Global Cyber Security Alert for Judicial Systems and Law Enforcement Agencies Worldwide

Analysis of the devanholo.com Domain

Question: Where is the devanholo.com domain located, and where is its database hosted?

Domain Connection to Server

The domain is connected via a shared server IP for Alibaba Cloud with the IP address: 47.91.170.222.

DNS Servers

The domain devanholo.com uses the following DNS servers:

• jm1.dns.com
  • IP Address: 218.98.111.214
  • Organization Name: Jinan Jingdi Zhiban
  • Address: Jinan, Shandong Province, China
  • IP Range: 218.98.111.0 - 218.98.111.255
• jm2.dns.com
  • IP Addresses: 183.253.57.200, 211.99.99.50
  • Domain Name: jm2.dns.com
  • Organization Name: China Mobile Communications Corporation
  • Address: Beijing, China
  • IP Ranges: 183.192.0.0 - 183.255.255.255, 211.99.99.0 - 211.99.99.255
• IP Address 211.99.99.50
  • Organization Name: Shandong Stock Exchange
  • Address: Jinan, Shandong Province, China
  • Admin Contact: Kele Cao
  • Email: caokele@beelink.com
  • Phone: +86-0531-83192780
  • Fax: +86-0531-86097472
  • Abuse Contact: zhengkj@wy.cn
  • IP Range: 211.99.99.0 - 211.99.99.255
  • Network Status: Assigned Non-Portable
  • Last Modified: 2008-09-04

Domain Database

Question: Where is the database of the devanholo.com domain hosted?

Since the domain is connected to a shared server and IP information is distributed across multiple servers, the database is likely hosted within cloud infrastructure, such as Alibaba Cloud servers. This database could be distributed across multiple geographically diverse servers and synchronized in real-time.

Based on the provided information, the domain devanholo.com is hosted on a shared server in Alibaba Cloud with the IP address 47.91.170.222. Additionally, its DNS servers are jm1.dns.com and jm2.dns.com, which are located in China.

Possible Database Location

The storage location of a website’s database depends on the following factors:

1. Hosting Type (Shared or Dedicated)

Since this domain is hosted on a shared server in Alibaba Cloud, the database could be stored locally on the same server or on a cloud database service such as ApsaraDB (Alibaba Cloud’s database service).

2. Main Server IP Address (47.91.170.222)

The database service might be running on the same server, in which case its address would be localhost or 47.91.170.222.

If a cloud database service is used, there would be a separate domain for the database server (e.g., rds.aliyuncs.com).

3. DNS Configuration Analysis

The DNS servers are located in China, but this does not indicate the actual location of the database. DNS only resolves domain names to IP addresses and is not directly related to database hosting.

4. Platform Type (CMS or Custom)

If this website uses WordPress, Magento, or another CMS, the database is likely stored in MySQL/MariaDB on Alibaba Cloud.

If the website is custom-built, it may use MongoDB, PostgreSQL, or Redis as its database.

How to Determine the Database Location

To accurately identify the database location, the following methods can be used:

• Check the config.php or .env file (CMS platforms usually store database information in these files).
• Run nslookup or dig commands on the domain to find associated servers.
• Use tools like nmap and shodan.io to scan for active services on the server's IP address.

Conclusion

The database for this domain is likely hosted on the same server as the website (47.91.170.222) or utilizes Alibaba Cloud services such as ApsaraDB.

DNS Architecture Analysis and Implementation Scenario

You have identified 300 different domains under the .COM TLD, all pointing to the same website and using two fixed name servers (NS):

• jm1.dns.com
• jm2.dns.com

However, an important point to note is that these domains are distributed across different IP ranges and various geographical locations such as China, Hong Kong, South Africa, North America, Indonesia, Malaysia, and Singapore.

1. The Primary Role of the Two Fixed DNS Servers (jm1.dns.com & jm2.dns.com)

These two DNS servers function as the Primary and Secondary DNS for all 300 domains, meaning:

• They handle all domain queries.
• Instead of having separate NS records for each domain, all domains are centralized on these two DNS servers.
• They return an appropriate IP from a specific data center based on the requester's geographic location (GeoDNS or Anycast DNS).

2. Implementation Scenario: Using Anycast or GeoDNS

What is Anycast DNS?

In this method, a DNS address (e.g., jm1.dns.com) is hosted in multiple locations worldwide. When a user requests a domain, the DNS returns the nearest server. This reduces latency and increases website loading speed.

What is GeoDNS?

With GeoDNS, the DNS returns a different IP based on the user's geographic location. For example:

• If a user connects from South Africa, the DNS returns an IP from a South African server.
• If a user connects from China, the DNS returns an IP from a server in Hong Kong or China.

3. Assigning Different IPs to Domains

Domains are routed to different IPs across the world, including China, Hong Kong, South Africa, the USA, Seychelles, Indonesia, Malaysia, and Singapore. This suggests that the website’s servers are distributed across multiple data centers, utilizing global load balancing.

Methods for Implementing This Scenario

• Method 1: Configuring A Records in DNS with different IPs for different locations.
• Method 2: Using Anycast IP on a CDN or Load Balancer.
• Method 3: Using a Reverse Proxy or Edge Servers.

4. What is the Purpose of This Scenario?

A) Improving Website Performance and Speed

• Users receive responses from the closest server, optimizing loading speed.
• Reduced latency and improved user experience.

B) Increasing Stability and Security (DDoS Protection)

• If a data center fails, the DNS directs users to an alternative server.
• Mitigating DDoS attacks by distributing the load across multiple servers.

C) Bypassing Internet Censorship in Certain Countries

• This method is often used by websites that are blocked in certain regions.
• Having multiple servers with different IPs makes it harder to completely block access.

D) Special Use Cases (e.g., Botnets or Large-Scale Advertising)

• Some use this technique for gray-hat projects like click fraud, phishing, or botnet control (C2).
• Domains and servers frequently change to avoid detection.

5. Conclusion

This scenario represents a globally distributed network of DNS and web servers, likely leveraging Anycast DNS and GeoDNS to route traffic based on user location.

This technique is commonly used by major companies (such as Alibaba, Cloudflare, Google, and Amazon AWS) to enhance speed and stability.

Additionally, some websites use this approach to bypass censorship or manage botnets.

Recommended Tools for Further Analysis:

• Nslookup / Dig / WHOIS → To check DNS records
• Traceroute / MTR → To examine request routing
• Shodan.io → To analyze active services on IPs
• Passive DNS Analysis → To observe domain-to-IP relationships

Question:

Does this website have specific content that requires such an infrastructure?

Analysis of DNS Structure and Possible Objectives

Based on the provided information, the two name servers (jm1.dns.com and jm2.dns.com) have three different IP addresses located in China and belong to various Chinese organizations:

This indicates that the DNS structure is entirely managed in China and possibly falls under one of the following scenarios:

1. DNS Under the Control of a Specific Entity in China

These name servers are associated with different Chinese organizations, including:

• Jinan Jingdi Zhiban (Shandong Province)
• China Mobile Communications Corporation (Beijing)
• Shandong Stock Exchange (Shandong Stock Market)

The fact that both DNS servers are located in China and managed by different companies suggests centralized control over this system.

Possible Scenario:

• ✅ Centralized Domain Control: All 300 domains you mentioned receive responses from these DNS servers, indicating possible management by a central authority.
• ✅ Internet Traffic Monitoring: The location of these DNS servers in China could suggest governmental oversight of user access and traffic.
• ✅ Redirection and Monitoring Capability: Since these DNS servers are managed in China, there is a possibility of traffic manipulation or redirection to government-specified IP addresses.

2. Load Balancing and Anycast DNS

Since these DNS servers exist within multiple IP ranges in China, they may be using Anycast DNS or GeoDNS to direct users to the nearest server.

How Anycast Works in This System:

1. A user requests a domain.
2. The DNS server returns the closest IP address.
3. The user is directed to one of multiple servers in different locations (e.g., Hong Kong, Africa, the US).

Advantages and Concerns:

• ✅ Goal: Reduce latency, improve speed, and distribute the load across multiple servers.
• ✅ Concern: All DNS servers are controlled within China, raising potential concerns about filtering, redirection, or user data collection.

3. Possible Objectives of This Architecture

A) Strengthening a Chinese CDN

If these domains are linked to a private Chinese CDN (such as Tencent Cloud, Alibaba Cloud, or ChinaNet), the goal might be to accelerate access to international content for Chinese users.

B) Gray Hat Applications (Advertising or Cyber Attacks)

• ✅ The structure may be designed for large-scale click advertising or directing users to specific pages.
• ✅ If domains are redirected, phishing or malware hosting could also be possible.

C) Bypassing Internet Filtering

• ✅ This method is commonly used to mask the original server’s identity and bypass internet filtering systems.
• ✅ For example, users from restricted countries might be directed to unblocked IP addresses.

4. Is This Architecture Linked to a Specific Organization?

Based on IP addresses and organizational ownership, these DNS servers are located in China and managed by both state-owned and private Chinese companies.

Key Questions:

• Do the websites using these DNS servers provide specific content (e.g., political, economic, or special services)?
• Are these DNS servers listed in security threat reports or cybersecurity watchlists?
• Do the IP and domain patterns indicate a cyber attack or covert operation?

For Further Investigation, Consider:

• ✅ Using Passive DNS Analysis (to check domain history changes)
• ✅ Analyzing network traffic with Wireshark or Zeek (to inspect how these DNS servers handle requests)
• ✅ Checking these IPs on services like VirusTotal, Shodan, and AbuseIPDB (to find any abuse reports)

5. Final Conclusion

This architecture is most likely a distributed network managing domains under the control of a Chinese entity, potentially used for CDN, advertising, traffic control, or other activities.

For a more precise analysis, specific domains and DNS behavior could be further examined.

→ Do you have additional information about the domains connected to these DNS servers?

Analysis of Load Balancing Architecture and Distributed Database

Yes, that is correct. This architecture is typically implemented in two ways:

1. Load Balancing with DNS

In this method, each domain points to a set of IPs in different geographic regions, but all servers are connected to a centralized or synchronized database.

Mechanism:

• DNS directs requests to the nearest or fastest server.
• Each server maintains a synchronized copy of data (via Replication or Clustering).
• All servers connect to a central database or stay synchronized.

Use Cases:

• CDNs (such as Cloudflare, Akamai, Alibaba Cloud)
• Cloud services (AWS, Azure, Google Cloud)
• Distributed infrastructure to prevent downtime

2. Using a Distributed Database

In this approach, databases are distributed across multiple geographic locations and synchronize data in real time.

Mechanism:

• Each region (e.g., Hong Kong, South Africa, the US) maintains a local copy of the database.
• Changes are shared instantly (Real-time Replication) between databases.
• If a server goes down, requests are routed to the nearest available database.

Use Cases:

• Google Cloud Spanner (Google's distributed database)
• Amazon Aurora Global Database (Amazon's global database)
• Microsoft Cosmos DB (Microsoft's distributed database)

Conclusion

Each geographic region has its own IP, but all server data remains synchronized in real time. This model ensures users connect to the fastest and nearest server while still accessing a unified database.

Question: Do you need a deeper investigation into the database structure of these domains?

Analysis of the Distributed Network Structure of These Domains

Based on the provided information, this network utilizes a distributed infrastructure that includes:

• A shared DNS system for all domains
• Different IP addresses across various geographical regions
• Database synchronization between servers

Analysis of the Fixed DNS Role in This Network

✅ The shared DNS servers (jm1.dns.com and jm2.dns.com) play a crucial role:

• All domains use the same two fixed DNS servers.
• However, the DNS responses for each domain point to different IP addresses in various geographical locations.

This model is typically implemented using GeoDNS or Anycast DNS techniques.

✅ The main goals of this architecture:

• Directing users to the nearest server geographically
• Improving performance and reducing latency
• Enhancing scalability and fault tolerance

How Database Synchronization Works in This Network

• Multiple servers across different regions (e.g., Hong Kong, Africa, USA) host the data.
• The database is distributed across these servers and synchronized in real-time.
• If a server goes offline, requests are redirected to other servers.

✅ Common synchronization methods:

• Master-Slave Replication (a central database with multiple copies)
• Multi-Master Replication (all databases store and process data simultaneously)
• Partitioning & Sharding (splitting data across different servers)

Summary and Conclusion

• ✔ All domains use two shared DNS servers but have different IPs in various countries.
• ✔ Databases are synchronized and deployed across multiple regions.
• ✔ User traffic is directed to geographically closer servers.
• ✔ Techniques like GeoDNS, Anycast, or DNS-level Load Balancing are used.

✅ Question: Would you like me to explain the methods for detecting and analyzing this structure?