Score:0

Subdomain with variable IP

cn flag

Subdomains like http://3qax.munzer.webproxy.idc-lorien-apiver01-repay-action.bh-arppofind.comssets.mealcardhss-int-bh-awwwppofind.wire.2.homeetingroom.walmartmobile.cn present a behavior where, when I ping (or traceroute) it, the IP keeps changing. Sometimes it is an IP owned by Twitter, other times an IP owned by Facebook (31.13.80.1), others by Dropbox (162.125.32.5), and sometimes it can't resolve to an IP at all.

What is the idea behind this type of behavior?

Score:0
tn flag

This domain's authoritative DNS server is located in mainland China, so if you (or your DNS server) query this domain from outside China, the request will cross the Great Firewall. "proxy" is in the Great Firewall's block list, so it will reply with a fake answer. The Great Firewall is closer to you than the authoritative DNS server, so its fake answer arrives first, and then you see those "variable IPs".

Query a non-DNS server in China from outside China, with a non-existent domain, and you can observe the Great Firewall's behavior better:

dig @www.gov.cn nxdomain.webproxy.idc-lorien-apiver01-repay-action.bh-arppofind.comssets.mealcardhss-int-bh-awwwppofind.wire.2.homeetingroom.walmartmobile.cn


Old answer:

A DNS server can provide different answers to the same domain name, for example DNS round robin and GeoDNS.

But there are other possibilities; it seems like your DNS response is modified by a middle box. Can you do these tests (assuming you are using Linux)? Do you live in China? Which DNS server are you using?

  1. ping www.google.com.hk.a
  2. dig 3qax.munzer.webproxy.idc-lorien-apiver01-repay-action.bh-arppofind.comssets.mealcardhss-int-bh-awwwppofind.wire.2.homeetingroom.walmartmobile.cn +tcp
  3. dig @11.0.0.0 3qax.munzer.webproxy.idc-lorien-apiver01-repay-action.bh-arppofind.comssets.mealcardhss-int-bh-awwwppofind.wire.2.homeetingroom.walmartmobile.cn

(I don't have enough reputation to post a comment, so I can only ask these questions in an answer.)

Felipe
cn flag
I don't think the issue is a middle box; if you check the subdomain with a tool such as https://tools.keycdn.com/dig you will notice that many locations have different responses. I am not in China, I am in Brazil. Also, the strange behavior is that the IP it resolves to most of the time is from Facebook, but it happens to be from Twitter, Dropbox and Cloudflare too, so I don't think it is just the result of a load balancer... Any other idea?
tn flag
@Felipe You live outside China, and such a domain's DNS server (according to `dig +trace`, it's `dns9.hichina.com`) is inside China, so its DNS response to you can be modified by the so-called GFW.
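The race the answer describes (a forged reply from a middle box beating the genuine one to the resolver) leaves a checkable trace on the wire: two replies carrying the same transaction ID that disagree on the answer. As an added example, not code from the answerer or from any tool named above, the following Python builds two such constructed replies and flags the disagreement, which is what to look for when you collect every UDP reply to one query instead of only the first; the query name and the 203.0.113.10 address are placeholders.

```python
import struct

def encode_name(name):
    # Wire-format a domain name: length-prefixed labels plus the root terminator.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_response(qid, name, ips, ttl=60):
    # Constructed reply used to emulate forged and genuine answers offline.
    hdr = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
                   for ip in ips)  # 0xC00C: compression pointer back to the question name
    return hdr + encode_name(name) + struct.pack(">HH", 1, 1) + rrs

def skip_name(buf, off):
    # Advance past a name, which is either a run of labels or a 2-byte compression pointer.
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1

def parse_a_records(resp):
    # Return (transaction id, sorted list of A-record IPs) from a DNS response.
    qid, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return qid, sorted(ips)

def conflicting_answers(qid, responses):
    # Injection indicator: several replies to one transaction id that disagree on the answer set.
    seen = {tuple(ips) for rid, ips in map(parse_a_records, responses) if rid == qid}
    return len(seen) > 1

# Constructed sample: a forged reply that arrives first, then the genuine one.
NAME = "nxdomain.example.invalid"  # placeholder name, not the domain from the question
QID = 0x1234
FORGED = build_response(QID, NAME, ["31.13.80.1"])      # IP quoted in the question
GENUINE = build_response(QID, NAME, ["203.0.113.10"])   # documentation-range address, constructed
```

On a live capture, feed every datagram that shares the query's transaction ID into `conflicting_answers`; a single reply set means no race was observed, two or more means something answered besides the server you asked.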
