See, every time I send a DNS query packet from one of the several computers behind the router, what comes back is a response packet that purports to tell me the IP address of www.kimo.com.tw. Apparently the router is not even trying to falsify the address of the host I asked about; it answers about a different host entirely. I ask about, for example, www.google.com, and back comes a packet saying (translated from RFC-1035 speak): "Thank you for your inquiry about the IP address of www.kimo.com.tw. It is my pleasure to inform you that the IP address of www.kimo.com.tw is 207.69.188.186".

It's always www.kimo.com.tw. It's always 207.69.188.186. It only happens for UDP queries; DNS over TCP is unaffected. It's not the nameserver at my ISP that misbehaves; I get the same pattern when I ask a root server about "com.". I don't know whether the router rewrites my outgoing requests to be about www.kimo.com.tw, or responds with a stock reply on its own, or rewrites incoming answers. I don't know whether it affects UDP packets not to/from port 53.

This has happened two or three times over a period of several years. It seems to tend to follow downtime on the ADSL connection. But whenever it happens, rebooting my local router clears the problem. It's very strange.

Is the router getting infected with some malware? I have a hard time figuring out what said malware could be attempting to achieve. Because the name in the reply does not match that in the request, the resolver on my local computer will just fail instead of returning a wrong answer to the application.
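The mismatch described above is easy to check for mechanically: a well-formed reply must carry the transaction ID we sent, the QR bit, and our own name in its question section, and any A record in it must belong to that name (or to a CNAME target the reply itself introduces). The following script is an added example, not code from the original post; it builds an RFC 1035 query, parses a reply (including compression pointers), and reports what does not match. The two sample reply packets are constructed inline for the demonstration, with 207.69.188.186 taken from the post and 192.0.2.10 as a documentation address; `probe_udp` sends a real query and is not run automatically.

```python
"""Check a DNS reply against the query that was sent (added example)."""
import os
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(pkt: bytes, off: int):
    """Return (name, offset after the name), following 0xC0 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # pointer: 14-bit offset into the packet
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_reply(pkt: bytes) -> dict:
    """Parse header, question section and answer section of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 1 and rdlen == 4:       # A record
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 5:                     # CNAME: target is a domain name
            rdata = decode_name(pkt, off)[0]
        off += rdlen
        answers.append((rname, rtype, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def check_reply(sent_name: str, sent_id: int, reply: bytes) -> list:
    """Return a list of mismatches; an empty list means the reply fits the query."""
    r, problems = parse_reply(reply), []
    if r["id"] != sent_id:
        problems.append(f"transaction id {r['id']:#06x} != {sent_id:#06x}")
    if not r["flags"] & 0x8000:
        problems.append("QR bit not set: this is not a response")
    want = sent_name.rstrip(".").lower()
    qnames = [q[0].lower() for q in r["questions"]]
    if want not in qnames:
        problems.append(f"question section asks about {qnames}, not {want}")
    expected = {want}
    for rname, rtype, rdata in r["answers"]:   # accept A records under CNAME targets
        if rtype == 5 and rname.lower() in expected:
            expected.add(rdata.lower())
    for rname, rtype, rdata in r["answers"]:
        if rtype == 1 and rname.lower() not in expected:
            problems.append(f"A record for {rname} ({rdata}) answers a name we never asked for")
    return problems


def probe_udp(name: str, server: str, timeout: float = 3.0) -> list:
    """Send one UDP query to server:53 and check the reply (network access needed)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return check_reply(name, txid, data)


def build_reply(txid: int, qname: str, ip: str) -> bytes:
    """Construct a reply with one question and one A record (test data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # Answer owner name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


# Constructed sample packets: a sane reply and one shaped like the router's.
QUERY_ID = 0x1234
GOOD_REPLY = build_reply(QUERY_ID, "www.google.com", "192.0.2.10")
KIMO_REPLY = build_reply(QUERY_ID, "www.kimo.com.tw", "207.69.188.186")

if __name__ == "__main__":
    print("good reply:", check_reply("www.google.com", QUERY_ID, GOOD_REPLY))
    print("kimo reply:", check_reply("www.google.com", QUERY_ID, KIMO_REPLY))
```

Running the script prints an empty list for the sane reply and two complaints for the www.kimo.com.tw one (wrong question, A record for an unrequested name). Calling `probe_udp("www.google.com", "<your resolver>")` from a machine behind the router gives the same kind of report for a live query, which is a quicker way to tell the symptom apart from an ordinary resolver outage than reading packet dumps.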

After intensive web searching the best I have been able to find is this page in Russian, which judging by Google's translation seems to describe exactly this syndrome. Apparently it is claimed that no malware is involved, but I cannot make sense of the machine-translated explanation of what actually happens.

7 comments:

  1. I've had several bad experiences with ZyXel routers and UDP traffic in the past:
    http://inside.echobit.net/archives/2007/12/01/dont-trust-your-router/

    On top of that, it seems their firmware is shared across many of the different router models and the (UDP) bugs therefore show up pretty much in all of them. (Don't get me wrong, though. Reuse is definitely good - it's just unfortunate if it causes bugs to be replicated.)

  2. UDP sure seems to be underappreciated by router manufacturers. A favorite horror story at the place I work is about a router that would try to make its NATting transparent by replacing the LAN-side IP address of the sender with the WAN IP in each outgoing UDP packet -- by blind nondiscriminating search-and-replace regardless of source and destination ports! Things would go wrong whenever those four magic bytes turned up in application-level payloads.

  3. Just noticed this in mine too. I did a reboot of everything - PC, router, etc., and just for the hell of it I was in the command line, pinged Google, and saw this:

    me - ping google.com

    pc - pinging www.kimo.com.tw [207.69.188.186]...

    me - what the hell?

  4. Same thing here, but with a twist. Whatever I request the DNS to resolve, it always comes back with the same host and its ip address as 207.69.188.186, which is the advertised DNS server at earthlink, my ISP. I noticed this is the same address mentioned in the Russian site. I'm suspecting some hijacking going on, but for what?

  5. Never had this problem before, but I've also been experiencing it regularly on my Zyxel 2602. When it goes into "broken DNS" mode, it always returns 207.69.188.186, for *any* DNS requests, whether the name exists (or is sane) or not. Frustrating, no fix found yet.

  6. It did it again this morning. This time I had the presence of mind to note down the IP address in the response. Indeed it is 207.69.188.186, as reported by the three previous commenters. (Article edited to include this number, for better googlability.)

    In addition to the Russian page about the phenomenon, Google now finds a Vietnamese one, at http://www.ddth.com/showthread.php?t=109226 ...

  7. Ever since I upgraded to Leopard on my Mac a few months ago, my mDNSResponder process has been periodically trying to connect to

    207.69.188.186
    and
    207.69.188.187

    I know that's a slightly different problem than y'all are encountering... but this is the closest page to anything helpful that googling has found for me yet.
