Artarmin.com - redirect to random site for some users

Hey @arminelec, sorry for delay. Thought I’d start a dedicated thread for this. I’m thinking aloud here of all the possibilities that come to mind, and what can be eliminated, based on experience from work. Appreciate not all of these will be appropriate for your situation. I hope an expert on here can weigh in too! It is an odd one, but odd ones do happen

The first thing to note is that right now I am not seeing the problem today on my PC, but I did just set up a traffic inspector for decrypting SSL traffic via an intermediate certificate. My mobile still sees the issue on wifi and 4G. It may be that a reboot of my PC may retrigger the issue due to the TLS interference.

1. My understanding of the problem:

A small percentage of users are redirected to another random website. Both sites have correctly configured TLS / SSL certificates that I can see, I ran checks on both. This is not specific to a machine, or a network. Possibly region, will come on to that.

This is either malicious, or a misconfiguration somewhere. I don’t see any obvious evidence of malicious activity, the redirected site seems to be an unused Wordpress blog for a genuine business. However, a redirect on your side to this business would also be strange.

2. Possible causes and things that can be ruled out:

a. DNS resolution can be ruled out for now - you gave me the IP address of your site and I was able to resolve to the same IP via my own ISPs DNS servers, as well as Google’s. The redirect site has a consistently different IP address across all DNS servers as well.

b. TLS certificate issue seems unlikely without a DNS issue as well, and no obvious problems with the certs. I mentioned the traffic inspector issue above, but it’s not proof of a problem there.

On to other candidates:

c. You mentioned you have a dedicated server. Could this be dedicated servers, as far as your host provider is concerned? A very common cause for intermittent site issues is one or more of the origin servers has a mis-configuration. And then DNS resolution will send most clients to the correct site, and a few to the wrong one.

Edit: in this case I am making a rough assumption here, which is that each web server is configured with a private IP address, and sitting in front of them is a load balancer, firewall, or both, with a public IP address. That device will balance request traffic across those servers. Public traffic to the device will either be ‘direct’ (there may be stages of firewalls in reality at a provider), or from a CDN.

You can eliminate this possibility by checking your web config, or configs, and also searching your web server traffic response logs. You can extract all 301s and 302s, plus 304s if appropriate. Also the text string for the redirected domain site to see if that is referenced. Naturally if there are multiple servers, they all need to be checked. If you have sufficient access then it’s possible to create batch file or equivalent that will do this job and output all the results to a text file.

d. Speaking of 304s, do you use a CDN in front of your site, or another form of cache such as Varnish? It is possible to have a misconfiguration, or even a strange cache corruption there. Also are there any patterns to the users? Eg are they in the UK? There could be some incorrect logic either on the CDN side, or potentially on origin, that pushes some users elsewhere. I don’t currently have the traffic inspector CDN headers set up because I’ve done a fresh install, but I will do it later. It’s a bit fiddly on my app though.

e. The last one is a real random hunch guess time. The other possibility is some odd routing misconfiguration at the ISP level, possibly region based. It would be very rare and I can’t see anything on the DNS level to suggest this, but it’s not impossible. Only the ISP tech support would be able to check their DNS and web servers just to eliminate anything there.

Right now that’s everything that springs to mind, and I’m sorry it doesn’t prove anything or give an answer. Perhaps all this is obvious too! I’ll update of course if I have any ‘eureka’ moments

First and foremost, thank you very much @Octofox for spending time on investigating, gathering and writing your thoughts as an expert, on this issue. I appreciate it very much.

Now to the matters you mentioned:

Regarding DNS issues, I checked all your possibilities using MXToolbox (as usual) and going through all available results. As you can see there, I use DigitalOcean droplets to host my servers.

• The main artArmin webserver (where the downloadable files are hosted) is only one server and for that server I have no CDN in use, nor any load-balancers. All configurations, including DNS records are done by myself for all my servers.
• I checked all configurations for the main server as well as my other servers several times, just in case any of them could be misconfigured. In this case even one misconfiguration could potentially cause a problem. Fortunately everything is fine on all the servers.

So, the only thing that remains is the last two points that you mentioned. Unfortunately I do not know which users from which countries and/or using which ISPs are the ones with connection problems. But as you suspected earlier, I would also think there is at least one DNS server that could contain incorrect zone record.

Thanks again for investigating all possibilities. I also am curious how your PC is working fine, yet your phone is not. If it has been a DNS cache issue, it should work on any device behind the same network. Unless of course the device DNS cache is stale. In any case that is if it is related to DNS providers having issues on certain routes to users.

No problem at all, happy to help but sorry I have not been able to provide a definite answer.

Indeed I was thinking that maybe my mobile Chrome is still caching responses so I was planning to completely wipe the history.

However, I have just found something that gives a big clue that it might be an issue with DigitalOcean. When you mentioned you were using the MXTools site that reminded me to check all the various DNS records. That site checks MX (Mail eXchange records) primarily. I thought I would check further on A and CNAME records.

Well, I noticed a significant thing when setting nslookup to only check CNAME records. The other company domain is also hosted by DigitalOcean name servers

While I’m not familiar with their infrastructure, that seems unlikely to be co-incidence! I would absolutely get in touch with their support, provide some of the evidence, and ask them to investigate. There is something on their Name Servers in conjunction with their web platform which is likely to be triggering this.

As an example of the CNAME record lookup:

set type=cname
artarmin.com
Server: UnKnown
Address: fdf6:95e4:e8b8:0:7250:afff:fe71:4af8

artarmin.com
primary name server = ns1.digitalocean.com
responsible mail addr = hostmaster.artarmin.com
serial = 1607382090
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 1800 (30 mins)

crystalbldgsev.com
Server: UnKnown
Address: fdf6:95e4:e8b8:0:7250:afff:fe71:4af8

crystalbldgsev.com
primary name server = ns1.digitalocean.com
responsible mail addr = hostmaster.crystalbldgsev.com
serial = 1605715799
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 1800 (30 mins)

I hope that helps! Let me know how you get on, or if you need any more help

That’s very interesting. I do not have IPv6 enabled/configured. So how did your lookup returned that address value for you?

This is what I get for v6 A records from mxtoolbox

Screenshot 2020-12-10 1600371314×498 26.7 KB

That is the responding DNS server address, which would be my ISP’s DNS server by default. I have also tested responses using 8.8.8.8 which is one of Google’s DNS server groups - good to also test via a public reliable DNS server like that to compare results. Google gives the same results in all cases.

Btw the lookup is just from my home PC using nslookup via command line.

IIRC Windows 10 has IPv6 enabled by default and would need to be manually switched off. I disabled it on my work laptop quite a long time ago as it was unnecessary.

I received a correct A record for your domain, it’s the second part. The forum takes command line characters from the first part and converts that to a quote format, sorry :

set type=A
artarmin.com
Server: UnKnown
Address: fdf6:95e4:e8b8:0:7250:afff:fe71:4af8

Non-authoritative answer:
Name: artarmin.com
Address: 142.93.235.65

I also set the DNS server on the lookup to be DigitalOcean’s primary DNS server, but the results are still the same. It is in fact not authoritative, so presumably you have registered the domain with another ISP originally and the authoritative DNS server is with them.

Setting the DNS server:

server ns1.digitalocean.com
Default Server: ns1.digitalocean.com
Addresses: 2400:cb00:2049:1::adf5:3a33
173.245.58.51

Doing the lookups with that server:

artarmin.com
Server: ns1.digitalocean.com
Addresses: 2400:cb00:2049:1::adf5:3a33
173.245.58.51

Non-authoritative answer:
Name: artarmin.com
Address: 142.93.235.65

crystalbldgsev.com
Server: ns1.digitalocean.com
Addresses: 2400:cb00:2049:1::adf5:3a33
173.245.58.51

Non-authoritative answer:
Name: crystalbldgsev.com
Address: 128.199.59.77

I’m thinking that we might not find anything obvious in the DNS records, at least so far they all seem OK. But the fact that both domains, and probably both sites, are managed by DigitalOcean suggests an incorrect relationship between the two, somewhere

@arminelec, @SweViver i was one of those guys how couldnt download PE etc from Artarmin Download link.
Just want to let you guys know that i can download from Artarmin DL now.
I was downloading PE 84…
I dont get redirected to Crystal anymore.

But i didnt change anything on my end!
I can even call Artarmin.com without getting redirected to Crystal.

@arminelec did you change something on your servers?

Happy to hear you can access the site and download the files.

No. We suspect it is likely that something went wrong on one or more DNS providers, due to a misconfiguration or an update failure. @Octofox and I have extensively checked anything we could. As you can see above, we only speculated on what could have gone wrong. In any case, the problems should go away one server at a time and users all over the world should be able to access the correct website again.

Allright, looks like the problem is solved and can be closed i guess.

Why am I here?

Humans have gazed up at the stars and asked themselves that very question for millennia

I’m glad this topic inspired the same sense of wonder in you