*EDIT* Having solved this problem I’m now not entirely happy that the title of this post is accurate. Maybe it should read ‘DNS Redirection Problems Resolved’, since the problem came about not because of misconfiguration or a misunderstanding of the workings of DNS but as a result of something quite different…

The following post is very scrappy; it details all the checks and measures I went through to solve this niggling problem. Several times I thought I had it fixed only to be proven wrong a day or two later. I have left the post unedited in light of new information to show all the checks and balances I went through. I’m hoping there might be some useful information and things worth checking along the way.

Simon.

Earlier today something strange started happening with all my websites on IIS 8.

I went to the IIS website searching for answers, I even posted my problem as clearly as I could but as yet have not received any help. I had checked everything I could possibly think of myself to see if there was something I could have overlooked, but everything seemed to check out just fine. The only problems I was having were with my locally hosted sites; all other sites on the Internet were coming up just fine. So the problem has to be internal to my network. HTTP Redirect was fine (unused). I double-checked my DNS and that was fine too. It wasn’t URL Rewrite either. Whilst scouring through IIS 8 Manager I stumbled on ‘Server Certificates’ and could see an entry there with no further information (thinking I’d found the problem, I deleted it). A little while later there it was again… redirecting to HTTPS all the time.

My final resort was to remove IIS 8’s HTTP Redirect module altogether. Right, try redirecting now!

After rebooting the server I found that I was getting 503 errors. The cause of this was that in the server’s Application Pools a number of websites had been stopped for some reason, so under ‘Application Pool Tasks’ in the panel on the far right I just clicked ‘Start’.

I think this might have now fixed the problem but will report back in a day or so to confirm.

One day later and oh dear.

…Here we are now a day later and one of my sites was still being redirected to HTTPS instead of HTTP. This is insane considering my web server doesn’t even have the HTTP Redirect module installed. This now has to be some kind of internal DNS issue. My domain controller handles my internal DNS and my web server handles my external DNS. Seeing that I have had no complaints from visitors and my average number of daily visitors to my sites hasn’t changed, I can reasonably assume that my external DNS is still fine.

Another point I’d quickly like to make is that this didn’t happen all the time, as my original post stated it would be fine for several hours but once it started happening – that was it, it would continually happen.

One thing I failed to check when I did have a look at my internal DNS was the DNS forwarders! Here’s what I found:

[Screenshot: the DNS forwarders list on my domain controller (phoney-dns-servers2)]

As you can see, the IP addresses in red are immediately under suspicion. The top two are my ISP’s DNS servers, but the two IPs underneath are unknown to me and a Google search didn’t help either. Needless to say I removed them straight away and ran another ipconfig /flushdns on my domain controller. As an added precaution I did a full virus scan using the latest software and database from MalwareBytes – which turned up nothing.

Needless to say I’m happy I found the root cause of the problem (at least I think so), but I’m concerned as to how it happened in the first place. I am remaining vigilant and will report back again in a day or two.

Back again…

Well, it’s still happening. However, I’ve discovered it’s only happening when I access my sites from any Windows computer on my network. Something, somewhere has gone very wonky. If I access my sites using Chrome from my iPad and iPhone they come up absolutely fine both inside and outside my network.

I’m using a rather generic router provided by my ISP with rather limited firewall settings (whether this is the cause or not I can’t say for sure). My laptop has travelled with me and connected to many networks since I first installed Windows 8.1 on it.

Is my network infected with a virus? According to MalwareBytes – no.

I’ll keep digging and report back… again.

The Root of the Problem

OK. I’m now pretty sure this whole redirection from HTTP to HTTPS is the result of an attack on my network. Why? I just tried pinging my domain controller and rather than coming back with a local IP address it came back with:

66.151.181.49

Googling this IP address comes up with all sorts of interesting information.
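The two symptoms above (unknown forwarders on the domain controller, and an internal host name resolving to a public address) can be checked mechanically. The following script is an added example written for this post, not a tool from the post itself; the forwarder addresses, host names and the expected ISP resolvers are constructed placeholders, and only the 66.151.181.49 answer mirrors what the post describes.

```python
import ipaddress
import socket

# Constructed sample data, not taken from the post: the ISP resolvers you
# expect to see as forwarders (placeholder documentation-range addresses)
# and the list actually configured on the domain controller.
TRUSTED_FORWARDERS = {"203.0.113.1", "203.0.113.2"}
CONFIGURED_FORWARDERS = ["203.0.113.1", "203.0.113.2",
                         "198.51.100.7", "198.51.100.8"]

# Constructed answers standing in for what `ping` returned for internal
# hosts; the first mirrors the post's symptom of a domain controller
# resolving to a public address instead of a LAN address.
SAMPLE_ANSWERS = {
    "dc01.corp.example": "66.151.181.49",
    "web01.corp.example": "192.168.1.20",
}


def rogue_forwarders(configured, trusted):
    """Return every configured forwarder that is not on the trusted list."""
    return [f for f in configured if f not in trusted]


def check_internal_names(names, resolve=socket.gethostbyname):
    """Resolve each internal host name and flag any that maps to a
    globally routable address.  Internal hosts should only ever resolve
    to private (RFC 1918) or loopback addresses, so a public answer is a
    strong hint that resolution is being tampered with.  `resolve` is
    injectable so the check can also run offline against recorded answers."""
    suspicious = {}
    for name in names:
        try:
            addr = resolve(name)
        except OSError:
            continue  # unresolvable is a different problem; skip it here
        if ipaddress.ip_address(addr).is_global:
            suspicious[name] = addr
    return suspicious


if __name__ == "__main__":
    print("rogue forwarders:",
          rogue_forwarders(CONFIGURED_FORWARDERS, TRUSTED_FORWARDERS))
    # Offline run over the recorded answers; drop `resolve=` to query live DNS.
    print("internal names resolving to public IPs:",
          check_internal_names(SAMPLE_ANSWERS, resolve=SAMPLE_ANSWERS.__getitem__))
```

Run it on the machine that is misbehaving as well as on the domain controller: a client that gets a public address for the DC while the DC itself answers correctly points at the client (as turned out to be the case later in this post) rather than at the server's forwarders.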

Virustotal.com has this to say:

Passive DNS Replication.
Latest files that are not detected by any antivirus solution and were downloaded by VirusTotal from the IP address provided.

As you can see from the date of this post and the date of the file downloaded by VirusTotal in a sandbox (12-07-2015, UK date format), this is the date I started having this problem, and as stated above the ‘not detected by any antivirus solution’ is just a little concerning. Looking through several pages about this IP address there are many ‘complaints’ but I couldn’t find anything offering a solution.

Encrypting my DNS

Maybe it was an oversight or just pure ignorance on my part, but I realised I didn’t have any of my DNS zones encrypted with DNSSEC. I’ve never had a problem with my DNS before… Anyway, I decided to encrypt all my zones/domains both internally and externally, and both forward and reverse lookups. I performed another ipconfig /flushdns on all my Windows systems and just waited to see what happens. Now when I ping my domain controller I’m getting its proper local IP address, all my websites are coming up with no ridiculous redirections going on and things currently are looking tickety boo. Have I actually just found the solution? I honestly don’t know but will report back again when I know more.

Another day later…

All the servers on my network have been completely fine, I’ve run MalwareBytes on every Windows machine and all systems have come up clean. When I say all servers on my network have been fine I suspect that is because they are members of a domain. The copy of Windows 8.1 on my laptop however is not able to join a domain and so a lot of the features and security benefits that go with it are not available to me.

It was only a matter of a few hours before my laptop started going wobbly again. For future reference there’s a handy website that is worth visiting:

https://www.check-and-secure.com

From this site, after a few checks it prompted me to download HitmanPro v 3.7.9. Scanning my system with this program (which I’ve never used before) I was surprised to see a number of ‘hits’, mostly they were banal tracking cookies, but one find caught my attention:

[Screenshot: HitmanPro scan results (HitmanPro-Scan)]

This is some 64/32-bit program redirect. Whatever it was, according to HitmanPro it shouldn’t be there. I clicked Next and let it do its thing. As soon as these rogue entries had been removed (a reboot wasn’t required) everything started behaving properly.

At this stage I’m quite happy as my servers have been completely fine, and I’m also fairly confident that my laptop is now fixed. Yesterday I bought myself a new 2TB 2.5″ HDD and, considering Windows 10’s official release day is only a few days away (July 29th 2015), I intend to remove my current hard drive, put it into storage and start afresh.

I try never to format a drive if I can help it. You might copy all your files over, but there’s always something that gets forgotten; maybe it’s of little consequence, but sometimes it can be rather more important.

I think we’re done here, it’s been an education for me and I hope of some help to you. As always if you have any questions or would like to add something to this post please feel free to write something in the comments below.

**No we are not done**

Another oversight on my part was failing to check other browsers such as Chrome (I’m currently using Firefox).

I found here the following: Disabling HTTPS is not an absolute in Firefox. Some sites will redirect and may not offer HTTP.

However, to choose one URL over the other, if it is an option, you can disable autofill (Address Bar Search). In order to change your Firefox configuration please do the following steps:

  1. In the Location bar, type about:config and press Enter. The about:config “This might void your warranty!” warning page may appear.
  2. Click I’ll be careful, I promise! to continue to the about:config page.
  3. In the filter box, type or paste autofill and pause while the list is filtered.
  4. Double-click browser.urlbar.autoFill to toggle it from true to false.

Yet another day later.

I came across this post and read the post of someone who seems to be having a similar or the same problem as me. The recommendation is as follows:

Chosen solution (which still didn’t work for me)

Are there any parts of your site where you use HTTPS? Sometimes an administrative page will send Firefox a header indicating that it must always use HTTPS (“Strict Transport Security”), and that is remembered for the entire domain, even for pages that should not use HTTPS.

If you think this is a possibility, to clear that setting, you can try this:

In the Library dialog (Ctrl+Shift+h), right-click a history entry for your server and choose Forget About This Site. This will clear the permission/restriction settings for the site, as well as history, cookies, and any bookmarks to the site.

I tried this and it’s still not working, as I still get this HTTP to HTTPS redirection not only with Firefox but with other browsers as well.
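As an added illustration of the HSTS behaviour the quoted answer describes (example code written for this post, not from the answer’s author or from Firefox): a Strict-Transport-Security header is cached per host, not per page, so one admin page can force every page on that host to HTTPS, and with includeSubDomains every subdomain too. The header values below are constructed, not captured from any real site.

```python
# Constructed header values, not taken from the post or from any real site.
ADMIN_PAGE_HSTS = "max-age=31536000; includeSubDomains"
CLEARING_HSTS = "max-age=0"


def parse_hsts(header):
    """Parse a Strict-Transport-Security header into its directives (RFC 6797).
    Directive names are case-insensitive; unknown directives are ignored."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return {
        "max_age": int(directives.get("max-age", "0")),
        "include_subdomains": "includesubdomains" in directives,
    }


def hsts_upgrades(policy_host, header, request_host, path="/"):
    """Would a browser that cached `header` for `policy_host` rewrite a plain
    HTTP request for `request_host` to HTTPS?  `path` is accepted only to make
    the point that the answer never depends on it: HSTS is scoped to the host,
    so a policy learned on /admin also covers /public pages."""
    policy = parse_hsts(header)
    if policy["max_age"] <= 0:
        return False  # max-age=0 tells the browser to forget the policy
    if request_host == policy_host:
        return True
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


if __name__ == "__main__":
    host = "www.example"
    print("public page on same host upgraded:",
          hsts_upgrades(host, ADMIN_PAGE_HSTS, host, "/public/page.html"))
    print("subdomain upgraded:", hsts_upgrades(host, ADMIN_PAGE_HSTS, "blog." + host))
    print("after max-age=0:", hsts_upgrades(host, CLEARING_HSTS, host))
```

This also explains why the ‘Forget About This Site’ step is needed rather than a plain cache clear: the policy lives in the browser’s HSTS store, and only a max-age=0 header from the site or a manual forget removes it.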


Best wishes

Simon