Re: potential DNS security issue

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 12/21/04

    Date: Tue, 21 Dec 2004 20:07:37 GMT
    
    

    OK. Well I don't know the answer to what is going on and you said you have
    secure cache against pollution already selected. What might be interesting
    is to configure your internal dns server to either use root hints only or
    forward to your ISP dns server only to see if it makes a difference which
    one you use to resolve your internet names. If your ISP has multiple dns
    servers, try using a different dns server than you are now. --- Steve

    "Chris" <chris23@ic-2000.com> wrote in message
    news:8S_xd.14270$6N6.4605@fe10.lga...
    > It was definitely the server. I tried the ipconfig /flushdns first and
    > that didn't fix anything. It only cleared up after I cleared the cache in
    > the management console. It was happening on all clients using this dns
    > server as well, of course. Everything resolved to same IP except zones
    > this server serves.
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:vE_xd.302355$R05.85785@attbi_s53...
    >> That is scary. Did you clear the client cache via ipconfig /flushdns or
    >> did you clear the dns server cache via the dns Management Console where
    >> you have to find the cached lookups folder, right click and select clear
    >> cache? You have to select view-advanced to see the cached folder. Also
    >> when you use nslookup on a computer doing that do all names [Yahoo.com,
    >> Microsoft.com, etc] resolve to the same IP addresses? I am wondering if
    >> it is a dns client or dns server problem. --- Steve
    >>
    >>
    >> "Chris" <chris23@ic-2000.com> wrote in message
    >> news:luZxd.14261$n26.1929@fe10.lga...
    >>>I posted this to the dns group, but thought it might be appropriate here
    >>>too. I think this is a security issue as well:
    >>>
    >>> This morning one of our DNS servers started responding to all requests
    >>> with the same IP address. The only exceptions were sites that the
    >>> server was authoritative for. I fixed it by clearing the cache, but I
    >>> have to wonder how this is happening. This server runs Windows 2000 dns
    >>> and has the "secure cache against pollution" option set (and I confirmed
    >>> it in the registry).
    >>>
    >>> I contacted Microsoft and they had no idea what might be happening.
    >>> They thought that one of the root servers may have been compromised. I
    >>> find this hard to believe however. I found this link on the web:
    >>> http://www.atsnn.com/story/105049.html which describes a similar
    >>> situation. It appears that this has occurred to others over the last few
    >>> weeks, and any root server problems probably would have been dealt with.
    >>>
    >>> Has anyone seen this before? It seems like a vulnerability that has not
    >>> yet been addressed. However, maybe it's just a vulnerability in DNS in
    >>> general. Any thoughts?
    >>>
    >>
    >>
    >
    >
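
The check described in this thread (do unrelated names all come back with the same address, and does a second DNS server agree?), as an added Python example that is not part of the original posts. The nslookup transcript, the server name ns1.corp.example, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed samples: transcript from the suspect server, answers from a second resolver.
SUSPECT = """\
Server:  ns1.corp.example
Address:  192.0.2.53
Non-authoritative answer:
Name:    yahoo.com
Address:  203.0.113.66
Server:  ns1.corp.example
Address:  192.0.2.53
Non-authoritative answer:
Name:    microsoft.com
Address:  203.0.113.66
Server:  ns1.corp.example
Address:  192.0.2.53
Non-authoritative answer:
Name:    example.org
Address:  203.0.113.66
Server:  ns1.corp.example
Address:  192.0.2.53
Name:    intranet.corp.example
Address:  192.0.2.80
"""
REFERENCE = {"yahoo.com": {"198.51.100.10"}, "microsoft.com": {"198.51.100.20"}}

def parse_nslookup(transcript):
    """Map each queried name to its answer IPs, skipping the resolver's own header."""
    results, name = defaultdict(set), None
    for line in transcript.splitlines():
        if line.startswith("Server:"):
            name = None  # the Address line that follows is the resolver, not an answer
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip().lower()
        elif name:
            results[name].update(IPV4.findall(line))
    return dict(results)

def collapsed(results, min_names=3):
    """Answer sets shared by min_names or more different names (the thread's symptom)."""
    by_answer = defaultdict(list)
    for name, ips in results.items():
        by_answer[",".join(sorted(ips))].append(name)
    return {a: sorted(n) for a, n in by_answer.items() if a and len(n) >= min_names}

def disagreements(suspect, reference):
    """Names where the two resolvers share no address (weak on its own: CDN answers vary)."""
    return sorted(n for n in suspect if n in reference and not suspect[n] & reference[n])
```

A non-empty `collapsed()` result on the server's cache answers, together with `disagreements()` against a second resolver, points at the server cache rather than the client, which matches what clearing the server cache fixed here.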

