Re: prisoner.iana.org

From: kent@songbird.com
Date: 09/10/02


Date: Mon, 9 Sep 2002 19:31:58 -0700
From: kent@songbird.com
To: incidents@securityfocus.com

On Mon, Sep 09, 2002 at 03:59:16PM -0500, Carey, Steve T ISD wrote:
> It is a Microsoft default for a misconfigured desktop on DHCP. The DNS server
> information was placed in manually and there the DNS Server is a 'bogus' host.
> When the DHCP server tries to resolve the DNS Server, it will use
> prisoner.iana.org instead.
>
> Steve Carey

There's more to the story -- forgive the length of the following
message...

"prisoner.iana.org" is one of the rfc1918 "blackhole" servers -- you
will also sometimes see entries for "blackhole-1.iana.org" and
"blackhole-2.iana.org". They are there because sometimes rfc1918
addresses leak onto the open internet, and clients that get packets from
these bogus addresses sometimes do inverse dns lookups on them.
prisoner and its buddies are supposed to answer with authoritative
"nxdomain" replies -- this, in theory, reduces load on the root servers
(the first query for a nonexistent domain will go to the root servers
unless there is a known(cached) lower level domain server that can
answer the query). The IANA is preparing a FAQ on this topic -- one of
these days it should be posted on the IANA web site. I prepared a faq
specific to this question, which I have appended below.

> Hi -
>
> I've started noticing an entry in the event log on one
> of my Windows XP workstations. I've tried finding
> information regarding this on google (have seen others
> with the problem, but no answers) & have also
> contacted iana (but have yet to hear anything from
> them).

The IANA gets a number of queries on this subject.

> The box is trying to make DNS requests to
> 'prisoner.iana.org'. This is what I see in the event
> log:
>
> =========================
> Source: LSASRV
> Category: SPNEGO (Negotiator)
>
> The Security System could not establish a secured
> connection with the server DNS/prisoner.iana.org. No
> authentication protocol was available.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> =========================
>
> Ipconfig on the box looks like this:
>
> Windows IP Configuration

[...]

> IP Address. . . . . . . . . . . . : 192.168.0.204
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.0.1
> DHCP Server . . . . . . . . . . . : 192.168.0.3
> DNS Servers . . . . . . . . . . . : 192.168.0.3
> Lease Obtained. . . . . . . . . . : Sunday, September 08, 2002 10:01:05 AM
> Lease Expires . . . . . . . . . . : Sunday, September 08, 2002 1:01:05 PM
>
> So far as I know, the LsaSrv process that is
> generating the error is tied to the protected storage
> service. This is the service that stores personal
> passwords, etc on the windows machine. Why would this
> need to query an outside dns server??

Because it's doing an inverse query, trying to find out what dns name
goes with the address 192.168.0.204, and your dns servers are not
providing an answer.

> Just curious if anyone knows what this is - trojan?
> spyware? simple microsoft bloat?

Almost certainly, it's a misconfiguration of your network.

> I've blackholed
> prisoner.iana.org (via lmhosts) on the local machine &
> have also blocked it on my firewall until I can figure
> out what this is.

Here's an old faq I wrote. Not real great, and somewhat out of date,
but hopefully it will help...

Q1: What are the blackhole servers?

A1: The "blackhole" Servers, "blackhole-1.iana.org",
"blackhole-2.iana.org", and sometimes "prisoner.iana.org" are an obscure
part of the Internet infrastructure. People are sometimes puzzled or
alarmed to find unexplained references to them in log files or other
places. This FAQ tries to explain what these servers do, and why you
may be seeing them.

Specifically, these servers are part of the Domain Name System (DNS),
and respond to inverse queries to addresses in the reserved RFC 1918
address ranges:

     10.0.0.0 - 10.255.255.255 (10/8 prefix)
     172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
     192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

(see ftp://ftp.isi.edu/in-notes/rfc1918.txt)

These addresses are reserved for use on private intranets, and should
never appear on the public internet. The 192.168.0.0 addresses are
especially common, being frequently used in small office or home
networking products like routers, gateways, or firewalls.

Q2: What are "inverse queries"?

A2: With normal ("forward") queries the domain name system responds with
an address (eg, "192.0.34.69") when given a name (eg,
"www.iana.org"). Inverse ("reverse") queries do the reverse -- the
domain name system returns the name ("www.iana.org") when given the
address ("192.0.34.69"). While inverse queries are rare from a human
perspective, some network services automatically do an inverse lookup
whenever they process a request from a particular IP address, and
consequently they form a significant part of DNS network traffic.

Q3: Why do we need the blackhole servers?

A3: Strictly speaking, we don't need the blackhole servers. However,
DNS clients will sometimes remember the results from previous queries
(that is, "good" answers to queries are cached), and the blackhole
servers are configured to return answers that DNS clients can cache.
This allows the clients to rely on their cached answers, instead of
sending another query, which in turn reduces the overall amount of
traffic on the Internet.

Since the RFC 1918 addresses should never be used on the public
Internet, there should be no names in the public DNS that refer to them.
Hence, an inverse lookup on one of these addresses should never work.
The IANA blackhole servers respond to these inverse queries, and always
return an answer that says, authoritatively, that "this address does not
exist". Because of the caching noted above, this is far better than
simply not responding at all, so the IANA provides the blackhole servers
as a public service.

Q4: How busy are the blackhole servers?

A4: While rates vary, the blackhole servers generally answer thousands
of queries per second.

In the past couple of years the number of queries to the blackhole
servers has increased dramatically. It is believed that the large
majority of those queries occur because of "leakage" from intranets that
are using the RFC 1918 private addresses. This can happen if the
private intranet is internally using services that automatically do
reverse queries, and the local DNS resolver needs to go outside the
intranet to resolve these names.

For well-configured intranets, this shouldn't happen. Users of private
address space should have their local DNS configured to provide
responses to inverse lookups in the private address space.

Q5: But it looks like the blackhole servers are attacking my
network/host. Could it be that a hacker has taken over the servers, and
is attacking other systems?

A5: No system is totally safe from hackers, and the blackhole servers
are no exception. However, because of their special function, there are
a number of reasons why they may appear in your logs or elsewhere that
have nothing to do with hacking. DNS configuration, especially in an
environment where the RFC 1918 addresses are being used, can be tricky.
Firewall configurations can make things even more complicated. If, for
example, your system is configured to allow all outgoing packets, but
block most incoming packets, then it may be that your DNS client is in
fact doing inverse queries to the blackhole servers, but blocking (and
logging) the returning answers.

It is also true that other activities of hackers can make the blackhole
servers show up in your logs. It is possible to construct network
packets with forged source addresses that are in the RFC 1918 ranges. A
hacker, for example, could construct a packet that appeared to come from
192.168.35.35. Sometimes there are large scale denial of service
attacks that use a flood of such "spoofed" packets. The result might be
a large number of queries coming to the blackhole servers, which may
themselves be overloaded with query traffic. Under conditions of heavy
load, the servers may drop packets, and not respond correctly to some
queries. This may cause odd messages to appear in the error logs of
either the attacking or the attacked host. (In large scale "distributed
denial of service" attacks, many systems are taken over by hackers, and
these systems are used to attack some victim. The owners of the
attacking systems may not even be aware that they have been taken over
by a hacker.)

Q6: OK, maybe you aren't attacking me. What can I do about the
messages in my logs?

A6: The best way to solve this problem is to set up DNS on your local
network. Unfortunately, this can be complicated, and may not in
practice be possible. If you are using operating systems from
Microsoft, you might want to look at
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259922>.
(Please note that the blackhole servers used to be located at isi.edu).

Q7: Is there anything more than just logs at issue?

A7: Possibly. But you should make every effort to fix the problem from
your end, because episodes of overload to the blackhole servers are becoming
more common, and that can have more serious consequences. See, for example,
<http://www.shmoo.com/mail/fw1/apr99/msg00946.html>.

[Thanks to Ed Bennet for input on the above two questions.]

-- 
Kent Crispin, Technical Systems Manager, ICANN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
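As an added example, not part of Kent's message or the IANA FAQ: a Python script that builds the in-addr.arpa names behind the inverse queries described in A2, lists the reverse zones a local DNS has to answer for the three RFC 1918 ranges (the fix A4 and A6 point at), and flags PTR queries for private addresses in a resolver log. The log lines are constructed and only loosely modelled on a BIND-style query log; the function names are my own.

```python
import ipaddress
import re
# The three RFC 1918 ranges listed in the FAQ.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_name(addr):
    """The in-addr.arpa name a resolver asks for in an inverse query."""
    return ipaddress.ip_address(addr).reverse_pointer

def address_from_reverse_name(name):
    """Undo reverse_name(); None unless name is a complete IPv4 PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name, re.I)
    try:
        return ipaddress.ip_address(".".join(reversed(m.groups()))) if m else None
    except ValueError:  # an octet above 255
        return None

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def private_reverse_zones():
    """Reverse zones a local DNS must answer itself so private PTR queries never
    leave the site: one zone per octet-aligned block (the /12 needs 16 of them)."""
    zones = []
    for net in RFC1918:
        labels = -(-net.prefixlen // 8)  # octets that name the zone
        for sub in net.subnets(new_prefix=labels * 8):
            octets = str(sub.network_address).split(".")[:labels]
            zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN PTR")
def leaked_ptr_queries(log_lines):
    """(client, private address) for each PTR query on an RFC 1918 address; each
    one reaches the blackhole servers unless a local reverse zone answers it."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        addr = address_from_reverse_name(m.group(2)) if m else None
        if addr is not None and is_rfc1918(addr):
            hits.append((m.group(1), str(addr)))
    return hits

# Constructed sample lines, loosely modelled on a BIND-style query log.
SAMPLE_LOG = [
    "client 192.168.0.204#1034: query: 204.0.168.192.in-addr.arpa IN PTR",
    "client 192.168.0.204#1035: query: www.iana.org IN A",
    "client 192.168.0.50#2001: query: 69.34.0.192.in-addr.arpa IN PTR",
    "client 192.168.0.7#3000: query: 1.2.16.172.in-addr.arpa IN PTR",
]
```

`leaked_ptr_queries(SAMPLE_LOG)` picks out the two lookups for private addresses (the 192.0.34.69 query is public and is ignored), and `private_reverse_zones()` returns the 18 zones the local resolver should serve so those lookups never leave the intranet.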


