After Zoom install: macOS forwards various requests to localhost
Right on the day I installed (and uninstalled) Zoom, various URLs began to be forwarded to localhost. Like:
$ traceroute -I googleadservices.com
traceroute to googleadservices.com (127.0.0.1), 64 hops max, 72 byte packets
1 localhost (127.0.0.1) 0.525 ms 0.061 ms 0.054 ms
Other sites and services are affected, too, so I had to grab the IPs behind the domains and hardcode things in /etc/hosts to be able to work. It looks like this now:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
#manual quickfixes:
140.82.113.3 github.com
140.82.118.4 gist.github.com
151.101.52.133 gist.githubusercontent.com
104.28.28.240 coronazaehler.de
172.217.2.106 firebasestorage.googleapis.com
104.26.1.95 myairbridge.com
157.240.18.19 cdn.fbsbx.com
# BEGIN section for OpenVPN Client SSL sites
127.94.0.1 client.openvpn.net
127.94.0.2 openvpn-client.vpn.leondrino.com
# END section for OpenVPN Client SSL sites
Using NordVPN doesn't change anything, but with Tor I can access everything. What could be wrong?
Solution 1:
Unbelievable, after months of digging around cluelessly, I seem to have found it out. Apparently, the IPs 103.86.99.99 and 103.86.96.96 are part of some malicious part; they appear here:
$ scutil --dns
resolver #1
search domain[0] :
nameserver[0] : 192.168.178.1
nameserver[1] : fd00::7eff:4dff:fe7e:56fa
if_index : 5 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
nameserver[0] : 103.86.99.99
nameserver[1] : 103.86.96.96
if_index : 14 (ipsec0)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
and this resolver #2 isn't shown in any DNS settings in the system config. Running sudo scutil, I found these IPs in this entry:
>get State:/Network/Service/39118383-7AC1-4270-AA42-7F97B4505F57/DNS
>d.show
<dictionary> {
ConfirmedServiceID : 39118383-7AC1-4270-AA42-7F97B4505F57
ServerAddresses : <array> {
0 : 103.86.99.99
1 : 103.86.96.96
}
The top answer here showed me how to replace this entry with a proper one. After that, I ran:
sudo rm /etc/resolv.conf
sudo ln -s /var/run/resolv.conf /etc/resolv.conf
What kind of crap could that have been?
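A check for the situation described in the answer above, as an added example that is not part of the original post: it lists every nameserver in scutil --dns output that is not on an allow-list you supply, together with the resolver number and the interface it is scoped to. The function names and the allow-list are assumptions; the sample input is the resolver list quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). The function names and the
# allow-list passed as arguments are assumptions for illustration.

# Reads `scutil --dns` output on stdin; arguments are the nameservers you
# expect (router, DHCP-assigned, manually configured). Prints one line per
# unexpected nameserver: "<resolver> <interface> <nameserver>".
unexpected_resolvers() {
    awk -v allow="$*" '
    function report(   i) {
        for (i = 1; i <= cnt; i++)
            if (!(ns[i] in ok) && !seen[res, ifname, ns[i]]++)
                print res, ifname, ns[i]
        cnt = 0
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*resolver #/     { report(); res = $2; ifname = "-"; next }
    /nameserver\[[0-9]+\]/  { ns[++cnt] = $NF; next }
    /if_index/              { ifname = $NF; gsub(/[()]/, "", ifname) }
    END { report() }'
}

# Sample input: the resolver list quoted in the post above.
sample_scutil_output() {
    cat <<'EOF'
resolver #1
  search domain[0] :
  nameserver[0] : 192.168.178.1
  nameserver[1] : fd00::7eff:4dff:fe7e:56fa
  if_index : 5 (en0)
  flags : Scoped, Request A records, Request AAAA records
  reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
  nameserver[0] : 103.86.99.99
  nameserver[1] : 103.86.96.96
  if_index : 14 (ipsec0)
  flags : Scoped, Request A records
  reach : 0x00000003 (Reachable,Transient Connection)
EOF
}

# On the affected Mac: scutil --dns | unexpected_resolvers 192.168.178.1 ...
# Here, run against the sample with the router addresses as the allow-list.
sample_scutil_output | unexpected_resolvers 192.168.178.1 fd00::7eff:4dff:fe7e:56fa
```

A resolver that appears here but in no network preference pane, and is scoped to a tunnel interface such as ipsec0, is the kind of leftover entry the answer found under State:/Network/Service/.../DNS.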