DNS spoofing - security problems...

December 21, 2004 3:50:42 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

This morning one of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 dns and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).

I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occurred to others over the last few weeks, and any
root server problems probably would have been dealt with.

Has anyone seen this before? It seems like a vulnerability that has not yet
been addressed. However, maybe it's just a vulnerability in DNS in general.
Any thoughts?
Anonymous
December 21, 2004 3:50:43 PM


"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning one of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).

One wonders:

1) Do you have block Cache Pollution (in Advanced) enabled?

2) Do you know what your Forwarder (ISP or whatever) if
any is doing?

3) How do your Root Hints look?


> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar situation.
> It appears that this has occurred to others over the last few weeks, and any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before? It seems like a vulnerability that has not yet
> been addressed. However, maybe it's just a vulnerability in DNS in general.
> Any thoughts?


--
Herb Martin

December 21, 2004 4:25:24 PM


The cache pollution box was checked (and it was before this happened). I
don't have a forwarder set, and I double checked the root hints and they
match another list I found online.

"Herb Martin" <news@LearnQuick.com> wrote in message
news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning one of our DNS servers started responding to all requests with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>
> One wonders:
>
> 1) Do you have block Cache Pollution (in Advanced) enabled?
>
> 2) Do you know what your Forwarder (ISP or whatever) if
> any is doing?
>
> 3) How do your Root Hints look?
Anonymous
December 21, 2004 6:23:46 PM


"Chris" <chris23@ic-2000.com> wrote in message
news:TXZxd.14265$Ig6.4458@fe10.lga...
> The cache pollution box was checked (and it was before this happened). I
> don't have a forwarder set, and I double checked the root hints and they
> match another list I found online.

Darn. I was hoping it was going to be easy.

How about monitoring outgoing requests using
debug logging (in the DNS server properties) and
try to get an idea of where these addresses are
originating....

--
Herb Martin


> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eQ8RTh45EHA.824@TK2MSFTNGP11.phx.gbl...
> > "Chris" <chris23@ic-2000.com> wrote in message
> > news:irZxd.14260$8V5.9878@fe10.lga...
> >> This morning one of our DNS servers started responding to all requests with
> >> the same IP address. The only exceptions were sites that the server was
> >> authoritative for. I fixed it by clearing the cache, but I have to wonder
> >> how this is happening. This server runs Windows 2000 dns and has the
> >> "secure cache against pollution" option set (and I confirmed it in the
> >> registry).
> >
> > One wonders:
> >
> > 1) Do you have block Cache Pollution (in Advanced) enabled?
> >
> > 2) Do you know what your Forwarder (ISP or whatever) if
> > any is doing?
> >
> > 3) How do your Root Hints look?
Anonymous
December 22, 2004 10:25:24 AM


Next time around we really need to get info on what is in the cache,
as obviously that is the source of propagation to your clients.
--
Roger

"Chris" <chris23@ic-2000.com> wrote in message
news:irZxd.14260$8V5.9878@fe10.lga...
> This morning one of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 dns and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find this
> hard to believe however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar situation.
> It appears that this has occurred to others over the last few weeks, and any
> root server problems probably would have been dealt with.
>
> Has anyone seen this before? It seems like a vulnerability that has not yet
> been addressed. However, maybe it's just a vulnerability in DNS in general.
> Any thoughts?
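Herb's debug-logging suggestion and Roger's point about inspecting the cache both come down to one triage question: which names were answered with the suspicious address, and which upstream server handed those answers out. The script below is an added example, not code from the thread; it reads a constructed, simplified one-line-per-answer format (not the real Windows DNS debug log format, which needs its own parser), and every server address and name in it is made up.

```python
"""Triage helper for a caching DNS server that answers many unrelated
names with a single IP address. Flags addresses shared by unusually many
names, reports which upstream servers supplied them, and lists names
that received conflicting answers from different upstreams."""
from collections import defaultdict

# Constructed sample, one answer record per line:
# "<upstream_ip> <qname> <rtype> <rdata>"  (invented format for this example)
SAMPLE_LOG = """\
198.51.100.7 www.example.com. A 203.0.113.5
198.51.100.7 mail.example.net. A 203.0.113.5
198.51.100.7 shop.example.org. A 203.0.113.5
198.51.100.7 ns1.example.org. A 203.0.113.5
192.0.2.10 www.example.com. A 93.184.216.34
192.0.2.11 news.example.net. A 198.51.100.44
192.0.2.10 www.example.com. NS ns1.example.com.
"""

def parse_answers(text):
    """Yield (upstream, qname, rdata) for A records; skip other types and
    malformed lines. Names are normalised to lowercase without the root dot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        upstream, qname, _, rdata = parts
        yield upstream, qname.lower().rstrip("."), rdata

def find_shared_answers(text, min_names=3):
    """Return {ip: {"names": [...], "sources": [...]}} for each address handed
    out for at least min_names distinct names. Legitimately shared addresses
    (virtual hosting, CDNs) also match, so treat hits as leads, not verdicts."""
    names = defaultdict(set)
    sources = defaultdict(set)
    for upstream, qname, rdata in parse_answers(text):
        names[rdata].add(qname)
        sources[rdata].add(upstream)
    return {ip: {"names": sorted(n), "sources": sorted(sources[ip])}
            for ip, n in names.items() if len(n) >= min_names}

def conflicting_names(text):
    """Names whose A answers disagree across upstreams: {qname: [(upstream, ip)]}."""
    seen = defaultdict(set)
    for upstream, qname, rdata in parse_answers(text):
        seen[qname].add((upstream, rdata))
    return {q: sorted(s) for q, s in seen.items() if len({ip for _, ip in s}) > 1}

if __name__ == "__main__":
    for ip, info in find_shared_answers(SAMPLE_LOG).items():
        print(ip, "answers", len(info["names"]), "names; supplied by", info["sources"])
    for qname, answers in conflicting_names(SAMPLE_LOG).items():
        print("conflicting answers for", qname, answers)
```

Run against a real export, the shared-address report points at the records worth comparing with an authoritative lookup, and the source list shows which upstream to ask about first.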
December 23, 2004 1:17:51 PM


Yeah, I know. I wish I didn't clear it before taking a look at its
contents. If it happens again, I definitely will take a look at it.

"Roger Abell" <mvpNoSpam@asu.edu> wrote in message
news:uv1%231GD6EHA.3828@TK2MSFTNGP09.phx.gbl...
> Next time around we really need to get info on what is in the cache,
> as obviously that is the source of propagation to your clients.
> --
> Roger
>
> "Chris" <chris23@ic-2000.com> wrote in message
> news:irZxd.14260$8V5.9878@fe10.lga...
>> This morning one of our DNS servers started responding to all requests with
>> the same IP address. The only exceptions were sites that the server was
>> authoritative for. I fixed it by clearing the cache, but I have to wonder
>> how this is happening. This server runs Windows 2000 dns and has the
>> "secure cache against pollution" option set (and I confirmed it in the
>> registry).
>>
>> I contacted Microsoft and they had no idea what might be happening. They
>> thought that one of the root servers may have been compromised. I find this
>> hard to believe however. I found this link on the web:
>> http://www.atsnn.com/story/105049.html which describes a similar situation.
>> It appears that this has occurred to others over the last few weeks, and any
>> root server problems probably would have been dealt with.
>>
>> Has anyone seen this before? It seems like a vulnerability that has not yet
>> been addressed. However, maybe it's just a vulnerability in DNS in general.
>> Any thoughts?
Anonymous
December 25, 2004 5:02:04 PM


In news:TXZxd.14265$Ig6.4458@fe10.lga,
Chris <chris23@ic-2000.com> made a post then I commented below
:: The cache pollution box was checked (and it was before this
:: happened). I don't have a forwarder set, and I double checked the
:: root hints and they match another list I found online.

IIRC, the last time I saw this happening, a forwarder took care of it. There
was another issue where a spyware piece was constantly querying
doubleclick.net's nameservers, which are misconfigured, and causing Event ID
5504 errors. When the admin blocked all of their nameservers at the
firewall, the errors stopped.

What Event ID are you getting?


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.