# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securelist.com/roaming-mantis-part-iv/90332/
# Reference: https://twitter.com/ninoseki/status/1106842790351106048
# Reference: https://twitter.com/ninoseki/status/1150379897820332032
# Reference: https://twitter.com/ninoseki/status/1127109264877600768
# Reference: https://drive.google.com/file/d/12TaMKqqjkr_r3iq3LbPcGc6LKv2k1Hmw/view
# Reference: https://twitter.com/ninoseki/status/1156038231172894721
# Reference: https://twitter.com/ZeroCERT/status/1118840257334525952
# Reference: https://www.facebook.com/zerocert/posts/1143176292521769 (Korean)

1.53.252.164:53
1.53.252.215:53
1.171.160.155:53
1.171.166.13:53
1.171.175.119:53
1.171.46.86:53
118.30.28.38:53
118.30.28.39:53
118.168.200.231:53
128.14.6.12:53
128.14.6.13:53
171.244.3.110:53
171.244.3.111:53
171.244.33.114:53
171.244.33.116:53
220.136.110.179:53
42.112.35.45:53
42.112.35.46:53
42.112.35.47:53
42.112.35.48:53
42.112.35.49:53
42.112.35.50:53
42.112.35.51:53
42.112.35.52:53
42.112.35.53:53
42.112.35.54:53
42.112.35.55:53

# Reference: https://twitter.com/bad_packets/status/1079251375987425280

66.70.173.48:53

# Reference: https://twitter.com/parseword/status/1093234498228097024

144.217.191.145:53

# Reference: https://twitter.com/bad_packets/status/1112087547050520577
# Reference: https://twitter.com/bad_packets/status/1114236807367905280
# Reference: https://www.ixiacom.com/company/blog/paypal-netflix-gmail-and-uber-users-among-targets-new-wave-dns-hijacking-attacks
# Reference: https://securityboulevard.com/2019/04/paypal-netflix-gmail-and-uber-users-among-targets-in-new-wave-of-dns-hijacking-attacks/

195.128.124.131:53
195.128.124.150:53
195.128.124.181:53
195.128.126.165:53
35.228.220.70:53

# Reference: https://blog.talosintelligence.com/2019/04/seaturtle.html
# Reference: https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html

45.32.100.62:53
95.179.150.101:53
ns1.intersecdns.com
ns2.intersecdns.com
ns1.lcjcomputing.com
ns2.lcjcomputing.com
ns1.rootdnservers.com
ns2.rootdnservers.com

# Reference: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html (DNS Hijack Domains)

185.20.187.8:53

# Reference: https://twitter.com/david_jursa/status/1121719132137951232

23.94.149.242:53
172.245.14.114:53
198.46.131.130:53

# Reference: https://twitter.com/david_jursa/status/1131487385034870784
# Reference: https://pastebin.com/s98awS0E

176.123.7.80:53
31.204.153.34:53

# Reference: https://myonlinesecurity.co.uk/it-looks-like-another-dns-compromise-hack-happening/
# Reference: https://www.bleepingcomputer.com/news/security/new-spam-campaign-controlled-by-attackers-via-dns-txt-records/

ns1.firstdnshoster.com
ns2.firstdnshoster.com
188.225.25.33:53
104.193.252.156:53
104.193.252.177:53
185.209.160.70:53
190.2.147.146:53
31.148.219.110:53

# Reference: https://habr.com/ru/company/bizone/blog/456804/ (Russian)

188.165.200.156:53
217.12.210.54:53
91.217.137.37:53

# Reference: https://twitter.com/ninoseki/status/1144557737516232705 (118.30.28.38 and 118.30.28.39 are also listed under the Roaming Mantis references above)

118.30.28.38:53
118.30.28.39:53

# Reference: https://twitter.com/MetallicaMVP/status/1148919883255750656
# Reference: https://forums.malwarebytes.com/topic/249242-removal-instructions-for-extenbro/

45.86.180.227:53
77.234.40.79:53
116.203.6.218:53
185.130.104.222:53
185.162.93.213:53

# Reference: https://www.virustotal.com/gui/ip-address/204.93.216.151/relations (see the phishing domains related to this IP in the respective trail)
# Reference: https://www.virustotal.com/gui/domain/ns1.whatnexthost.com/details
# Reference: https://www.virustotal.com/gui/domain/ns2.whatnexthost.com/details

ns1.whatnexthost.com
ns2.whatnexthost.com
204.93.216.151:53

# Reference: https://www.scmagazineuk.com/new-mac-malware-mami-hijacks-dns-connections/article/1473476

82.163.142.137:53
82.163.143.135:53

# Reference: https://www.platinbilisim.com.tr/TR/Medya/Duyurular/dikkat-ghost-dns-261 (Turkish)
# Reference: https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
# Reference: https://twitter.com/ninoseki/status/1055224900829491200

139.60.162.188:53
139.60.162.201:53
144.22.104.185:53
173.82.168.104:53
18.223.2.98:53
185.70.186.4:53
185.70.186.7:53
192.99.187.193:53
198.27.121.241:53
200.196.240.104:53
200.196.240.120:53
35.185.9.164:53
80.211.37.41:53

# Reference: https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

217.12.218.114:53
217.12.218.115:53
217.12.218.116:53
217.12.218.117:53
217.12.218.118:53
217.12.218.119:53
217.12.218.120:53
217.12.218.121:53
46.17.102.10:53
46.17.102.11:53
46.17.102.12:53
46.17.102.13:53
46.17.102.14:53
46.17.102.15:53
46.17.102.16:53
46.17.102.17:53
46.17.102.18:53
46.17.102.19:53
46.17.102.20:53
46.17.102.21:53
46.17.102.22:53
46.17.102.23:53
46.17.102.24:53
5.39.220.117:53
5.39.220.118:53
5.39.220.119:53
5.39.220.120:53
5.39.220.121:53
5.39.220.122:53
5.39.220.123:53
5.39.220.124:53
5.39.220.125:53
5.39.220.126:53
93.115.31.194:53
93.115.31.195:53
93.115.31.196:53
93.115.31.197:53
93.115.31.198:53
93.115.31.199:53
93.115.31.200:53
93.115.31.201:53
93.115.31.202:53
93.115.31.203:53
93.115.31.204:53
93.115.31.205:53
93.115.31.206:53
93.115.31.207:53
93.115.31.208:53
93.115.31.209:53
93.115.31.210:53
93.115.31.211:53
93.115.31.212:53
93.115.31.213:53
93.115.31.214:53
93.115.31.215:53
93.115.31.216:53
93.115.31.217:53
93.115.31.218:53
93.115.31.219:53
93.115.31.220:53
93.115.31.221:53
93.115.31.222:53
93.115.31.223:53
93.115.31.224:53
93.115.31.225:53
93.115.31.226:53
93.115.31.227:53
93.115.31.228:53
93.115.31.229:53
93.115.31.230:53
93.115.31.231:53
93.115.31.232:53
93.115.31.233:53
93.115.31.234:53
93.115.31.235:53
93.115.31.236:53
93.115.31.237:53
93.115.31.238:53
93.115.31.239:53
93.115.31.240:53
93.115.31.241:53
93.115.31.242:53
93.115.31.243:53
93.115.31.244:53

# Reference: https://www.heise.de/security/meldung/Grossangriff-auf-Router-DNS-Einstellungen-manipuliert-2132674.html (German)

5.45.75.11:53
5.45.75.36:53

# Reference: https://www.virustotal.com/gui/ip-address/139.59.80.101/relations (the related phishing domains are in the phishing.txt trail)
# Reference: https://www.virustotal.com/gui/domain/ns1.fakesemoiin23.com/relations
# Reference: https://www.virustotal.com/gui/domain/ns2.fakesemoiin23.com/relations

ns1.fakesemoiin23.com
ns2.fakesemoiin23.com
139.59.80.101:53

# Reference: https://www.virustotal.com/gui/domain/upgrinfo.com/relations

ns1.upgrinfo.com
ns2.upgrinfo.com

# Reference: https://www.virustotal.com/gui/ip-address/162.220.8.212/relations

ns1.sagema.biz
ns2.sagema.biz
162.220.8.212:53

# Reference: https://twitter.com/ANeilan/status/1150246352053575680
# Reference: https://www.virustotal.com/gui/ip-address/167.114.28.162/relations

ns1.i-tunes-ld.com
ns2.i-tunes-ld.com
167.114.28.162:53

# Reference: https://twitter.com/P3pperP0tts/status/1150405598816677888
# Reference: https://twitter.com/P3pperP0tts/status/1150419408197693442

5.132.191.104:53
92.163.33.248:53
206.189.120.248:53
ns1.vic.au.dns.opennic.glue
ns2.vic.au.dns.opennic.glue

# Reference: https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/

192.169.243.50:53
104.238.80.102:53

# Reference: https://www.virustotal.com/gui/ip-address/185.28.193.195/relations (DNS addresses only)

dns1.reserve-dns-test.biz
dns2.reserve-dns-test.biz
dns45.reserve-dns-test.biz
dns46.reserve-dns-test.biz
ns1.bestuserweb.com
ns1.capcdn.com
ns1.celebritiesfotos.com
ns1.cialis-sale.com
ns1.cialisonline-bestrxstore.com
ns1.dedichnrtye.com
ns1.delns.com
ns1.edinaustralia.com
ns1.everesthost.net
ns1.familyhoteshop.com
ns1.generic-cialisrxstore.com
ns1.givebodyweb.com
ns1.handtoolguide.com
ns1.hookupjustforfck.com
ns1.hotcasinosonline.net
ns1.hotcasinosuk.com
ns1.ivemed.com
ns1.kashns.com
ns1.magichotcompany.com
ns1.medsexpress24.com
ns1.memphisrocktour.com
ns1.mostfallweb.com
ns1.newmansurfing.com
ns1.newmedicalsale.com
ns1.nsrehost.com
ns1.office-courier.com
ns1.onlyuserweb.com
ns1.otherintoweb.com
ns1.outmoneyweb.com
ns1.parkingdnsonline.com
ns1.potentialpharmacy.com
ns1.potutenresept.com
ns1.quickneasypay.com
ns1.rewrite-jobs.com
ns1.seo-konzultant.com
ns1.shemazu.com
ns1.sildenafilsverige.com
ns1.skinny-video.com
ns1.startnowtrade.com
ns1.tiyoomedia.com
ns1.trythissale.com
ns1.tube-anal.com
ns1.twitterdemographics.com
ns1.userfallweb.com
ns1.viagra-femenino.com
ns1.viagraonline-4rxonlinestore.com
ns1.vipills.net
ns1.workhotweb.com
ns1.xxxsextub.com
ns10.corposs.com
ns1google.com
ns2.bestuserweb.com
ns2.capcdn.com
ns2.celebritiesfotos.com
ns2.cialis-sale.com
ns2.cialisonline-bestrxstore.com
ns2.delns.com
ns2.edinaustralia.com
ns2.everesthost.net
ns2.familyhoteshop.com
ns2.givebodyweb.com
ns2.homerxdeal.com
ns2.hookupjustforfck.com
ns2.hotcasinosuk.com
ns2.ivemed.com
ns2.magichotcompany.com
ns2.medsexpress24.com
ns2.memphisrocktour.com
ns2.mostfallweb.com
ns2.newmansurfing.com
ns2.newmedicalsale.com
ns2.office-courier.com
ns2.onlyuserweb.com
ns2.otherintoweb.com
ns2.outmoneyweb.com
ns2.parkingdnsonline.com
ns2.potutenresept.com
ns2.rewrite-jobs.com
ns2.seo-konzultant.com
ns2.shemazu.com
ns2.skinny-video.com
ns2.startnowtrade.com
ns2.subreg.net
ns2.tiyoomedia.com
ns2.trythissale.com
ns2.tube-anal.com
ns2.twitterdemographics.com
ns2.userfallweb.com
ns2.viagra-femenino.com
ns2.viagraonline-4rxonlinestore.com
ns2.viagraonline-rxpharmacybest.com
ns2.vipills.net
ns2.workhotweb.com
ns2.xxxsextub.com
ns3.everesthost.net
ns3.freecelebfilms.com
ns3.hotcasinosonline.net
ns3.hotcasinosuk.com
ns3.medsexpress24.com
ns3.pokiesnzonline.com
ns3.potentialpharmacy.com
ns3.seo-konzultant.com
ns3.startnowtrade.com
ns3.trythissale.com
ns4.freecelebfilms.com
ns4.hotcasinosonline.net
ns4.hotcasinosuk.com
ns4.startnowtrade.com
ns4.trythissale.com
ns4.whatsappannunci.com
ns5.whatsappannunci.com
ns9.corposs.com
185.28.193.195:53

# Reference: https://twitter.com/DGAFeedAlerts/status/1151931732725293060
# Reference: https://www.virustotal.com/gui/domain/gatherreceive.net/details
# Reference: https://www.virustotal.com/gui/ip-address/63.251.106.22/relations

ns1.gatherreceive.net
ns2.gatherreceive.net
ns3.gatherreceive.net
ns4.gatherreceive.net
63.251.106.22:53

# Reference: https://www.welivesecurity.com/2016/06/02/crouching-tiger-hidden-dns/

199.203.131.145:53
199.203.131.150:53
199.203.131.151:53
199.203.131.152:53
82.163.142.2:53
82.163.142.3:53
82.163.142.4:53
82.163.142.5:53
82.163.142.6:53
82.163.142.7:53
82.163.142.66:53
82.163.142.67:53
82.163.142.68:53
82.163.142.69:53
82.163.142.70:53
82.163.142.130:53
82.163.142.131:53
82.163.142.132:53
82.163.142.133:53
82.163.142.134:53
82.163.142.135:53
82.163.142.136:53
82.163.142.137:53
82.163.142.138:53
82.163.142.139:53
82.163.142.140:53
82.163.142.141:53
82.163.142.142:53
82.163.142.143:53
82.163.142.144:53
82.163.142.145:53
82.163.142.146:53
82.163.142.147:53
82.163.142.148:53
82.163.142.149:53
82.163.142.150:53
82.163.142.151:53
82.163.142.152:53
82.163.142.153:53
82.163.142.154:53
82.163.142.155:53
82.163.142.156:53
82.163.142.157:53
82.163.142.158:53
82.163.142.159:53
82.163.142.160:53
82.163.142.161:53
82.163.142.162:53
82.163.142.163:53
82.163.142.164:53
82.163.142.165:53
82.163.142.166:53
82.163.142.167:53
82.163.142.168:53
82.163.142.169:53
82.163.142.170:53
82.163.142.171:53
82.163.142.172:53
82.163.142.173:53
82.163.142.174:53
82.163.142.175:53
82.163.142.176:53
82.163.142.177:53
82.163.142.178:53
82.163.142.179:53
82.163.142.180:53
82.163.142.181:53
82.163.142.182:53
82.163.142.183:53
82.163.142.184:53
82.163.142.185:53
82.163.142.186:53
82.163.142.187:53
82.163.142.188:53
82.163.142.189:53
82.163.143.131:53
82.163.143.132:53
82.163.143.133:53
82.163.143.134:53
82.163.143.135:53
82.163.143.136:53
82.163.143.137:53
82.163.143.138:53
82.163.143.139:53
82.163.143.140:53
82.163.143.141:53
82.163.143.142:53
82.163.143.143:53
82.163.143.144:53
82.163.143.145:53
82.163.143.146:53
82.163.143.147:53
82.163.143.148:53
82.163.143.149:53
82.163.143.150:53
82.163.143.151:53
82.163.143.152:53
82.163.143.153:53
82.163.143.154:53
82.163.143.155:53
82.163.143.156:53
82.163.143.157:53
82.163.143.158:53
82.163.143.159:53
82.163.143.160:53
82.163.143.161:53
82.163.143.162:53
82.163.143.163:53
82.163.143.164:53
82.163.143.165:53
82.163.143.166:53
82.163.143.167:53
82.163.143.168:53
82.163.143.169:53
82.163.143.170:53
82.163.143.171:53
82.163.143.172:53
82.163.143.173:53
82.163.143.174:53
82.163.143.175:53
82.163.143.176:53
82.163.143.177:53
82.163.143.178:53
82.163.143.179:53
82.163.143.180:53
82.163.143.181:53
82.163.143.182:53
82.163.143.183:53
82.163.143.184:53
82.163.143.185:53
82.163.143.186:53
82.163.143.187:53
82.163.143.188:53
82.163.143.189:53
82.163.143.190:53
95.211.158.129:53
95.211.158.130:53
95.211.158.131:53
95.211.158.132:53
95.211.158.133:53
95.211.158.134:53
95.211.158.135:53
95.211.158.145:53
95.211.158.146:53
95.211.158.147:53
95.211.158.148:53
95.211.158.149:53
95.211.158.150:53
95.211.158.151:53

# Reference: https://twitter.com/MASERGY/status/816720894424940544
# Reference: https://searchsecurity.techtarget.com/news/450410127/Switcher-Android-Trojan-targets-routers-with-rogue-DNS-servers

101.200.147.153:53
112.33.13.11:53
120.76.249.59:53

# Reference: https://twitter.com/ninoseki/status/1157110166086569985

185.205.210.23:53

# Reference: https://twitter.com/PhishingAi/status/1158769283263946752
# Reference: https://www.virustotal.com/gui/domain/ns1.villeflux.com/relations
# Reference: https://www.virustotal.com/gui/domain/ns2.villeflux.com/details
# Reference: https://www.virustotal.com/gui/domain/dns1.villeflux.com/details
# Reference: https://www.virustotal.com/gui/domain/dns2.villeflux.com/details

111.90.150.148:53
111.90.150.47:53
ns1.villeflux.com
ns2.villeflux.com
dns1.villeflux.com
dns2.villeflux.com

# Reference: https://security.stackexchange.com/questions/181328/did-i-just-get-dns-hijacked
# Reference: https://www.virustotal.com/gui/ip-address/185.183.96.174/details

185.183.96.174:53

# Reference: https://twitter.com/PhishingAi/status/1159309706222956544

192.210.142.146:53
ns1.colloc-rotcross.com
ns2.colloc-rotcross.com

# Reference: https://twitter.com/JAMESWT_MHT/status/852540935653208064

46.105.86.80:53

# Reference: https://twitter.com/ninoseki/status/1161151559100588032

158.69.94.9:53

# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/37214.txt

133.71.33.7:53

# Reference: https://github.com/reaperb0t/GhostDNS/blob/master/Remote_DNS_Changing_Exploits_not_GHOSTDNS_specific/42197.sh

133.7.133.7:53

# Reference: https://twitter.com/ninoseki/status/1128573489667907586

162.241.224.56:53

# Reference: https://twitter.com/david_jursa/status/1119573958095974400

172.245.211.58:53
23.94.66.186:53

# Reference: https://twitter.com/MichaelMburu_/status/1119243257203048448 (note: 172.27.197.232 lies in the private 172.16.0.0/12 range, so this entry may produce false positives on internal networks)

172.27.197.232:53

# Reference: https://twitter.com/ninoseki/status/1104181886824243200

65.181.123.142:53
65.181.123.143:53

# Reference: https://twitter.com/ninoseki/status/1073152249969336320

144.217.223.218:53
35.247.250.124:53

# Reference: https://twitter.com/ninoseki/status/1047697757731864576

18.191.81.137:53

# Reference: https://twitter.com/strayanmegaman/status/1001580761684717568
# Reference: https://www.bitdefender.com/box/blog/iot-news/800000-draytek-routers-risk-dns-hijacking-attack-update-firmware/

38.134.121.95:53

# Reference: https://twitter.com/ricmarks/status/966733953406291968

18.219.162.248:53

# Reference: https://twitter.com/leppie/status/661234162758721536

23.91.114.130:53

# Reference: https://twitter.com/abek42/status/642610851095158784

5.152.219.51:53

# Reference: https://twitter.com/teksquisite/status/473233221862182912

184.107.180.178:53

# Reference: https://twitter.com/nikcub/status/347579443994312704

204.11.56.17:53

# Reference: https://twitter.com/moukahal/status/194886840447279104

213.109.79.255:53
64.28.191.255:53
67.210.15.255:53
77.67.83.255:53
85.255.127.255:53
93.188.167.255:53

# Reference: https://twitter.com/bugsbane/status/74691655663497216

188.229.88.7:53

# Reference: https://security.stackexchange.com/questions/104480/investigating-a-possible-rogue-dns-server-maybe-dnschanger

93.158.212.36:53

# Reference: https://blog.scrt.ch/2017/07/10/numerous-swiss-domain-names-temporarily-hijacked/
# Reference: https://www.virustotal.com/gui/domain/ns1.dnshost.ga/relations
# Reference: https://www.virustotal.com/gui/domain/ns2.dnshost.ga/relations

46.183.219.205:53
46.183.219.206:53
46.183.219.227:53
ns1.dnshost.ga
ns2.dnshost.ga

# Reference: https://twitter.com/ninoseki/status/1164163472445173760

38.91.106.137:53

# Reference: https://twitter.com/david_jursa/status/1134355920639660037

80.82.77.166:53

# Reference: https://twitter.com/david_jursa/status/1166314807634604035

23.227.192.58:53

# Reference: https://twitter.com/david_jursa/status/1156517825122570240

23.94.245.170:53

# Reference: https://twitter.com/david_jursa/status/1114134608671649792

23.92.222.100:53
23.92.222.243:53

# Reference: https://twitter.com/david_jursa/status/1106154345878507520

198.12.64.210:53

# Reference: https://www.symantec.com/security_response/writeup.jsp?docid=2007-011811-1222-99&tabid=2
# Reference: https://www.virustotal.com/en/file/46a45be62c49ca51c4ae2e45727c6578e6872c3a9bc7ac7ccb9f83d96464e93a/analysis/

85.255.115.21:53
85.255.112.91:53

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/ (Table 3, all related to dns. and ns. records)

185.15.247.140:53
213.202.217.4:53
217.79.183.50:53
217.79.183.53:53
217.79.183.58:53
217.79.185.65:53
217.79.185.75:53
217.79.185.90:53
74.91.19.113:53
82.102.14.222:53
82.102.14.226:53
82.102.14.227:53
91.132.139.183:53
91.132.139.254:53
