Chances are slim to none that any of my readers have been infected by DNS-changing malware, but it is always worth checking. There are two easy ways to confirm whether your DNS settings have been tampered with: run ipconfig from a command prompt and compare the servers it reports against the known rogue ranges (instructions below), or visit the check page at http://www.dns-ok.us/ (which only worked while the court-ordered replacement servers were in operation, so the manual check is the one that keeps working). For those of you who don't know much about how DNS works, or just want more background, the FBI's explanation follows:
DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as http://www.fbi.gov, in your web browser address bar, your computer asks its DNS servers for the IP address of the website, then uses that IP address to locate and connect to it. The DNS servers are typically operated by your Internet service provider (ISP), and their addresses are part of your computer's network configuration, usually handed out automatically along with your IP address. DNS is a critical component of your computer's operating environment: without working DNS servers you could not reach websites by name, send e-mail, or use most other Internet services.
Criminals have learned that if they can control a user’s DNS servers, they can control what sites the user connects to on the Internet. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or to interfere with that user’s online web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. In this scenario, the criminal uses the malware to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal. A bad DNS server operated by a criminal is referred to as a rogue DNS server.
I know some of you might be thinking "why would I let the FBI scan/check my computer," but fear not: the site does not scan your computer at all, it only determines which DNS server resolved its name for you. You can do the equivalent yourself by cross-referencing what ipconfig shows against the DNS server ranges known to be rogue. Here are the instructions if you wish to check for yourself:
If you are using a Windows computer, open a command prompt. This can be done by selecting Run from the Start Menu and entering cmd.exe or starting the command prompt application, typically located in the Accessories folder within Programs on your Start Menu.
At the command prompt, enter: ipconfig /all
Look for the entry that reads “DNS Servers……….”
The numbers on this line and the line(s) below it are the IP addresses of your DNS servers. They are in the format nnn.nnn.nnn.nnn, where each nnn is a number from 0 to 255 (if addresses containing colons, i.e. IPv6 addresses, are also listed, ignore them for this check; the rogue servers were all IPv4). Make a note of the DNS server addresses and compare them to the following known rogue DNS server ranges published by the FBI:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
To make the comparison between the computer's DNS servers and this table easier, start with the first number before the first dot. If none of your DNS servers start with 85, 67, 93, 77, 213, or 64, you should be fine. If any of them do, continue the comparison against the full range, since plenty of legitimate servers share those first octets (an 85.x address is only a match if it falls between 85.255.112.0 and 85.255.127.255, and so on).
If the IP address of any of your DNS servers falls inside one of the ranges above, the computer is using a rogue DNS server. Two caveats: ipconfig /all lists DNS servers per network adapter, so check every adapter, not just the first one; and if your DNS server is the address of your home router (typically 192.168.x.x or 10.x.x.x), the router is doing the lookups on your behalf, so log in to it and check the DNS servers configured there against the same table, as DNSChanger also altered routers that still used default passwords.
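The manual procedure above (read ipconfig /all, collect every DNS server per adapter, compare against the six ranges) can be automated so the range check is exact rather than a first-octet shortcut. The following script is an added example written for this post; it is not the FBI's tool and not the dns-ok.us check. It parses the text of ipconfig /all, which it assumes has the usual "Name . . . : value" field layout with extra servers on their own indented lines, and the sample output embedded in it is constructed for the demonstration (the 85.255.112.x servers are simply addresses inside the first rogue range). It also flags private addresses, so that a PC pointing at its router gets the "check the router too" verdict rather than a clean bill of health.

```python
import ipaddress
import re
import subprocess

# The six rogue resolver ranges from the FBI's DNSChanger advisory
# (the same ranges as the table above), written as CIDR blocks.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# An `ipconfig /all` field line looks like "   DNS Servers . . . : value".
# A continuation line carries only a value and has no "name . . . :" prefix,
# so it does not match this pattern (IPv6 values never have a space/dot before a colon).
_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?)[ .]+: ?(.*)$")


def _clean(value):
    """Turn an ipconfig value into a canonical IP string, or None if it isn't an IP."""
    value = value.strip().split("(")[0].split("%")[0]   # drop "(Preferred)" and "%scope"
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def parse_dns_servers(ipconfig_output):
    """Return {adapter name: [dns server, ...]} from the text of `ipconfig /all`."""
    servers = {}
    adapter, in_dns = "unknown adapter", False
    for line in ipconfig_output.splitlines():
        if line and not line[0].isspace():
            # Unindented lines are section headers such as "Ethernet adapter Ethernet:"
            adapter, in_dns = line.strip().rstrip(":"), False
            continue
        m = _FIELD.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            value = m.group(2)
        elif in_dns and line.strip():
            value = line            # second, third ... DNS server on its own line
        else:
            in_dns = False          # blank line or unrelated text ends the DNS list
            continue
        if in_dns:
            ip = _clean(value)
            if ip:
                servers.setdefault(adapter, []).append(ip)
    return servers


def is_rogue(addr):
    """True if the address lies inside one of the published rogue ranges (IPv4 only)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in ROGUE_RANGES)


def classify(servers_by_adapter):
    """Return (adapter, server, verdict) triples.

    'rogue'   - inside a DNSChanger range
    'private' - a LAN address (usually the home router), which must be checked itself
    'ok'      - a public resolver outside the rogue ranges
    """
    report = []
    for adapter, addrs in servers_by_adapter.items():
        for addr in addrs:
            if is_rogue(addr):
                verdict = "rogue"
            elif ipaddress.ip_address(addr).is_private:
                verdict = "private"
            else:
                verdict = "ok"
            report.append((adapter, addr, verdict))
    return report


# Constructed `ipconfig /all` excerpt (not real output): the first adapter points at
# two addresses inside a rogue range, the second at the home router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.37
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
"""


if __name__ == "__main__":
    # On a real Windows machine, read the live configuration instead of the sample.
    try:
        text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_IPCONFIG
    for adapter, server, verdict in classify(parse_dns_servers(text)):
        print(f"{verdict:8} {server:40} {adapter}")
```

Run it on the sample and the two Local Area Connection servers come back "rogue" while both Wi-Fi entries come back "private", which is exactly the case the caveat above is about: a clean-looking 192.168.1.1 tells you nothing until the router's own DNS settings have been compared against the same table.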