Hello. I visited https://ssl.aukro.ua/fnd/authentication/ (online auction, ukrainian “ebay”) a few hours ago and web browser (all default: without addons, themes etc.) said: ssl.aukro.ua uses an invalid security certificate, the certificate is only valid for search.dnsadvantage.com (and it expired on 19.05.2014).
I checked the Windows DNS-preferences, and there was “156.154.70.22” and “156.154.71.22” (Comodo DNS-servers) here. I know that there was autoDNS from my internet-provider here (one month ago). I am sure that I didnt install adware with CIS installation and upgrades (such as PrivDog etc.) and I unchecked all unnecessary options. I changed DNS-preferences to autoDNS from my internet-provider, reboot and checked my PC with 4 antivirus BootCD (todays). The system was clean. And now the certificate of the https://ssl.aukro.ua/fnd/authentication/ is valid. I created virtual Windows and changed its DNS-servers to “156.154.70.22” and “156.154.71.22”. There was the same invalid security certificate on the https://ssl.aukro.ua/fnd/authentication/ . Then I changed DNS-preferences to autoDNS and the certificate became valid. I also changed the DNS-servers to “208.67.222.222” and “208.67.220.220” (OpenDNS) and the security certificate was valid.
What is it? MITM from ComodoDNS?
[attachment deleted by admin]
Then with 156.154.70.22" and "156.154.71.22 in the DNS-preferences I added the invalid security certificate to trust certificates and page redirected me to “securedns.comodo.com” witn the inscription “Unsafe Website Blocked”. I googled about ComodoDNS, found ( Free Comodo Secure DNS | Best DNS Security Solution 2022 ) 2 another IP: 8.26.56.26 and 8.20.247.20. After that I changed DNS-preferences to these IP, and security certificate was valid without any warnings. Incidentally ownership of these IP: 8.26.56.26 - Peak 10, Inc. ( http://bgp.he.net/ip/8.26.56.26 ) and 8.20.247.20 - Elvate, LLC ( http://bgp.he.net/ip/8.20.247.20 ) and its strange. I googled about "156.154.70.22" and "156.154.71.22": now these IP belong to NeuStar, Inc. ( http://bgp.he.net/ip/156.154.70.22 ) but I dont know that these IP belonged NeuStar, Inc. in the past or not. And “search.dnsadvantage.com” (from invalid certificate) belongs to NeuStar, Inc. too. But there are many mentions about “156.154.70.22” and “156.154.71.22” as ComodoDNS IP in the internet. Perhaps ComodoDNS used these IP in the past but now dont do it, and it try to work in defined bad way (Secure by friendly MitM, yeah). And I dont know how it happened (“156.154.70.22” and “156.154.71.22” in my DNS-prefernces), because as default CIS don`t install its SecureDNS and I was very attentive by the installation and upgrades (and I install exactly CIS 8, not previous versions). Maybe it was a bug, a strange vile bug, though that is no excuse for MitM from SecureDNS.