Re: potential DNS security issue

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/21/04


Date: Tue, 21 Dec 2004 19:16:43 GMT

That is scary. Did you clear the client cache via ipconfig /flushdns, or did
you clear the DNS server cache via the DNS Management Console, where you have
to find the cached lookups folder, right click and select clear cache? You
have to select View > Advanced to see the cached folder. Also, when you use
nslookup on a computer doing that, do all names [Yahoo.com, Microsoft.com,
etc.] resolve to the same IP addresses? I am wondering if it is a DNS client
or DNS server problem. --- Steve

"Chris" <chris23@ic-2000.com> wrote in message
news:luZxd.14261$n26.1929@fe10.lga...
> I posted this to the dns group, but thought it might be appropriate here
> too. I think this is a security issue as well:
>
> This morning one of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
> this hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
> situation. It appears that this has occurred to others over the last few
> weeks, and any root server problems probably would have been dealt with.
>
> Has anyone seen this before? It seems like a vulnerability that has not
> yet been addressed. However, maybe it's just a vulnerability in DNS in
> general. Any thoughts?
>
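An added example, not code from the thread, of the nslookup check Steve describes: resolve several unrelated well-known names and flag the resolver when every cached answer collapses onto a single address, skipping names in zones the server is authoritative for. The probe names, the authoritative zone and the sample answers are constructed placeholders.

```python
import socket
from collections import defaultdict

# Names to probe, as the reply suggests doing with nslookup; any diverse set of
# unrelated sites works.  Assumption: these should never share one address.
PROBE_NAMES = ["yahoo.com", "microsoft.com", "google.com", "example.org"]

# Placeholder zone this server hosts itself; those answers come from zone data,
# not the cache, so the poisoned-cache symptom does not apply to them.
AUTHORITATIVE_ZONES = ["corp.example"]

def in_authoritative_zone(name, zones=AUTHORITATIVE_ZONES):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)

def group_by_address(names, resolve):
    """Map each returned address to the set of non-authoritative names behind it."""
    by_addr = defaultdict(set)
    for name in names:
        if in_authoritative_zone(name):
            continue
        try:
            by_addr[resolve(name)].add(name)
        except OSError:
            pass  # an unresolvable name is not evidence either way
    return dict(by_addr)

def cache_looks_poisoned(names, resolve):
    """True when every cached name that resolved came back with one address."""
    by_addr = group_by_address(names, resolve)
    return len(by_addr) == 1 and len(next(iter(by_addr.values()))) >= 2

# Constructed sample: a poisoned cache answers everything with 192.0.2.1
# (TEST-NET-1), while the server's own zone still answers correctly.
POISONED = {n: "192.0.2.1" for n in PROBE_NAMES}
POISONED["www.corp.example"] = "10.0.0.5"

def resolve_from_table(table):
    def _resolve(name):
        if name not in table:
            raise OSError("no answer")
        return table[name]
    return _resolve

if __name__ == "__main__":
    # The simulated cache trips the check; the live system resolver normally does not.
    print(cache_looks_poisoned(PROBE_NAMES, resolve_from_table(POISONED)))
    print(cache_looks_poisoned(PROBE_NAMES, socket.gethostbyname))
```

To run it against a specific server rather than the system resolver, pass a `resolve` callable that queries that server (for example with a DNS library); the check itself is unchanged.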


