
ns41.rookdns.com showing up under Shared

Hi, after having some performance problems with my iMac, I noticed that in Finder under Shared All..., this shows up: ns41.rookdns.com. I did not attach to this URL, it just apparently showed up. Furthermore, it shows up on all the Macs on my home network (another iMac and a MBP). Naturally, I don't want to share anything with whoever this is. Maybe this is no big deal and I missed the memo....


It appears that this site is associated with RookMedia; is this a supercookie or something? I would like to eject this but can't find a way to do that.


A ClamXAV scan showed no issues. I have a Cisco router/Firewall, and the OS X Firewall is active on all my Macs. My MBP is Yosemite, iMacs are Mavericks and all are up to date with security patches.


Questions are: 1) is this something to be concerned about? 2) Can I eject this share? If so, how?


TIA.


tj

Posted on Apr 1, 2015 7:07 PM


Apr 1, 2015 9:40 PM in response to tjhach

ns generally stands for "name server" and there are often multiple servers associated with a given DNS which "rookdns" would seem to confirm. The IP address for that server is 141.8.224.183 which appears to be in Switzerland. That matches up with GoDaddy's registration information for RookMedia:

Domain Name: ROOKDNS.COM

Registry Domain ID: 1633684184_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Update Date: 2015-01-05T11:44:03Z

Creation Date: 2011-01-06T10:55:05Z

Registrar Registration Expiration Date: 2020-01-06T10:55:05Z

Registrar: GoDaddy.com, LLC

Registrar IANA ID: 146

Registrar Abuse Contact Email: abuse@godaddy.com

Registrar Abuse Contact Phone: +1.480-624-2505

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited

Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited

Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID:

Registrant Name: Rook Media GmbH

Registrant Organization:

Registrant Street: Boehnirainstr. 13

Registrant City: Thalwil

Registrant State/Province:

Registrant Postal Code: 8800

Registrant Country: Switzerland

Registrant Phone: +41.774207249

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: admin@rookmedia.net

Registry Admin ID:

Admin Name: Rook Media GmbH

Admin Organization:

Admin Street: Boehnirainstr. 13

Admin City: Thalwil

Admin State/Province:

Admin Postal Code: 8800

Admin Country: Switzerland

Admin Phone: +41.774207249

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: admin@rookmedia.net

Registry Tech ID:

Tech Name: Rook Media GmbH

Tech Organization:

Tech Street: Boehnirainstr. 13

Tech City: Thalwil

Tech State/Province:

Tech Postal Code: 8800

Tech Country: Switzerland

Tech Phone: +41.774207249

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: admin@rookmedia.net

Name Server: NS1-106.AKAM.NET

Name Server: NS1-109.AKAM.NET

Name Server: USC4.AKAM.NET

Name Server: USC5.AKAM.NET

DNSSEC: unsigned


So that all looks legitimate, but I have no idea why it would appear in Shared. What DNS shows up in your Cisco? If it's not what you or your ISP want to be there then perhaps the Cisco was hacked.

Jun 7, 2015 8:43 PM in response to family_thomas

Where did home.com appear? Was it listed in System Preferences->Network->Advanced... button->DNS tab->Search Domains or your router or somewhere else?


Do you recognize home.com as being associated with your ISP or an alternate DNS that you have chosen?


Here's the whois on that domain:

Domain Name: HOME.COM

Registry Domain ID: 1668509_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.tucows.com

Registrar URL: http://tucowsdomains.com

Updated Date: 2015-03-06T20:20:21Z

Creation Date: 1993-12-16T05:00:00Z

Registrar Registration Expiration Date: 2015-12-15T05:00:00Z

Registrar: TUCOWS, INC.

Registrar IANA ID: 69

Registrar Abuse Contact Email: Email Masking Image@tucows.com

Registrar Abuse Contact Phone: +1.4165350123

Domain Status: clientTransferProhibited

Domain Status: clientUpdateProhibited

Registry Registrant ID:

Registrant Name: domain administration

Registrant Organization: Anything.com, Ltd.

Registrant Street: Clifton House 75 Fort St PO Box 1350

Registrant City: George Town

Registrant State/Province: Grand Cayman

Registrant Postal Code: KY1-1108

Registrant Country: KY

Registrant Phone: +1.3457497687

Registrant Phone Ext:

Registrant Fax: +1.3457497687

Registrant Fax Ext:

Registrant Email: Email Masking Image@anythingwhois.com

Registry Admin ID:

Admin Name: domain administration

Admin Organization: Anything.com, Ltd.

Admin Street: Clifton House 75 Fort St PO Box 1350

Admin City: George Town

Admin State/Province: Grand Cayman

Admin Postal Code: KY1-1108

Admin Country: KY

Admin Phone: +1.3457497687

Admin Phone Ext:

Admin Fax: +1.3457497687

Admin Fax Ext:

Admin Email: Email Masking Image@anythingwhois.com

Registry Tech ID:

Tech Name: domain administration

Tech Organization: Anything.com, Ltd.

Tech Street: Clifton House 75 Fort St PO Box 1350

Tech City: George Town

Tech State/Province: Grand Cayman

Tech Postal Code: KY1-1108

Tech Country: KY

Tech Phone: +1.3457497687

Tech Phone Ext:

Tech Fax: +1.3457497687

Tech Fax Ext:

Tech Email: Email Masking Image@anythingwhois.com

Name Server: NS41.ROOKDNS.COM

Name Server: NS42.ROOKDNS.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of WHOIS database: 2015-03-06T20:20:21Z <<<

Jun 9, 2015 2:27 AM in response to ilcapocuico

ilcapocuico wrote:


Please read the entire post, it is clear to me that this was probably a typo in the router configuration.

Believe me I have been reading every word in this discussion starting two hours after it was first posted and nothing tells me it was a typo.


Hundreds of thousands of routers are currently hacked to act as botnets, including some from Cisco, so that will always be a possibility as far as I'm concerned.


Researchers uncover “self-sustaining” botnets of poorly secured routers.

Sep 26, 2015 5:51 AM in response to tjhach

I had the same issue with ns41.rookdns showing up in Finder under Shared. The most likely cause (and in my case it was exactly this) is your router's domain being set to "home.com". This will push the search domain "home.com" to your Mac. If you look at home.com, its DNS servers are provided by Rookdns and in this case specifically ns41.rookdns.com.
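The check described in the post above, as an added example that is not part of the original thread: it reads `scutil --dns` output, lists the search domains the router pushed to the Mac, and marks any that fall outside special-use suffixes and so may be a registered domain owned by someone else. The function names, the suffix list and the sample input are assumptions of this example; the sample is constructed.

```shell
#!/bin/sh
# Audit DNS search domains pushed to a Mac by the router (via DHCP).
# Input format is the output of `scutil --dns` on macOS.

# Constructed sample of `scutil --dns` output (not captured from a real host).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : home.com
  search domain[1] : home.arpa
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
'

# Print each unique search domain, lower-cased, one per line.
search_domains() {
    sed -n 's/^[[:space:]]*search domain\[[0-9]*][[:space:]]*:[[:space:]]*//p' |
        tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u
}

# Classify one domain. Special-use suffixes are not delegated to an outside
# owner; any other suffix may belong to a registered domain whose name
# servers will then answer lookups for unqualified host names.
classify_domain() {
    case "$1" in
        local|*.local|home.arpa|*.home.arpa|test|*.test|invalid|*.invalid|localhost|*.localhost)
            echo "reserved" ;;
        *)
            echo "public" ;;
    esac
}

# Read scutil output on stdin, print "domain<TAB>verdict" per search domain.
audit_search_domains() {
    search_domains | while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s\t%s\n' "$d" "$(classify_domain "$d")"
    done
}

# Demo on the constructed sample; on a Mac: scutil --dns | audit_search_domains
printf '%s' "$SAMPLE_SCUTIL" | audit_search_domains
```

A "public" verdict does not prove the domain is registered, only that it is not on the example's special-use list; a name you do not own showing up there matches the router setting the post describes.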
