I run a bind instance at home, mainly just to tinker and do some rudimentary DNS filtering on my kids’ devices.
Recently, I’ve been getting Chrome “Certificate Revoked” errors every time I click on an ad. I checked the cert, and it’s a Startcom cert, which most browsers have started rejecting due to some shenanigans in the way the company was issuing certs.
So the name on the cert is “pacy01.pacyworld.com”. Pacyworld looks like a small web host in Florida. The domain Google uses to redirect its ads is www.googleadservices.com. This is a CNAME for pagead.l.doubleclick.net.
My bind instance is set with Google’s public DNS servers as forwarders (184.108.40.206 and 220.127.116.11).
My bind cache has this domain name (pagead.l.doubleclick.net) resolving to 18.104.22.168, corresponding to pacy01.pacyworld.com. The TTL is also 1 day, as opposed to the short TTLs on most of Google’s records (like 300s). If I dig at Google’s public DNS servers, I get consistently different results (always Google IPs).
So, I clear my bind cache and everything is OK for a while. But due to the short TTLs on the “correct” responses, eventually, that rogue entry winds up in the cache again and stays there for 24h, leading to cert errors every time someone clicks an ad.
Is it possible Google has misconfigured their DNS for this domain, or is something happening in my network that is leading to this incorrect entry continuing to reappear in my bind cache?
I don’t really understand the mechanics of cache poisoning, but could I have something in my network that would poison the cache of an internal resolver? My understanding of cache poisoning is that it affects public resolvers, but like I said, my understanding is pretty limited.
submitted by /u/bellwoodian
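One way to turn the manual check described in the post (dump the bind cache, compare the long-TTL entry with what the upstream resolver currently answers) into a repeatable script, as an added example that is not part of the original post. It parses the record lines of an `rndc dumpdb -cache` dump (named_dump.db layout, including continuation lines where BIND omits the owner name for the second and later records of an RRset) and flags A records for watched names whose TTL is far longer than the authoritative side hands out, or whose address falls outside the ranges the upstream resolver is currently returning. The dump excerpt, the watch list, the expected ranges (RFC 5737 documentation addresses standing in for Google's) and the TTL threshold are all constructed for the example; the hostnames come from the post.

```python
"""Flag suspicious entries in a BIND cache dump (added example, not the poster's code).

Reads the record lines of a named_dump.db file produced by `rndc dumpdb -cache`
and reports A records for watched names that either sit in the cache with a
TTL far above what the authoritative side normally serves, or point at an
address outside the ranges the upstream resolver currently returns.
"""
import ipaddress
from dataclasses import dataclass

# Constructed cache-dump excerpt in named_dump.db layout. Hostnames are the ones
# from the post; addresses are RFC 5737 documentation ranges, not real ones.
SAMPLE_DUMP = """\
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20170301120000
; authanswer
www.googleadservices.com.\t287\tIN\tCNAME\tpagead.l.doubleclick.net.
; authanswer
pagead.l.doubleclick.net.\t86312\tIN\tA\t198.51.100.7
; authanswer
www.google.com.\t212\tIN\tA\t192.0.2.21
\t\t\t212\tIN\tA\t192.0.2.22
; glue
ns1.example.net.\t172800\tIN\tA\t192.0.2.53
"""

# Constructed policy: names whose A records we expect to be short-lived, the
# ranges the upstream resolver answers with (assumed, stand-in for Google's),
# and the longest TTL we are willing to see on those names.
WATCHED = {"pagead.l.doubleclick.net.", "www.google.com."}
EXPECTED_NETS = ["192.0.2.0/24"]
MAX_TTL = 3600


@dataclass(frozen=True)
class CacheRecord:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_cache_dump(text: str) -> list[CacheRecord]:
    """Parse `name ttl IN type rdata` lines; skip comments and $ directives.

    A line starting with whitespace is a continuation of the previous RRset,
    so the owner name is carried over from the last full record line.
    """
    records: list[CacheRecord] = []
    owner: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith((";", "$")):
            continue
        fields = raw.split()
        if raw[0].isspace():
            if owner is None:
                continue  # continuation line with nothing to continue
            fields = [owner] + fields
        if len(fields) < 5 or fields[2] != "IN":
            continue
        try:
            ttl = int(fields[1])
        except ValueError:
            continue
        owner = fields[0].lower()
        records.append(CacheRecord(owner, ttl, fields[3], " ".join(fields[4:])))
    return records


def find_suspicious(records, watched, expected_nets, max_ttl):
    """Return [(record, [reasons])] for watched A records that look off."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    hits = []
    for rec in records:
        if rec.rtype != "A" or rec.name not in watched:
            continue
        reasons = []
        if rec.ttl > max_ttl:
            reasons.append(f"ttl {rec.ttl}s exceeds {max_ttl}s")
        addr = ipaddress.ip_address(rec.rdata)
        if not any(addr in net for net in nets):
            reasons.append(f"{rec.rdata} outside expected ranges")
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in find_suspicious(
        parse_cache_dump(SAMPLE_DUMP), WATCHED, EXPECTED_NETS, MAX_TTL
    ):
        print(f"{rec.name} A {rec.rdata} (ttl {rec.ttl}): {'; '.join(reasons)}")
```

In use you would replace SAMPLE_DUMP with the contents of the real dump file and fill EXPECTED_NETS from a fresh `dig @8.8.8.8 pagead.l.doubleclick.net A` run, so the script tells you whether the entry in the cache matches what the forwarder is handing out right now. Running it from cron each time the cache is refreshed also records when the rogue entry reappears, which is the timing information needed to tell a forwarder problem from something on the local network.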