Re: Strange DNS problem

From: C Hall (someone_at_microsoft.com)
Date: 04/19/05


Date: Tue, 19 Apr 2005 10:33:02 -0400

Roger and everyone,
Thanks for the replies.

Roger,
That was my first thought--DNS cache poisoning. The one reason I thought
that it just may be an internal configuration problem is that the zone I'm
using is already in use as an Internet domain space--a mistake on my part. I
talked to the third party to whom the address belongs and they are an ISP and
it belongs to one of their name servers. After running a trace, they said
they saw our address trying to do a zone transfer, and with the IDS still
logging nmap sweeps it appears this is still going on. I'm trying to follow
the suggestions from Kevin in the DNS forum, but the frustrating thing is
that I'm told by my boss to not touch it until after Friday when our
auditors leave. He's concerned that any work on the domain will affect one
of our mission specific applications, but there's no way it can be. People
have local user accounts on that machine and have mapped drives to what they
need on that server. I'm no guru, but he just doesn't understand MS
networking. I'm stuck at the moment. How long can I leave this situation
limping? 60 days (tombstoning limit)?

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:Ox3mxuIRFHA.3628@TK2MSFTNGP12.phx.gbl...
> Do not be so fast on saying you did not have a security problem.
> You said "the IP" of some alien host
> 1. showed up as NS when you attempted to redefine the zone
> for your AD
> 2. your zone on one AD had changed to secondary (a DC/DNS will
> not do this, as you discovered when attempting to revert it)
> 3. you said "the IP" had been seen as the origin of nmap etc. scans.
> That all sounds to me like you have a security issue.
> You perhaps had poisoned cache allowing the bad NS to show up
> when the zone redefinition was attempted. You perhaps had a DNS
> zone under outside control (sort of implies a DC also) and being used
> perhaps for injection of some machine within network communications.
>
> To recover fast, you can always collect together the netlogon.dns files
> from each of the three DCs. These you would merge into a single file
> in which you would need to adjust the SOA record so that it represents
> only one of the NS (DCs) records.
> You could use this as a std primary on one DC and secondary on the
> other two, in order to bootstrap AD functionality between DCs.
> Then change to AD integrated and make sure that you have set it to
> allow only secured dynamic updates (and to protect against cache
> pollution).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "C Hall" <someone@microsoft.com> wrote in message
> news:uxOaLXFRFHA.3788@tk2msftngp13.phx.gbl...
> > Steven,
> >
> > Thanks for the post. It's looking like a rebuild of one DC (not a FSMO role
> > holder). I didn't allow enough disk space and that's causing problems. Aside
> > from that, there are a bunch of errors in the logs. I can't open ADU&C to
> > follow the guidance of the dns group (Kevin). Armed with new info, I
> > don't think this is a security problem at this point. I will look at the
> > links below. Thanks again.
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:uQgM2LFRFHA.1528@TK2MSFTNGP09.phx.gbl...
> > > See the link below which may help in rebuilding your dns zones. I suggest
> > > that unless your organization requires otherwise, use only AD integrated
> > > zones, do not allow zone transfers to other dns servers if not needed [this
> > > is not needed for AD integrated dns zones and never select "to any"], and
> > > require secure updates unless you have a need to not use that. You may also
> > > want to post in the win2000.dns newsgroup. Keep in mind that if you delete
> > > an AD dns zone, that zone will be totally deleted from Active Directory and
> > > not just that server. You also need to have some patience when rebuilding
> > > your dns as replication will not be immediate to other dns servers/domain
> > > controllers. Another alternative could be an authoritative restore of Active
> > > Directory from a recent System State backup of a domain controller for AD
> > > integrated dns zones. --- Steve
> > >
> > > http://support.microsoft.com/?kbid=260371 -- see To repair the Active
> > > Directory DNS record registration
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
> > > DNS best practices.
> > >
> > >
> > > "C Hall" <someone@microsoft.com> wrote in message
> > > news:%233giL7BRFHA.904@tk2msftngp13.phx.gbl...
> > > > Good morning,
> > > >
> > > > This past Friday, I was having problems with my DNS. The short version is
> > > > that I ended up deleting our zones and am in the process of resolving that
> > > > problem. However, when I went to do this last Friday, a DNS server from
> > > > another organization showed up as the SOA for the newly created zone. I had
> > > > been receiving alerts most of the day that this ip address was doing an nmap
> > > > udp port sweep. I talked to the vendor this morning and they had no idea.
> > > > For more details, I'm providing the post to the dns forum where I'm trying
> > > > to resolve the issue of being able to recreate the zone. It seemed like we
> > > > were getting compromised.
> > > >
> > > > DNS Post:
> > > > We have three DCs--DC1, DC2, and DC3. We had an AD Integrated zone for our
> > > > forward lookup zone. On DC3, the zone showed as a secondary zone, so I tried
> > > > to change the type to an AD integrated zone (right-click, properties,
> > > > etc...), but it wouldn't allow it. I didn't write down the actual message,
> > > > but I was given two options: use the current zone or use the AD zone.
> > > > Neither option would work. I decided to delete the zone, thinking that since
> > > > the zone was a secondary zone that it would just die and I would be able to
> > > > create an AD zone or that the AD zone would replicate over. That didn't
> > > > work. In fact, the AD zone disappeared on both DC1 and DC2.
> > > >
> > > > Next, I panicked and posted my previous thread ("Urgent!!!").
> > > >
> > > > I have just tried creating a Primary zone on DC1 and created secondary zones
> > > > on DC2 & DC3. Then I ran Netdiag /fix. I wish I could say that I saved the
> > > > results to a text file, but I didn't. I did get it printed, though. The DNS
> > > > test shows it failed (surprise) with several FATAL errors trying to recreate
> > > > dns entries. I had set the zone to allow dynamic updates, accept updates
> > > > from all servers and had manually entered NS, A and PTR records for all DCs.
> > > > At this point, all zones have once again disappeared--the primary on the
> > > > master and the two secondary zones.
> > > >
> > > >
> > > > Any clues would be appreciated.
> > > >
> > >
> > >
> >
> >
>
>
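The hardening that Steven and Roger recommend in the thread (AD-integrated zones only, secure dynamic updates only, no zone transfers, cache pollution protection) can be checked on every DC/DNS server before anything is rebuilt. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), and the `-Remediate` switch, server name and finding strings are this example's own.

```powershell
# Added example: audit (and optionally enforce) the DNS zone settings recommended
# in the thread. Report-only unless -Remediate is given. Assumes the DnsServer
# module; run against each DC that hosts DNS.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate
)

$findings = @()

# 1. "Secure cache against pollution": discard answers outside the queried tree.
$cache = Get-DnsServerCache -ComputerName $ComputerName
if (-not $cache.EnablePollutionProtection) {
    $findings += "server: cache pollution protection is disabled"
    if ($Remediate) { Set-DnsServerCache -ComputerName $ComputerName -PollutionProtection $true }
}

# 2. Per-zone checks; skip auto-created zones and forwarders/stubs.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -in 'Primary', 'Secondary' }

foreach ($z in $zones) {
    $name = $z.ZoneName
    if ($z.ZoneType -eq 'Secondary') {
        # A secondary on a DC is what the original post saw on DC3: this server is
        # pulling the zone from another master. Report it and verify that master
        # first; do not overwrite it blindly.
        $findings += "${name}: secondary zone on a DC (masters: $($z.MasterServers -join ', '))"
        continue
    }
    if (-not $z.IsDsIntegrated) {
        $findings += "${name}: file-backed primary, not AD-integrated"
        if ($Remediate) {
            ConvertTo-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name -ReplicationScope Domain -Force
        }
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        # 'Secure' is only available on AD-integrated zones, so this runs after the conversion above.
        $findings += "${name}: dynamic updates are '$($z.DynamicUpdate)', not Secure"
        if ($Remediate) { Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name -DynamicUpdate Secure }
    }
    if ($z.SecureSecondaries -ne 'NoTransfer') {
        # AD replication carries the zone between DCs, so classic zone transfers are not needed.
        $findings += "${name}: zone transfers allowed ($($z.SecureSecondaries))"
        if ($Remediate) { Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name -SecureSecondaries NoTransfer }
    }
}

if ($findings.Count -eq 0) { "No findings on $ComputerName" } else { $findings }
```

Run it report-only first on each DC and compare the output: a zone that is secondary on one DC and AD-integrated on the others is the inconsistency the original post describes.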