My router passes the router checker, but other tools say dns hijack vulnerability

Scholar


Hi, 

While thanking you for providing an excellent tool after some time of deep updates, I wish to state that while my router passes your check, some other programs say that my DNS server from the ISP has already been hijacked and hence asked me to change the DNS to google.com. When changing the same to Google DNS, a scan by the software does not show any vulnerability. It shows two sites as hijacked domains. It selects some sites for the purpose of its scan and two of them are said to be hijacked domains. What is the connection between my DNS server and hijacked domains? Are they hijacking my DNS, or are these domains compromised by some attackers to use?

I have done the maximum to change the default user pw, enable DoS settings, disable TR-069 etc., but still face this issue.

Superuser

Re: My router passes the router checker, but other tools say dns hijack vulnerability

 


Hello,

 

Not an answer, but just as a temporary suggestion:

--> Because I am not sure if there will be a proper response from the F-Secure team (at least, briefly) - maybe you are able to try to use the feedback mail, which is noted on this page:

https://www.f-secure.com/en/web/labs_global/router-checker

As a direct letter to the F-Secure Router Checker team with an explanation. And maybe they are able to investigate such a situation more (with the required information)?

 

Thanks.

 

 

Scholar

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hi, thanks for the reply. But once I sent my query to support, I was not informed of any reply. But anyhow, the answer was there on the website. I asked for ! in the router scan, that could not fully scan my computer. After seven days, I went to the same page and found it was working. Definitely I will raise this issue in feedback. But aside from that, would you be able to answer the general queries raised over there regarding DNS hijack, leaving the specifics? Do you mean support? Where is feedback on that page?

Superuser

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hello,

 

Just as clarification - I'm not official F-Secure staff. So these are just my own suggestions as an F-Secure user (of their home solutions and of this community);


 

Yes, such situations are possible there (when a support request gets no result) but it should not be like that; But I also have such experience. And, yes, the community can also be helpful and useful;


In my experience this URL: https://www.f-secure.com/en/web/labs_global/router-checker

has the common description of F-Secure Router Checker; And the following part of the page is available there:

Giving Feedback

We would appreciate your feedback on this service! Please send your comments via e-mail to:

where the mail address is added as a picture (maybe to prevent spam). In my own view - the situation when some tools give a notification that there can be trouble (DNS hijack), but with F-Secure Router Checker all is OK -> is something which can be useful feedback to improve such a service. At least, in the community there was something as a potential point to research (the trouble asked about by the user) - but I am not sure if there was any investigation; and that is not quite good.

 

Sorry if I misunderstood your reply - but my meaning was something like "writing a letter to this certain mail address" (as a direct?! contact for the F-Secure Router Checker team) with your information and query (what if they are able to give some proper advice);

Also (at the provided URL) there is a legacy tool available -> "Legacy Tool: DNSChecker" - which maybe is not too useful (but as a try - you are able to check it);


 

As my own suggestion about your experience... some points are not really clear (but I'm also not really friendly with these things):

--> which tools give a notification/prompt that there is trouble (DNS hijack)? And, yes, when hijacked websites are noted - maybe it means that certain resources were 'hacked' (?!) generally;

--> when you noted that "vulnerability" - does it mean that there is just a potential "vulnerable" point for such an attack (?!) and it was detected?

--> when you use F-Secure Router Checker ( https://campaigns.f-secure.com/router-checker/en_global/ ) with the button "Check your router"; In my experience - if all is OK - it gives such a notification: that there are "no troubles found" and a spoiler "> See technical details of the results";

Where "technical details of the results" is about additional information (DNS IP, ISP and related things); If you do not use a VPN (or other) - there should be information about your ISP; Or information which is expected by you. Is it valid with your experience?

 

Thanks. 

Scholar

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hi Ukko, I saw all your points. The Avast scan shows the vulnerability of DNS hijack. I think that it scans certain web addresses and prompts you with the alert.

By changing the DNS to Google DNS, the alert vanishes with no problem report. In your link, only the community link was given. But there must be some administrator for the forum as such. They must see the contents of each of the users and take necessary action. Just stating that they want feedback, but not giving any response, is not a nice thing.

When I close, a feedback window asks me for feedback, which I gave and successfully submitted. But I do not know anything after that. I do not think it nice to give more information about the other programs here, as both have similar products.

Superuser

Re: My router passes the router checker, but other tools say dns hijack vulnerability

@jraju wrote:

Hi Ukko, I saw all your points. The Avast scan shows the vulnerability of DNS hijack. I think that it scans certain web addresses and prompts you with the alert.

By changing the DNS to Google DNS, the alert vanishes with no problem report. In your link, only the community link was given. But there must be some administrator for the forum as such. They must see the contents of each of the users and take necessary action. Just stating that they want feedback, but not giving any response, is not a nice thing.

When I close, a feedback window asks me for feedback, which I gave and successfully submitted. But I do not know anything after that. I do not think it nice to give more information about the other programs here, as both have similar products.


Hello,

Yes, at the current time and today - I am also able to see just the community reference (from the URL page);

Eventually I used the F-Secure Router Checker page yesterday and the mail address was still there! So, it changed today/yesterday... or maybe you always had a more updated page view (than in my experience);

And sorry for my fresh reply. Most likely you are able to re-ask some certain points there (with your next reply) and I also will expect that there can be a response from the official F-Secure team; About the general meaning of the topic or certain points. It will be nice and good.

I also did a brief search about Avast DNS Hijack router scans and there are some stories by different users. And in my understanding - there can be quite many potential reasons for their "notification" about trouble (including the situation when it is not reasonable; and more like a "false positive").

At least, if we ignore points like the ISP, a router with certain firmware, suspicious extensions/add-ons in the browser or malicious software on the system --> which are able to perform some "strange" activities for Avast checks. There was also a point about VPN as a trigger for such a notification. In my understanding - the worst point there is that they do not provide any technical words about the trouble. What "certain trigger" or something else. As it was suggested there -> Forum for Sky Wireless router (?!) with a related topic about the Avast scan - even if there can be a false positive -> maybe anyway you are able to try to launch some "doublecheck" scanners like Malwarebytes AdwCleaner or tools like HitmanPro; In addition to a full scan by your main security solution (and other ticks - which you already did);

 

Thanks.

Scholar

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hi Ukko,

I have further gone deep into the matter. It is the ares scanner, that means IP address scanner, that gives this alert. When all IPs have resolved to get the IP from the web address, I find that there are two domains that are not resolved to prompt, that it goes elsewhere, prompting DNS hijack. The DNS just changes your domain name to an IP to fetch you the correct and corresponding IP. So, I think that the scan tests for resolving names to IPs and if there is no return response, or it is not resolved, it shows the alert. But the alert is not shown as vulnerable; it says DNS hijacked, meaning that the system is already compromised. Here, I get confused with one software saying that there is no problem and the other saying that it has... I did not get a useful reply from the vendor.

Superuser

Re: My router passes the router checker, but other tools say dns hijack vulnerability


@jraju wrote:

So, I think that the scan tests for resolving names to IPs and if there is no return response, or it is not resolved, it shows the alert. But the alert is not shown as vulnerable; it says DNS hijacked, meaning that the system is already compromised. Here, I get confused with one software saying that there is no problem and the other saying that it has... I did not get a useful reply from the vendor.


Hello,

 

I think that there should be.. additionally.. a design like "return unexpected response"; If they check that, for example, "google.com" returns the proper IP (but not a third-party page); Generally if any "own" redirects are configured (by any of the layers) it can be suspicious for such checks.

With my previous reply I noted the URL for the Sky forum, where Avast with a certain "DNS hijacked" trouble was also discussed. Some responses had the meaning that it is possible if their "router" performs some 'internal' redirects (when there is trouble with the network connection); Most likely it can be valid for most routers and ISP configurations; And also with the meaning that the trouble (for the user) was fixed by removing potential adware from the system (?!);

The difference between the "check" results is probably based on the situation that F-Secure Router Checker just performs another kind of "validation". With the general view that there is a "known" DNS server (or trusted and with a proper result); As it is noted on the web page: "router configured to use an authorized DNS server";

But... I am not sure if there should be something else or handling of situations (which "trigger" the Avast prompt for DNS Hijack - if it is not a "false positive"/wrong detection); So - quite good to get a proper response/clarification from the F-Secure Router Checker team.

Sorry for my long replies.

 

Thanks.
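
The kind of answer comparison discussed in the posts above, as an added example that is not part of any post in this thread and does not show how Avast or F-Secure Router Checker work internally. It separates "no answer" and router-style redirects from a plain mismatch; the function names, verdict labels and sample answers are all constructed for illustration.

```python
import ipaddress

# RFC 1918 and loopback ranges: a public name answering with one of these
# usually means the router or a local proxy intercepted the query.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def classify(local, reference, nx_probe):
    """Compare one name's answers from the resolver under test (local)
    with those of a reference resolver. nx_probe holds what the local
    resolver returned for a name that does not exist (should be empty)."""
    local, reference, nx_probe = set(local), set(reference), set(nx_probe)
    if not local:
        return "no-answer"         # resolution failed; not proof of hijack
    if nx_probe and local <= nx_probe:
        return "nxdomain-rewrite"  # resolver substitutes its own landing page
    if any(is_local(ip) for ip in local):
        return "local-redirect"    # router or captive-portal style answer
    if local & reference:
        return "match"
    return "differs"               # can be CDN routing; needs a further check

def assess(results, nx_probe):
    """Map each tested name to a verdict."""
    return {name: classify(loc, ref, nx_probe)
            for name, (loc, ref) in results.items()}

# Constructed sample answers (documentation address ranges, not real data):
# name -> (answers from resolver under test, answers from reference resolver)
SAMPLE = {
    "site-a.example": (["198.51.100.10"], ["198.51.100.10", "198.51.100.11"]),
    "site-b.example": ([], ["203.0.113.5"]),
    "site-c.example": (["192.0.2.80"], ["203.0.113.9"]),
    "site-d.example": (["192.168.1.1"], ["203.0.113.20"]),
    "site-e.example": (["198.51.100.77"], ["203.0.113.30"]),
}
NX_PROBE = ["192.0.2.80"]  # local resolver's answer for a nonexistent name

if __name__ == "__main__":
    for name, verdict in assess(SAMPLE, NX_PROBE).items():
        print(f"{name:16} {verdict}")
```

Only the "differs" verdict calls for a closer look, and even that one is not conclusive on its own, because large sites legitimately return different addresses to different resolvers.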

Community Manager

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hi jraju,

 

Apologies for the delay in replying here. I have already highlighted your post in order to get more information about the Router Checker. Once I have an update about this, I will get back to you with further information.

 

Scholar

Re: My router passes the router checker, but other tools say dns hijack vulnerability

Hi, I also want to mention about one strange scenario.

You have protected your router by changing the admin password and enabling protection from denial-of-service attacks and other settings, so that you are safe.

Everybody knows that external IPs are allocated to users by their ISP for each login, for dynamic IP address users. I do not go deep into the allocation, but is it not that if a compromised computer user's IP is given to you at your logon time, will the security settings work and can one say that he is safe from router and network attacks? I raise this question, as through no fault of a user, his computer is getting spam alerts from some of the genuine sites he often visits, to provide more captcha options, maths questions to gain access, or to log in after some time to get a different dynamic IP which is not affected by any attack like spammers etc.

Is my presumption correct? Or does the system have nothing to do with external IP login? Please, any expert advice.