DNS spoofing - security problems...
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.dns (More info?)
This morning on of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 dns and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).
I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occured to others over the last few weeks, and any
root server problems probably would have been dealt with.
Has anyone seen this before. It seems like a vulnerability that has not yet
been addressed. However, maybe its just a vulnerability in DNS in general.
Any thoughts?
This morning on of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 dns and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).
I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occured to others over the last few weeks, and any
root server problems probably would have been dealt with.
Has anyone seen this before. It seems like a vulnerability that has not yet
been addressed. However, maybe its just a vulnerability in DNS in general.
Any thoughts?
More about : dns spoofing security problems
Archived from groups: microsoft.public.win2000.dns (More info?)
"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning on of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
One wonders:
1) Do you have block Cache Polution (in Advance) enabled
2) Do you know what your Forwarder (ISP or whatever) if
any is doing?
3) How do your Root Hints look?
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
situation.
> It appears that this has occured to others over the last few weeks, and
any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before. It seems like a vulnerability that has not
yet
> been addressed. However, maybe its just a vulnerability in DNS in
general.
> Any thoughts?
--
Herb Martin
>
>
"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning on of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
One wonders:
1) Do you have block Cache Polution (in Advance) enabled
2) Do you know what your Forwarder (ISP or whatever) if
any is doing?
3) How do your Root Hints look?
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
situation.
> It appears that this has occured to others over the last few weeks, and
any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before. It seems like a vulnerability that has not
yet
> been addressed. However, maybe its just a vulnerability in DNS in
general.
> Any thoughts?
--
Herb Martin
>
>
Archived from groups: microsoft.public.win2000.dns (More info?)
The cache pollution is box was checked (and it was before this happened). I
don't have a forwarder set, and I double checked the root hints and they
match another list I found online.
"Herb Martin" <news@LearnQuick.com> wrote in message
news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning on of our DNS servers started responding to all requests
>> with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to
>> wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>
> One wonders:
>
> 1) Do you have block Cache Polution (in Advance) enabled
>
> 2) Do you know what your Forwarder (ISP or whatever) if
> any is doing?
>
> 3) How do your Root Hints look?
>
>
The cache pollution is box was checked (and it was before this happened). I
don't have a forwarder set, and I double checked the root hints and they
match another list I found online.
"Herb Martin" <news@LearnQuick.com> wrote in message
news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning on of our DNS servers started responding to all requests
>> with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to
>> wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>
> One wonders:
>
> 1) Do you have block Cache Polution (in Advance) enabled
>
> 2) Do you know what your Forwarder (ISP or whatever) if
> any is doing?
>
> 3) How do your Root Hints look?
>
>
Archived from groups: microsoft.public.win2000.dns (More info?)
"Chris" <chris23@ic-2000.com> wrote in message
news:TXZxd.14265$Ig6.4458@fe10.lga...
> The cache pollution is box was checked (and it was before this happened).
I
> don't have a forwarder set, and I double checked the root hints and they
> match another list I found online.
>
Darn. I was hoping it was going to be easy.
How about monitoring outgoing requests using
debug logging (in the DNS server properties) and
try to get an idea of where these addresses are
originating....
--
Herb Martin
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> > "Chris" <chris23@ic-2000.com> wrote in message
> > news:irZxd.14260$8V5.9878@fe10.lga...
> >> This morning on of our DNS servers started responding to all requests
> >> with
> >> the same IP address. The only exceptions were sites that the server
was
> >> authoritative for. I fixed it by clearing the cache, but I have to
> >> wonder
> >> how this is happening. This server runs Windows 2000 dns and has the
> >> "secure cache against pollution" option set (and I confirmed it in the
> >> registry).
> >
> > One wonders:
> >
> > 1) Do you have block Cache Polution (in Advance) enabled
> >
> > 2) Do you know what your Forwarder (ISP or whatever) if
> > any is doing?
> >
> > 3) How do your Root Hints look?
> >
> >
>
>
"Chris" <chris23@ic-2000.com> wrote in message
news:TXZxd.14265$Ig6.4458@fe10.lga...
> The cache pollution is box was checked (and it was before this happened).
I
> don't have a forwarder set, and I double checked the root hints and they
> match another list I found online.
>
Darn. I was hoping it was going to be easy.
How about monitoring outgoing requests using
debug logging (in the DNS server properties) and
try to get an idea of where these addresses are
originating....
--
Herb Martin
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> > "Chris" <chris23@ic-2000.com> wrote in message
> > news:irZxd.14260$8V5.9878@fe10.lga...
> >> This morning on of our DNS servers started responding to all requests
> >> with
> >> the same IP address. The only exceptions were sites that the server
was
> >> authoritative for. I fixed it by clearing the cache, but I have to
> >> wonder
> >> how this is happening. This server runs Windows 2000 dns and has the
> >> "secure cache against pollution" option set (and I confirmed it in the
> >> registry).
> >
> > One wonders:
> >
> > 1) Do you have block Cache Polution (in Advance) enabled
> >
> > 2) Do you know what your Forwarder (ISP or whatever) if
> > any is doing?
> >
> > 3) How do your Root Hints look?
> >
> >
>
>
Related ressources
- Identity spoofing ? - Forum
- SPF record in Microsoft DNS - Forum
- They're Out to Get You - An Introduction to I-net Security - Forum
- Possible DNS problem - Forum
- Is There a Virus that Breaks DNS ? - Forum
Archived from groups: microsoft.public.win2000.dns (More info?)
Next time around we really need to get info on what is in the cache,
as obviously that is the source of propagation to your clients.
--
Roger
"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning on of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
situation.
> It appears that this has occured to others over the last few weeks, and
any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before. It seems like a vulnerability that has not
yet
> been addressed. However, maybe its just a vulnerability in DNS in
general.
> Any thoughts?
>
>
Next time around we really need to get info on what is in the cache,
as obviously that is the source of propagation to your clients.
--
Roger
"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning on of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
situation.
> It appears that this has occured to others over the last few weeks, and
any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before. It seems like a vulnerability that has not
yet
> been addressed. However, maybe its just a vulnerability in DNS in
general.
> Any thoughts?
>
>
Archived from groups: microsoft.public.win2000.dns (More info?)
Yeah, I know. I wish I didn't clear it before taking a look at its
contents. If it happens again, I definately will take a look at it.
"Roger Abell" <mvpNoSpam@asu.edu> wrote in message
news:uv1%231GD6EHA.3828@TK2MSFTNGP09.phx.gbl...
> Next time around we really need to get info on what is in the cache,
> as obviously that is the source of propagation to your clients.
> --
> Roger
>
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning on of our DNS servers started responding to all requests
>> with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to
>> wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>>
>> I contacted Microsoft and they had no idea what might be happening. They
>> thought that one of the root servers may have been compromised. I find
> this
>> hard to believe however. I found this link on the web:
>> http://www.atsnn.com/story/105049.html which describes a similar
> situation.
>> It appears that this has occured to others over the last few weeks, and
> any
>> root server problems probably would have been dealt with.
>>
>> Has anyone seen this before. It seems like a vulnerability that has not
> yet
>> been addressed. However, maybe its just a vulnerability in DNS in
> general.
>> Any thoughts?
>>
>>
>
>
Yeah, I know. I wish I didn't clear it before taking a look at its
contents. If it happens again, I definately will take a look at it.
"Roger Abell" <mvpNoSpam@asu.edu> wrote in message
news:uv1%231GD6EHA.3828@TK2MSFTNGP09.phx.gbl...
> Next time around we really need to get info on what is in the cache,
> as obviously that is the source of propagation to your clients.
> --
> Roger
>
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning on of our DNS servers started responding to all requests
>> with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to
>> wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>>
>> I contacted Microsoft and they had no idea what might be happening. They
>> thought that one of the root servers may have been compromised. I find
> this
>> hard to believe however. I found this link on the web:
>> http://www.atsnn.com/story/105049.html which describes a similar
> situation.
>> It appears that this has occured to others over the last few weeks, and
> any
>> root server problems probably would have been dealt with.
>>
>> Has anyone seen this before. It seems like a vulnerability that has not
> yet
>> been addressed. However, maybe its just a vulnerability in DNS in
> general.
>> Any thoughts?
>>
>>
>
>
Archived from groups: microsoft.public.win2000.dns (More info?)
In news:TXZxd.14265$Ig6.4458@fe10.lga,
Chris <chris23@ic-2000.com> made a post then I commented below
:: The cache pollution is box was checked (and it was before this
:: happened). I don't have a forwarder set, and I double checked the
:: root hints and they match another list I found online.
IIRC, the last time I saw this happening, a forwarder took care of it. There
was another issue where a spyware piece was constantly querying
doubleclick.net's nameservers, which are misconfigured, and causing Event ID
5504 errors. When the admin blocked all of their nameservers at the
firewall, the errors stopped.
What Event ID are you getting?
--
Regards,
Ace
G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
In news:TXZxd.14265$Ig6.4458@fe10.lga,
Chris <chris23@ic-2000.com> made a post then I commented below
:: The cache pollution is box was checked (and it was before this
:: happened). I don't have a forwarder set, and I double checked the
:: root hints and they match another list I found online.
IIRC, the last time I saw this happening, a forwarder took care of it. There
was another issue where a spyware piece was constantly querying
doubleclick.net's nameservers, which are misconfigured, and causing Event ID
5504 errors. When the admin blocked all of their nameservers at the
firewall, the errors stopped.
What Event ID are you getting?
--
Regards,
Ace
G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Related ressources:
- ForumWindows 7 Unidentified Network Terror Returns [Help meeeee]
- ForumMajor problems roaming between access points
- ForumAtheros ar5007 802 11 b/g wifi adapter
- ForumNAT is not a mechanism for securing a network.. but.. HELP!
- ForumIs my network secure enough now?!?
- ForumLosing DNS lookup, without losing ISP Connection
- ForumShare internet access between two separate networks
- ForumWin2K3 DNS Error 5504
- ForumReverse DNS and mail server
- ForumCreating zone on my 'internal' DNS servers to allow unique..
- ForumF7D2301 Belkin Router admin lock out
- ForumParallel and com ports not appearing in device manager
- ForumPrivate address registered in DNS
- ForumRandom DNS Wierdness on 2000 DC
- ForumDNS and remote Exchange via RPC
- More resources
!
