Data mining from a nameserver?

Archived from groups: microsoft.public.win2000.dns

If a Win2K server is running a public DNS server and has a firewall
permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
tell if unauthorised access is getting a list of domain names? e.g.
I've heard of http-tunnelling. Does the DNS server handle its own
temp logon like iusr_servername? The firewall logs are showing
outbound packets blocked to certain name servers from Winlogon
which doesn't have internet access as there are no remote servers.
Are there any other programs or services that should not have either
direct internet access or be able to access the internet via another
program or open process? I could do with some guidance because I
think a spammer has obtained info. Thanks, Phil
  1.

    "Phil" <philmarshcz@netscape.netREM> wrote in message
    news:%238GwPhggEHA.3272@TK2MSFTNGP11.phx.gbl...
    > If a Win2K server is running a public DNS server and has a firewall
    > permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
    > tell if unauthorised access is getting a list of domain names? e.g.
    > I've heard of http-tunnelling. Does the DNS server handle its own
    > temp logon like iusr_servername? The firewall logs are showing
    > outbound packets blocked to certain name servers from Winlogon
    > which doesn't have internet access as there are no remote servers.
    > Are there any other programs or services that should not have either
    > direct internet access or be able to access the internet via another
    > program or open process? I could do with some guidance because I
    > think a spammer has obtained info. Thanks, Phil
    >

    I may be arguing symantics, but ...

    >> If a Win2K server is running a public DNS server ... how can I tell if
    >> unauthorised access is getting a list of domain names?

    It is a public DNS server. That means if anybody wants to probe it for all
    the machine names in your domain, they can. By making it public, you've
    "authorized" access to everybody.

    DNS does not require a login in order for someone to query the server. It is
    a "read only" service. No need to fear.

    Are those blocked outbound packets perhaps on Port 135-139? If so, it is the
    result of several Windows services being successfully blocked from leaking
    out to the Internet (just as they should be). It is all normal chatter.

    http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp

    >> Are there any other programs or services that should not have either
    >> direct internet access or be able to access the internet via another program
    >> or open process?

    Yeah, tons of them. Not just "regular" services either. Study up on
    "spyware" and "malware" in addition to "viruses", "worms" and "trojans" if
    you want to lose sleep.
  2.

    --
    Herb Martin


    "MyndPhlyp" <nobody@homeright.now> wrote in message
    news:uP7Z$DigEHA.3148@TK2MSFTNGP10.phx.gbl...
    >
    > "Phil" <philmarshcz@netscape.netREM> wrote in message
    > news:%238GwPhggEHA.3272@TK2MSFTNGP11.phx.gbl...
    > > If a Win2K server is running a public DNS server and has a firewall
    > > permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
    > > tell if unauthorised access is getting a list of domain names? e.g.


    > I may be arguing symantics, but ...

    Arguing "semantics" does make sense in many cases --
    semantics is the study of MEANING. Arguing semantics
    when the real issue is something else is, however, what
    most people refer to when they criticise you for it.

    So: Go for it.

    > >> If a Win2K server is running a public DNS server ... how can I tell if
    > unauthorised access is getting a list of domain names?
    >
    > It is a public DNS server. That means if anybody wants to probe it for all
    > the machine names in your domain, they can. By making it public, you've
    > "authorized" access to everybody.

    Actually I know of no way through normal DNS queries to get a
    "list of domains" (in the sense of ZONES, since technically every DNS
    name is a 'domain' in classical DNS terminology.)

    You can of course do this with an RPC query or perhaps using some
    tool provided with BIND but not through a normal DNS query on
    an MS DNS server.

    You can also specify that only allowed IP addresses can do zone
    transfers (MMC), which disallows things like the "nslookup
    list" command.

    Finally, a public DNS server should ONLY have public services
    so having someone discover them should just amount to "good
    advertising."

    (Don't allow your internal resources to appear in external DNS.)
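    Herb's advice is to let only listed IP addresses pull zone transfers. The following is a defender's check of that setting, added here as example code (not from the thread and not part of Microsoft DNS): it sends one AXFR request over TCP, the same thing the "nslookup list" command relies on, and reads the response header, treating RCODE REFUSED (or NOERROR with no answer records) as locked down. The sample responses are constructed so the parsing runs offline; the server name and zone passed to `check_server` are assumed to be ones you administer.

```python
# Added example (not from the thread): verify a DNS server refuses AXFR from this host.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_axfr_query(zone, txid=0x1234):
    """Standard DNS query (RFC 1035): header, QNAME, QTYPE AXFR=252, QCLASS IN=1."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    labels = [lbl.encode() for lbl in zone.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 252, 1)

def parse_header(msg):
    """Decode the 12-byte header: transaction id, RCODE name and answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    return {"id": txid, "rcode": RCODES.get(rcode, str(rcode)), "answers": an}

def transfer_allowed(first_message):
    """Locked down: REFUSED. Leaking: NOERROR with answer records (first is the SOA)."""
    hdr = parse_header(first_message)
    return hdr["rcode"] == "NOERROR" and hdr["answers"] > 0

def check_server(server, zone, timeout=5.0):
    """AXFR runs over TCP; each message carries a 2-byte length prefix (RFC 1035 4.2.2)."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", sock.recv(2))
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return transfer_allowed(data)

def _sample_response(flags, ancount, zone="example.com"):
    """Constructed sample: the query's question section under a response header."""
    question = build_axfr_query(zone)[12:]
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question

# 0x8185 = QR, RD, RA set, RCODE 5 (REFUSED); 0x8480 = QR, AA, RA set, RCODE 0 (NOERROR)
SAMPLE_REFUSED = _sample_response(0x8185, 0)   # what a locked-down server returns
SAMPLE_LEAKING = _sample_response(0x8480, 3)   # header of a transfer that was granted
```

    Run `check_server("ns1.example.com", "example.com")` from an address that is not on the allowed list; a result of `True` means the zone is still being handed out.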
  3.

    That's probably me not phrasing the question very well. Under normal circumstances,
    a DNS server replies to requests for an IP address to a website or email delivery
    requirement, normal port 53 stuff. The DNS server would only give out the relevant
    info per the single request. I am referring to the gathering of a list of all
    domain names being hosted on the DNS server for other than the above normal usage.

    Blocked packets were not 135 thru' 139, winlogon was trying to send packets out to a
    nameserver which I know to be hostile.

    Thanks for the link, I'll go lose some more sleep :-)

    MyndPhlyp wrote:
    [snip]
    > It is a public DNS server. That means if anybody wants to probe it for all
    > the machine names in your domain, they can. By making it public, you've
    > "authorized" access to everybody.
    >
    > DNS does not require a login in order for someone to query the server. It is
    > a "read only" service. No need to fear.
    >
    > Are those blocked outbound packets perhaps on Port 135-139? If so, it is the
    > result of several Windows services being successfully blocked from leaking
    > out to the Internet (just as they should be). It is all normal chatter.
    >
    > http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp
    >
    >
    >>> Are there any other programs or services that should not have either
    >>> direct internet access or be able to access the internet via another program
    >>> or open process?
    >
    > Yeah, tons of them. Not just "regular" services either. Study up on
    > "spyware" and "malware" in addition to "viruses", "worms" and "trojans" if
    > you want to lose sleep.
    >
    >
  4.

    Thanks for your comments, RPC is closed to the internet. In that
    case I'll divert my attentions to an IIS5 compromise. Zone records
    are all set for no transfer, listing prevented. As per the original post,
    there are only a handful of ports open so maybe http-tunnelling or
    similar - back to the security review :-)

    Herb Martin wrote:
    > Actually I know of no way through normal DNS queries to get a
    > "list of domains" (in the sense of ZONES, since technically every DNS
    > name is a 'domain' in classical DNS terminology.)
    >
    > You can of course do this with an RPC query or perhaps using some
    > tool provided with BIND but not through a normal DNS query on
    > an MS DNS server.
    >
    > You can also specify that only allowed IP addresses can do zone
    > transfers (MMC), which disallows things like the "nslookup
    > list" command.
    >
    > Finally, a public DNS server should ONLY have public services
    > so having someone discover them should just amount to "good
    > advertising."
    >
    > (Don't allow your internal resources to appear in external DNS.)
  5.

    "Phil" <philmarshcz@netscape.netREM> wrote in message
    news:#Hi$5higEHA.2928@TK2MSFTNGP10.phx.gbl...
    > That's probably me not phrasing the question very well. Under normal
    > circumstances, a DNS server replies to requests for an IP address to a website
    > or email delivery requirement, normal port 53 stuff. The DNS server would only
    > give out the relevant info per the single request. I am referring to the
    > gathering of a list of all domain names being hosted on the DNS server for
    > other than the above normal usage.


    Make sure you specify which IP are allowed "zone transfers"
    if any -- not quite what you are discussing but it's a good
    practice too.
  6.

    In news:%23Hi$5higEHA.2928@TK2MSFTNGP10.phx.gbl,
    Phil <philmarshcz@netscape.netREM> wrote their comments
    Then Kevin replied below:
    > That's probably me not phrasing the question very well.
    > Under normal circumstances,
    > a DNS server replies to requests for an IP address to a
    > website or email delivery
    > requirement, normal port 53 stuff. The DNS server would
    > only give out the relevant
    > info per the single request. I am referring to the
    > gathering of a list of all
    > domain names
    > being hosted on the DNS server for other than the above
    > normal usage.
    >
    > Blocked packets were not 135 thru' 139, winlogon was
    > trying to send packets out to a
    > nameserver which I know to be hostile.
    >
    > Thanks for the link, I'll go lose some more sleep :-)

    If your firewall was not logging 135 and 139 hits and the user was able to
    get to Winlogon, that tells me you need to check your firewall configuration. At
    least your firewall is preventing winlogon from getting out.

    The only explanation I can think of is a Trojan trying to set up the
    connection. Then someone is trying to use dnscmd to enumerate the zones.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
  7.

    Thanks for the input, zones are marked transfer to nameservers on tab only.
    I'm running anti-virus, trojan, malware, spyware programs and coming up
    clean every day. Firewall handles specific access in/out bound on a per
    program, or even component, basis and I'm keeping an eye on that.

    One thing comes to mind, I'm in the process of cleaning up a lost container
    in AD and I've found that AD still has the old IP address of the lost server,
    so could it be AD trying to contact this old IP?

    Kevin D. Goodknecht Sr. [MVP] wrote:

    [snip]
    > If your firewall was not logging 135 and 139 hits and the user was able to
    > get to Winlogon, that tells me you need to check your firewall configuration. At
    > least your firewall is preventing winlogon from getting out.
    >
    > The only explanation I can think of is a Trojan trying to set up the
    > connection. Then someone is trying to use dnscmd to enumerate the zones.
    >
    >
  8.

    "Phil" <philmarshcz@netscape.netREM> wrote in message
    news:#0u2LBvgEHA.536@TK2MSFTNGP11.phx.gbl...
    > Thanks for the input, zones are marked transfer to nameservers on tab only.
    > I'm running anti-virus, trojan, malware, spyware programs and coming up
    > clean every day. Firewall handles specific access in/out bound on a per
    > program, or even component, basis and I'm keeping an eye on that.
    >
    > One thing comes to mind, I'm in the process of cleaning up a lost container
    > in AD and I've found that AD still has the old IP address of the lost server,
    > so could it be AD trying to contact this old IP?

    Yes, the other DCs will still be trying to read it.

    Search Google for:

    [ DC domain ntdsutil "metadata cleanup" site:microsoft.com ]

    or

    [ DC domain ntdsutil "metadata cleanup" microsoft: ]

    The latter searches Google's web-wide MS "collection" while
    the former searches just the MS site.


    --
    Herb Martin


    >
    > Kevin D. Goodknecht Sr. [MVP] wrote:
    >
    > [snip]
    > > If your firewall was not logging 135 and 139 hits and the user was able to
    > > get to Winlogon, that tells me you need to check your firewall configuration.
    > > At least your firewall is preventing winlogon from getting out.
    > >
    > > The only explanation I can think of is a Trojan trying to set up the
    > > connection. Then someone is trying to use dnscmd to enumerate the zones.
    > >
    > >
    >
  9.

    P> If a Win2K server is running a public DNS server and has a firewall
    P> permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
    P> tell if unauthorised access is getting a list of domain names?

    If you have a DNS server providing public content DNS service, then
    there is no such thing as unauthorised access to the data that it
    publishes, and your question is without meaning. Public content DNS
    service is publication of all of the data in one's DNS database. If you
    don't want your data to be public, you shouldn't be publishing them in
    the first place.