Advice Request Different connection for same site in different browsers

blackice · Mar 30, 2020

I got a malware blocked message from my router the other day for googlehosted(dot)com. This was not a site I visited and I had not had a site get blocked while browsing. After going back and forth with support, and digging through my web history and looking at connections in uBlock Origin, it appears that virustotal(dot)com loads googlehosted(dot)com. The strange thing is that it only tries to connect to that url when using Firefox, and not Chrome or Edge Chromium. Anybody know why this might be? I tried reinstalling Firefox and clearing all the app data in case I picked up something on the web, but even with a clean install it happens.

ChoiceVoice · Mar 30, 2020

Do you have the virustotal extension for firefox? it might be turned off but still installed so you forgot it was there. (I'm not even sure if that extension still works on the newer firefox ? )

blackice · Mar 30, 2020

ChoiceVoice said:
Do you have the virustotal extension for firefox? it might be turned off but still installed so you forgot it was there. (I'm not even sure if that extension still works on the newer firefox ? )

I never installed an extension for VirusTotal. In fact I did try with a fresh Firefox install without any extensions.

South Park · Mar 30, 2020

Google owns Virus Total, so it may trying to insert some kind of Google advertisement. Because of the Google ownership I usually avoid Virus Total and recommend this excellent site instead: Jotti's malware scan

blackice · Mar 30, 2020

South Park said:
Google owns Virus Total, so it may trying to insert some kind of Google advertisement. Because of the Google ownership I usually avoid Virus Total and recommend this excellent site instead: Jotti's malware scan

What’s weird is no other google owned site I checked used this url.

South Park · Mar 30, 2020

blackice said:
What’s weird is no other google owned site I checked used this url.

That is strange. I just visited VT now with FF 74.0 and uBO, and nothing tried to load from Google other than Google Analytics:

blackice · Mar 30, 2020

South Park said:
That is strange. I just visited VT now with FF 74.0 and uBO, and nothing tried to load from Google other than Google Analytics:
View attachment 235906

This is what I get for google, can't fit them all in one snip:

South Park · Mar 30, 2020

@blackice , the ones in blue represent "CNAME uncloaking" and are usually coming from a CDN. I am mystified by your results. Is your Firefox and uBO version up-to-date? My uBO is 1.25.2

blackice · Mar 30, 2020

Yes they are. I suspect some weirdness with my ISP's DNS. Since it's firefox i tried DoH with Cloudflare and it came up differently. They are no stranger to DNS hijacking and cache poisoning (Comcast). I wonder if Firefox somehow is grabbing the DNS info differently than Chromium based browsers. My router currently cannot use third party DNS properly due to some bug in the firmware. I guess I'll set a specific one for my PC for now. It's a relief to know I was right that it was just some DNS header info getting spit out. I was a bit concerned I had something going rogue on my system.

With ISP:

With Cloudflare:

South Park · Mar 30, 2020

blackice said:
Yes they are. I suspect some weirdness with my ISP's DNS. Since it's firefox i tried DoH with Cloudflare and it came up differently. They are no stranger to DNS hijacking and cache poisoning (Comcast). I wonder if Firefox somehow is grabbing the DNS info differently than Chromium based browsers. My router currently cannot use third party DNS properly due to some bug in the firmware. I guess I'll set a specific one for my PC for now. It's a relief to know I was right that it was just some DNS header info getting spit out. I was a bit concerned I had something going rogue on my system.

With ISP:
View attachment 235908

With Cloudflare:

View attachment 235909

That's fascinating! I currently use Quad9 DOH in FF with no fallback because I don't trust my ISP as far as I can throw it.

blackice · Mar 30, 2020

South Park said:
That's fascinating! I currently use Quad9 DOH in FF with no fallback because I don't trust my ISP as far as I can throw it.

I slapped on cleanbrowsing security filter in FF with DoH, that’s what I was using for my router DNS before they borked the firmware up. I don’t trust my ISP with DNS resolving and this would have been a dealbreaker if it was an issue before I got the router.

ChoiceVoice · Apr 2, 2020

there are a couple of antivirus' out there that background upload to virustotal too, and there might be something in particular with firefox that gets them excited. ex. crystal, voodoshield, etc ??? longshot guess I know, heheh, but if so, you could disable them to see.

blackice · Apr 2, 2020

ChoiceVoice said:
there are a couple of antivirus' out there that background upload to virustotal too, and there might be something in particular with firefox that gets them excited. ex. crystal, voodoshield, etc ??? longshot guess I know, heheh, but if so, you could disable them to see.

It is definitely something my ISP DNS is doing. @South Park was right about the CNAME unmasking.

Search

Advice Request Different connection for same site in different browsers

blackice

Level 39

ChoiceVoice

Level 6

blackice

Level 39

South Park

Level 9

blackice

Level 39

South Park

Level 9

blackice

Level 39

South Park

Level 9

blackice

Level 39

South Park

Level 9

blackice

Level 39

ChoiceVoice

Level 6

blackice

Level 39

Similar threads