Server sending unknown domains to CNET

Help
John Nagle
2012-03-31
2013-05-22
  • John Nagle
    2012-03-31

    I have a 64-bit x86 Linux server running CentOS 6 and VirtualMin.  It supports one domain.  It does not run "named".  It is configured, via WebMin, to send all its DNS requests to the hosting service's DNS.  Here's the /etc/resolv.conf file that Webmin generated:

    cat /etc/resolv.conf
    nameserver 69.64.66.11
    nameserver 69.64.66.10
    

    So far, so good. Now, if I ping a nonexistent domain while logged into the server with ssh (and "noexample.com" really isn't registered), I get diverted to a CNET search site:

     ping noexample.com
    PING phx1-ss-2-lb.cnet.com (64.30.224.112) 56(84) bytes of data.
    64 bytes from phx1-ss-2-lb.cnet.com (64.30.224.112): icmp_seq=1 ttl=246 time=11.8 ms
    64 bytes from phx1-ss-2-lb.cnet.com (64.30.224.112): icmp_seq=2 ttl=246 time=12.0 ms
    

    OK, the upstream DNS server must be doing that, right? Let's ask it.

     host noexample.com
    Host noexample.com not found: 3(NXDOMAIN)
    

    No, it's not being found by DNS lookups.  I've tried "nslookup", too; it's looking at the correct server, and it doesn't find that domain.  It finds real domains OK.

    This even affects my own programs that call "getaddrinfo".

    There's no HOSTALIASES shell variable set ("getaddrinfo" looks at that.)

    /etc/hosts looks like this (censored slightly):

     cat /etc/hosts
    # =============================================================
    # Network Hosts File generated by BareMetal
    # =============================================================
    127.0.0.1       myownhostname.com 69-64-68-000 localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    

    How are unsuccessful DNS lookups being hijacked?
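
One check for the gap the post describes between `host` and `getaddrinfo`, as an added example that is not part of the original post: it lists, in order, the names the glibc stub resolver queries for a single lookup, given the resolv.conf contents and the machine's hostname. The function names are hypothetical, and the hostname is an assumption taken from the censored /etc/hosts line above.

```python
# Added example (not from the original post). Lists, in order, the names the
# glibc stub resolver behind getaddrinfo() queries for one lookup.

def parse_resolv_conf(text):
    """Return (search_list, ndots); search_list is None when neither a
    'domain' nor a 'search' line is present."""
    search, ndots = None, 1                       # glibc default: ndots:1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":    # blank line or comment
            continue
        if fields[0] == "domain" and len(fields) > 1:
            search = [fields[1]]
        elif fields[0] == "search":
            search = fields[1:]                   # last domain/search line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots

def candidate_names(name, resolv_text, hostname):
    """Fully qualified names tried for `name`, in query order."""
    if name.endswith("."):                        # trailing dot: absolute, no search
        return [name]
    search, ndots = parse_resolv_conf(resolv_text)
    if search is None:
        # No domain/search line: the default domain is whatever follows the
        # first dot of the name returned by gethostname().
        domain = hostname.partition(".")[2]
        search = [domain] if domain else []
    expanded = [f"{name}.{d.strip('.')}." for d in search if d.strip(".")]
    absolute = [name + "."]
    # At least ndots dots: try the name as given first, then the search list.
    return absolute + expanded if name.count(".") >= ndots else expanded + absolute

# resolv.conf as shown in the post.
RESOLV_CONF = "nameserver 69.64.66.11\nnameserver 69.64.66.10\n"
# Assumption: gethostname() returns the first name on the post's censored
# 127.0.0.1 line in /etc/hosts; the real value is not shown on the page.
HOSTNAME = "myownhostname.com"

if __name__ == "__main__":
    for fqdn in candidate_names("noexample.com", RESOLV_CONF, HOSTNAME):
        print(fqdn)
```

Later names in the list are queried only when the earlier ones fail. Running `host` on each printed name, trailing dot included, shows which of them returns an address.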