Thursday, January 4, 2018

Dealing with DNS spoofing in China

Started getting complaints from customers in China that they can't access our website, or in some cases get redirected to Facebook. So I fired up a couple of ThousandEyes mainland China cloud agents and saw that, rather than the normal AWS elastic IPs, anything in one of our sub-domains is resolving to these IP blocks:

  • 31.13.65.0/24 (owned by Facebook...yep https://31.13.65.17/ even has a valid FB cert)
  • 173.252.96.0/19 (owned by Facebook)
  • 69.63.176.0/21 (owned by Facebook)
  • 199.16.156.0/22 (owned by Twitter)

Oddly, hostnames in our parent domain resolve just fine, so this is clearly a per-domain override they're doing. Hong Kong and Taiwan are also not affected, nor is anywhere else in Asia.
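A small checker for the situation described above, added here as an example and not part of the original post: it takes the A records returned for a set of hostnames (here a constructed sample, not the author's real lookups), flags any answer that falls inside the four prefixes listed above, and reports whether the rest land in the prefixes you expect your own records to resolve to. The hostnames, the "expected" prefixes (TEST-NET ranges standing in for the real AWS elastic IPs) and the `resolve_all` helper are assumptions for illustration; the four spoof prefixes and their owners are the ones in the post.

```python
"""Classify DNS answers against known-bogus prefixes and the prefixes we expect.

Added example. The spoof prefixes come from the post; everything else
(hostnames, expected prefixes, sample answers) is constructed for illustration.
"""
import ipaddress
import socket

# Prefixes the post reports as bogus answers, with the owner of each block.
SPOOF_BLOCKS = {
    ipaddress.ip_network("31.13.65.0/24"): "Facebook",
    ipaddress.ip_network("173.252.96.0/19"): "Facebook",
    ipaddress.ip_network("69.63.176.0/21"): "Facebook",
    ipaddress.ip_network("199.16.156.0/22"): "Twitter",
}

# ASSUMPTION: stand-ins for the prefixes your real records live in
# (the post says AWS elastic IPs). TEST-NET ranges are used so nothing
# here points at a real host.
EXPECTED_BLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample answers, as a mainland-China resolver might return them.
# Hostnames are hypothetical.
SAMPLE_ANSWERS = {
    "app.sub.example.com": ["31.13.65.17"],          # inside a Facebook block
    "api.sub.example.com": ["173.252.100.5"],         # inside 173.252.96.0/19
    "www.example.com": ["203.0.113.10"],              # parent domain, as expected
    "cdn.sub.example.com": ["192.0.2.44"],            # neither spoof nor expected
}


def classify_ip(ip_text):
    """Return (status, owner) for one address.

    status is "spoofed" (inside a known-bogus prefix, owner set),
    "expected" (inside one of our own prefixes), "unknown" (neither),
    or "invalid" (not parseable as an address).
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("invalid", None)
    for net, owner in SPOOF_BLOCKS.items():
        if ip in net:
            return ("spoofed", owner)
    if any(ip in net for net in EXPECTED_BLOCKS):
        return ("expected", None)
    return ("unknown", None)


def classify_answers(answers):
    """Map hostname -> {"ips": [(ip, status, owner), ...], "verdict": str}.

    verdict is "spoofed" if any answer is in a bogus prefix, "ok" if every
    answer is in an expected prefix, else "unexpected" (worth a closer look:
    a new elastic IP you forgot to list, or a block not yet in SPOOF_BLOCKS).
    """
    report = {}
    for host, ips in answers.items():
        rows = [(ip,) + classify_ip(ip) for ip in ips]
        statuses = {status for _, status, _ in rows}
        if "spoofed" in statuses:
            verdict = "spoofed"
        elif statuses == {"expected"}:
            verdict = "ok"
        else:
            verdict = "unexpected"
        report[host] = {"ips": rows, "verdict": verdict}
    return report


def resolve_all(host):
    """Live lookup via the system resolver (A records only), for real use.

    Run this from a vantage point inside the affected network; the stdlib
    resolver cannot be pointed at a specific nameserver.
    """
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for host, row in classify_answers(SAMPLE_ANSWERS).items():
        print(f"{host:24} {row['verdict']:10} {row['ips']}")
```

To use it against real data, replace `SAMPLE_ANSWERS` with a dict built from `resolve_all` (or from your monitoring agents' raw answers) and put your actual elastic IPs in `EXPECTED_BLOCKS`; a hostname that comes back "unexpected" rather than "spoofed" usually means a prefix is missing from one of the two lists, not a new attack.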

Anyone seen this and worked around it? I've suggested bribes but only have $45 cash in my wallet and don't speak Mandarin.
