DNS cache corruption

Archived from groups: microsoft.public.win2000.dns

I have a horribly confusing problem. Have a client who three times in the
last week has had every entry in their DNS cache on a Windows 2000 server
set to the same IP address. The address, all three times, resolves to
www.jothan.com. Every website not resolved directly by the internal DNS
server redirects to jothan.com. The reason I worry about this is that this
is a site run by Jothan Frakes who is a DNS TLD expert influential with
ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
every entry back to the IP of www.jothan.com. If I restart the DNS server,
then clear the cache it is fine for a day or so.

The second worry I have is that this issue started first thing the morning
of April Fools' Day.

Anyone with any idea whatsoever? They are using root hints and we switched
to forwarders, just in case.

Kevin Nickell
4 answers
  1. Archived from groups: microsoft.public.win2000.dns

    "Microsoft support" <knickell@yahoo_.com> wrote:

    >I have a horribly confusing problem. Have a client who three times in the
    >last week has had every entry in their DNS cache on a Windows 2000 server
    >set to the same IP address. The address, all three times, resolves to
    >www.jothan.com. Every website not resolved directly by the internal DNS
    >server redirects to jothan.com. The reason I worry about this is that this
    >is a site run by Jothan Frakes who is a DNS TLD expert influential with
    >ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
    >every entry back to the IP of www.jothan.com. If I restart the DNS server,
    >then clear the cache it is fine for a day or so.
    >
    >The second worry I have is that this issue started first thing the morning
    >of April Fools' Day.
    >
    >Anyone with any idea whatsoever? They are using root hints and we switched
    >to forwarders, just in case.
    >
    >Kevin Nickell
    >

    Have you enabled DNS Cache Pollution protection? In the DNS MMC,
    right click on the server name, Properties, Advanced, "Secure Against
    DNS Cache Pollution".

    Sincerely,
    Brian S. Bergin
    Terabyte Computers, Inc.

    Please post replies here so everyone may benefit.

    NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
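As an added example, not code from the thread or from Microsoft: a small Python sketch of what "Secure Against DNS Cache Pollution" does (the resolver drops records in a reply whose owner name falls outside the zone the responding server is authoritative for, so one reply cannot plant addresses for unrelated names), plus an audit that flags the symptom described above, many cached names collapsing onto a single address. The zone names, addresses, and the `in_bailiwick`, `filter_response` and `audit_cache` helpers are assumptions constructed for illustration.

```python
"""Bailiwick filtering and a cache-poisoning symptom check (constructed example)."""
from collections import Counter

# Constructed reply from the name servers of example.test: three in-zone
# records plus one record for an unrelated name that a resolver must not cache.
SAMPLE_RESPONSE = [
    ("www.example.test", "A", "198.51.100.7"),
    ("example.test", "NS", "ns1.example.test"),
    ("ns1.example.test", "A", "198.51.100.2"),   # legitimate in-zone glue
    ("www.victim.test", "A", "192.0.2.10"),      # out of bailiwick: drop it
]

# Constructed cache listing (name, address): six unrelated names already
# point at one address, the pattern reported in the thread.
SAMPLE_CACHE = [(f"site{i}.test", "192.0.2.10") for i in range(6)] + [
    ("ns1.example.test", "198.51.100.2"),
    ("www.example.test", "198.51.100.7"),
]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it (case- and dot-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records):
    """Split a reply into records a pollution-aware resolver keeps and ones it drops.
    Only records whose owner name is inside the answering server's zone are kept."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped


def audit_cache(cache, threshold=0.5, min_names=5):
    """Return the address dominating the cache if at least min_names entries and
    more than threshold of all entries resolve to it, otherwise None."""
    if not cache:
        return None
    ip, n = Counter(ip for _, ip in cache).most_common(1)[0]
    return ip if n >= min_names and n / len(cache) > threshold else None


if __name__ == "__main__":
    kept, dropped = filter_response("example.test", SAMPLE_RESPONSE)
    print("dropped:", dropped)                    # the www.victim.test record
    print("suspect address:", audit_cache(SAMPLE_CACHE))  # 192.0.2.10
```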
  2. Archived from groups: microsoft.public.win2000.dns

    You might be interested in the following link:
    http://isc.sans.org/presentations/dnspoisoning.php

    SANS raised their warning level due to this problem today, 5 April, 05.

    Only seems to affect Windows DNS servers.

    B

    Kevin Nickell wrote:
    > Thanks. I will try that. Microsoft also has us running a bunch of kernel
    > scanners to see if the local machine has been compromised. No Spyware,
    > Adware or viral activity is found. Nothing in any task scheduler. No
    > unknown processes or services running....
    >
    > Weird.
    >
    > Kevin
    >
    > "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in message
    > news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
  3. Archived from groups: microsoft.public.win2000.dns

    Thanks. I will try that. Microsoft also has us running a bunch of kernel
    scanners to see if the local machine has been compromised. No Spyware,
    Adware or viral activity is found. Nothing in any task scheduler. No
    unknown processes or services running....

    Weird.

    Kevin

    "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in message
    news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
    > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
    > right click on the server name, Properties, Advanced, "Secure Against
    > DNS Cache Pollution".
    >
    > Sincerely,
    > Brian S. Bergin
    > Terabyte Computers, Inc.
    >
    > Please post replies here so everyone may benefit.
  4. Archived from groups: microsoft.public.win2000.dns

    An added aside. I have conversed with Jothan Frakes since and it is obvious
    he is not behind this attack, just an unfortunate victim.
    <bntjnk@yahoo.com> wrote in message
    news:1112740107.164401.77630@o13g2000cwo.googlegroups.com...
    > You might be interested in the following link:
    > http://isc.sans.org/presentations/dnspoisoning.php
    >
    > SANS raised their warning level due to this problem today, 5 April, 05.
    >
    > Only seems to affect Windows DNS servers.
    >
    > B
    >