Data mining from a nameserver?

Phil

Archived from groups: microsoft.public.win2000.dns

If a Win2K server is running a public DNS server and has a firewall
permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
tell if unauthorised access is getting a list of domain names? e.g.
I've heard of http-tunnelling. Does the DNS server handle its own
temp logon like iusr_servername? The firewall logs are showing
outbound packets blocked to certain name servers from Winlogon
which doesn't have internet access as there are no remote servers.
Are there any other programs or services that should not have either
direct internet access or be able to access the internet via another
program or open process? I could do with some guidance because I
think a spammer has obtained info. Thanks, Phil
 
Guest

"Phil" <philmarshcz@netscape.netREM> wrote in message
news:%238GwPhggEHA.3272@TK2MSFTNGP11.phx.gbl...
> If a Win2K server is running a public DNS server and has a firewall
> permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
> tell if unauthorised access is getting a list of domain names? e.g.
> I've heard of http-tunnelling. Does the DNS server handle its own
> temp logon like iusr_servername? The firewall logs are showing
> outbound packets blocked to certain name servers from Winlogon
> which doesn't have internet access as there are no remote servers.
> Are there any other programs or services that should not have either
> direct internet access or be able to access the internet via another
> program or open process? I could do with some guidance because I
> think a spammer has obtained info. Thanks, Phil
>

I may be arguing semantics, but ...

>> If a Win2K server is running a public DNS server ... how can I tell if
>> unauthorised access is getting a list of domain names?

It is a public DNS server. That means if anybody wants to probe it for all
the machine names in your domain, they can. By making it public, you've
"authorized" access to everybody.

DNS does not require a login in order for someone to query the server. It is
a "read only" service. No need to fear.

Are those blocked outbound packets perhaps on Port 135-139? If so, it is the
result of several Windows services being successfully blocked from leaking
out to the Internet (just as they should be). It is all normal chatter.

http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

>> Are there any other programs or services that should not have either
>> direct internet access or be able to access the internet via another program
>> or open process?

Yeah, tons of them. Not just "regular" services either. Study up on
"spyware" and "malware" in addition to "viruses", "worms" and "trojans" if
you want to lose sleep.
 
Guest

--
Herb Martin


"MyndPhlyp" <nobody@homeright.now> wrote in message
news:uP7Z$DigEHA.3148@TK2MSFTNGP10.phx.gbl...
>
> "Phil" <philmarshcz@netscape.netREM> wrote in message
> news:%238GwPhggEHA.3272@TK2MSFTNGP11.phx.gbl...
> > If a Win2K server is running a public DNS server and has a firewall
> > permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
> > tell if unauthorised access is getting a list of domain names? e.g.


> I may be arguing semantics, but ...

Arguing "semantics" does make sense in many cases --
semantics is the study of MEANING. Arguing semantics
when the real issue is something else is however what
most people refer to when they criticise you for it.

So: Go for it.

> >> If a Win2K server is running a public DNS server ... how can I tell if
> unauthorised access is getting a list of domain names?
>
> It is a public DNS server. That means if anybody wants to probe it for all
> the machine names in your domain, they can. By making it public, you've
> "authorized" access to everybody.

Actually I know of no way through normal DNS queries to get a
"list of domains" (in the sense of ZONES since technically every DNS
name is a 'domain' in classical DNS terminology.)

You can of course do this with an RPC query or perhaps using some
tool provided with BIND but not through a normal DNS query on
an MS DNS server.

You can also specify that only allowed IP addresses can do zone
transfers (MMC) which disallows things like the "nslookup
list" command.

Finally, a public DNS server should ONLY have public services
so having someone discover them should just amount to "good
advertising."

(Don't allow your internal resources to appear in external DNS.)
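Herb's advice to restrict zone transfers to listed IP addresses can be verified from the outside: request a transfer of your own zone from your own server and confirm the server refuses it. The Python below is an added example written for this thread, not code from any poster; it assumes the placeholder zone example.com and transaction id 0x1234, and embeds two constructed replies (a refusal and an accepted transfer) so the decoder can be exercised offline.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """TCP-framed AXFR query (QTYPE 252, class IN) for `zone`: 2-byte length prefix, flags zero."""
    msg = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", 252, 1)
    return struct.pack(">H", len(msg)) + msg

def parse_axfr_reply(frame: bytes) -> dict:
    """Decode the header of the first message of a TCP reply (skipping the length prefix).
    A refusing server answers RCODE REFUSED with no answer records; one that allows the
    transfer answers NOERROR and leads with the zone's SOA record."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", frame[2:14])
    rcode = flags & 0x000F
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": an, "transfer_allowed": rcode == 0 and an > 0}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf

def check_zone_transfer(server: str, zone: str, timeout: float = 5.0) -> dict:
    """Ask your own server for a transfer of your own zone and report whether it refused."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        prefix = recv_exact(s, 2)
        body = recv_exact(s, struct.unpack(">H", prefix)[0])
    return parse_axfr_reply(prefix + body)

# Constructed sample replies (not captured traffic) for the placeholder zone example.com.
QUESTION = encode_name("example.com") + struct.pack(">HH", 252, 1)
SOA = (b"\xc0\x0c" + struct.pack(">HHIH", 6, 1, 3600, 39) + b"\x03ns1\xc0\x0c"
       + b"\x0ahostmaster\xc0\x0c" + struct.pack(">IIIII", 2004010101, 900, 600, 86400, 3600))
REFUSED_REPLY = struct.pack(">H", 12 + len(QUESTION)) + struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
ALLOWED_REPLY = (struct.pack(">H", 12 + len(QUESTION) + len(SOA))
                 + struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION + SOA)
```

Run `check_zone_transfer("<your server>", "<your zone>")` from an address that is not on the allowed list; the expected result is `rcode == "REFUSED"` and `transfer_allowed == False`.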
Phil

That's probably me not phrasing the question very well. Under normal circumstances,
a DNS server replies to requests for an IP address to a website or email delivery
requirement, normal port 53 stuff. The DNS server would only give out the relevant
info per the single request. I am referring to the gathering of a list of all
domain names being hosted on the DNS server for other than the above normal usage.

Blocked packets were not 135 thru' 139, winlogon was trying to send packets out to a
nameserver which I know to be hostile.

Thanks for the link, I'll go lose some more sleep :)

MyndPhlyp wrote:
[snip]
> It is a public DNS server. That means if anybody wants to probe it for all
> the machine names in your domain, they can. By making it public, you've
> "authorized" access to everybody.
>
> DNS does not require a login in order for someone to query the server. It is
> a "read only" service. No need to fear.
>
> Are those blocked outbound packets perhaps on Port 135-139? If so, it is the
> result of several Windows services being successfully blocked from leaking
> out to the Internet (just as they should be). It is all normal chatter.
>
> http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp
>
>
>>> Are there any other programs or services that should not have either
>>> direct internet access or be able to access the internet via another program
>>> or open process?
>
> Yeah, tons of them. Not just "regular" services either. Study up on
> "spyware" and "malware" in addition to "viruses", "worms" and "trojans" if
> you want to lose sleep.
>
>
Phil

Thanks for your comments, RPC is closed to the internet. In that
case I'll divert my attentions to an IIS5 compromise. Zone records
are all set for no transfer, listing prevented. As per the original post,
there are only a handful of ports open so maybe http-tunnelling or
similar - back to the security review :)

Herb Martin wrote:
> Actually I know of no way through normal DNS queries to get a
> "list of domains" (in the sense of ZONES since technically every DNS
> name is a 'domain' in classical DNS terminology.)
>
> You can of course do this with an RPC query or perhaps using some
> tool provided with BIND but not through a normal DNS query on
> an MS DNS server.
>
> You can also specify that only allowed IP addresses can do zone
> transfers (MMC) which disallows things like the "nslookup
> list" command.
>
> Finally, a public DNS server should ONLY have public services
> so having someone discover them should just amount to "good
> advertising."
>
> (Don't allow your internal resources to appear in external DNS.)
Guest

"Phil" <philmarshcz@netscape.netREM> wrote in message
news:#Hi$5higEHA.2928@TK2MSFTNGP10.phx.gbl...
> That's probably me not phrasing the question very well. Under normal
> circumstances,
> a DNS server replies to requests for an IP address to a website or email
> delivery
> requirement, normal port 53 stuff. The DNS server would only give out the
> relevant
> info per the single request. I am referring to the gathering of a list of
> all
> domain names
> being hosted on the DNS server for other than the above normal usage.


Make sure you specify which IP are allowed "zone transfers"
if any -- not quite what you are discussing but it's a good
practice too.
Guest

In news:%23Hi$5higEHA.2928@TK2MSFTNGP10.phx.gbl,
Phil <philmarshcz@netscape.netREM> wrote their comments
Then Kevin replied below:
> That's probably me not phrasing the question very well.
> Under normal circumstances,
> a DNS server replies to requests for an IP address to a
> website or email delivery
> requirement, normal port 53 stuff. The DNS server would
> only give out the relevant
> info per the single request. I am referring to the
> gathering of a list of all
> domain names
> being hosted on the DNS server for other than the above
> normal usage.
>
> Blocked packets were not 135 thru' 139, winlogon was
> trying to send packets out to a
> nameserver which I know to be hostile.
>
> Thanks for the link, I'll go lose some more sleep :)

If your firewall was not logging 135 and 139 hits and the user was able to
get to Winlogon, that tells me you need to check your firewall configuration. At
least your firewall is preventing winlogon from getting out.

The only explanation I can think of is a Trojan trying to set up the
connection. Then someone is trying to use dnscmd to enumerate the zones.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Phil

Thanks for the input, zones are marked transfer to nameservers on tab only.
I'm running anti-virus, trojan, malware, spyware programs and coming up
clean every day. Firewall handles specific access in/out bound on a per
program, or even component, basis and I'm keeping an eye on that.

One thing comes to mind, I'm in the process of cleaning up a lost container
in AD and I've found that AD still has the old IP address of the lost server,
so could it be AD trying to contact this old IP?

Kevin D. Goodknecht Sr. [MVP] wrote:

[snip]
> If your firewall was not logging 135 and 139 hits and the user was able to
> get to Winlogon, that tells me you need to check your firewall configuration. At
> least your firewall is preventing winlogon from getting out.
>
> The only explanation I can think of is a Trojan trying to set up the
> connection. Then someone is trying to use dnscmd to enumerate the zones.
>
>
Guest

"Phil" <philmarshcz@netscape.netREM> wrote in message
news:#0u2LBvgEHA.536@TK2MSFTNGP11.phx.gbl...
> Thanks for the input, zones are marked transfer to nameservers on tab
> only.
> I'm running anti-virus, trojan, malware, spyware programs and coming up
> clean every day. Firewall handles specific access in/out bound on a per
> program, or even component, basis and I'm keeping an eye on that.
>
> One thing comes to mind, I'm in the process of cleaning up a lost
> container
> in AD and I've found that AD still has the old IP address of the lost
> server,
> so could it be AD trying to contact this old IP?

Yes, the other DCs will still be trying to read it.

Search Google for:

[ DC domain ntdsutil "metadata cleanup" site:microsoft.com ]

or

[ DC domain ntdsutil "metadata cleanup" microsoft: ]

The latter searches Google's web wide MS "collection" while
the former searches just the MS site.


--
Herb Martin


>
> Kevin D. Goodknecht Sr. [MVP] wrote:
>
> [snip]
> > If your firewall was not logging 135 and 139 hits and the user was able
> > to
> > get to Winlogon, that tells me you need to check your firewall configuration.
> > At
> > least your firewall is preventing winlogon from getting out.
> >
> > The only explanation I can think of is a Trojan trying to set up the
> > connection. Then someone is trying to use dnscmd to enumerate the
> > zones.
> >
> >
>
Guest

P> If a Win2K server is running a public DNS server and has a firewall
P> permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
P> tell if unauthorised access is getting a list of domain names?

If you have a DNS server providing public content DNS service, then
there is no such thing as unauthorised access to the data that it
publishes, and your question is without meaning. Public content DNS
service is publication of all of the data in one's DNS database. If you
don't want your data to be public, you shouldn't be publishing them in
the first place.