DNS cache corruption
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.dns (More info?)
I have a horribly confusing problem. Have a client who three times in the
last week has had every entry in their DNS cache on a windows 2000 server
set to the same IP address. The address, all three times, resolves to
www.jothan.com. Every website not resolved directly by the internal DNS
server redirects to jothan.com. The reason I worry about this is that this
is a site run by Jothan Frakes who is a DNS TLD expert influential with
ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
every entry back to the ip of www.jothan.com. If I restart the DNS server,
then clear the cache it is fine for a day or so.
The second worry I have is that this issue started first thing the morning
of April fools day.
Anyone with any idea whatsoever? They are using root hints and we switched
to forwarders, just in case.
Kevin Nickell
I have a horribly confusing problem. Have a client who three times in the
last week has had every entry in their DNS cache on a windows 2000 server
set to the same IP address. The address, all three times, resolves to
www.jothan.com. Every website not resolved directly by the internal DNS
server redirects to jothan.com. The reason I worry about this is that this
is a site run by Jothan Frakes who is a DNS TLD expert influential with
ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
every entry back to the ip of www.jothan.com. If I restart the DNS server,
then clear the cache it is fine for a day or so.
The second worry I have is that this issue started first thing the morning
of April fools day.
Anyone with any idea whatsoever? They are using root hints and we switched
to forwarders, just in case.
Kevin Nickell
More about : dns cache corruption
Archived from groups: microsoft.public.win2000.dns (More info?)
"Microsoft support" <knickell@yahoo_.com> wrote:
>I have a horribly confusing problem. Have a client who three times in the
>last week has had every entry in their DNS cache on a windows 2000 server
>set to the same IP address. The address, all three times, resolves to
>www.jothan.com. Every website not resolved directly by the internal DNS
>server redirects to jothan.com. The reason I worry about this is that this
>is a site run by Jothan Frakes who is a DNS TLD expert influential with
>ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
>every entry back to the ip of www.jothan.com. If I restart the DNS server,
>then clear the cache it is fine for a day or so.
>
>The second worry I have is that this issue started first thing the morning
>of April fools day.
>
>Anyone with any idea whatsoever? They are using root hints and we switched
>to forwarders, just in case.
>
>Kevin Nickell
>
Have you enabled DNS Cache Pollution protection? In the DNS MMC,
right click on the server name, Properties, Advanced, "Secure Against
DNS Cache Pollution".
Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
Please post replies here so everyone may benefit.
NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
"Microsoft support" <knickell@yahoo_.com> wrote:
>I have a horribly confusing problem. Have a client who three times in the
>last week has had every entry in their DNS cache on a windows 2000 server
>set to the same IP address. The address, all three times, resolves to
>www.jothan.com. Every website not resolved directly by the internal DNS
>server redirects to jothan.com. The reason I worry about this is that this
>is a site run by Jothan Frakes who is a DNS TLD expert influential with
>ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
>every entry back to the ip of www.jothan.com. If I restart the DNS server,
>then clear the cache it is fine for a day or so.
>
>The second worry I have is that this issue started first thing the morning
>of April fools day.
>
>Anyone with any idea whatsoever? They are using root hints and we switched
>to forwarders, just in case.
>
>Kevin Nickell
>
Have you enabled DNS Cache Pollution protection? In the DNS MMC,
right click on the server name, Properties, Advanced, "Secure Against
DNS Cache Pollution".
Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.
Please post replies here so everyone may benefit.
NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
Archived from groups: microsoft.public.win2000.dns (More info?)
You might be interested in the following link:
http://isc.sans.org/presentations/dnspoisoning.php
SANS raised their warning level due this problem today, 5 April, 05.
Only seems to effect windows DNS servers.
B
Kevin Nickell wrote:
> Thanks. I will try that. Microsoft also has us running a bunch of
kernel
> scanners to see if the local machine has been comprimised. No
Spyware,
> Adware or viral activity is found. Nothing in any task scheduler.
No
> unknown processes or services running....
>
> Wierd.
>
> Kevin
>
> "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in
message
> news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
> > "Microsoft support" <knickell@yahoo_.com> wrote:
> >
> >>I have a horribly confusing problem. Have a client who three times
in the
> >>last week has had every entry in their DNS cache on a windows 2000
server
> >>set to the same IP address. The address, all three times, resolves
to
> >>www.jothan.com. Every website not resolved directly by the
internal DNS
> >>server redirects to jothan.com. The reason I worry about this is
that
> >>this
> >>is a site run by Jothan Frakes who is a DNS TLD expert influential
with
> >>ICANN. If I simply clear the DNS cache, it is not fixed and the
cache
> >>sets
> >>every entry back to the ip of www.jothan.com. If I restart the DNS
> >>server,
> >>then clear the cache it is fine for a day or so.
> >>
> >>The second worry I have is that this issue started first thing the
morning
> >>of April fools day.
> >>
> >>Anyone with any idea whatsoever? They are using root hints and we
> >>switched
> >>to forwarders, just in case.
> >>
> >>Kevin Nickell
> >>
> >
> > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
> > right click on the server name, Properties, Advanced, "Secure
Against
> > DNS Cache Pollution".
> >
> > Sincerely,
> > Brian S. Bergin
> > Terabyte Computers, Inc.
> >
> > Please post replies here so everyone may benefit.
> >
> > NOTICE: Use of this information is contingent upon acceptance of
Paragraph
> > 17 of Terabyte's Terms and conditions located at
> > http://terabyte.net/terms.htm#postings.
You might be interested in the following link:
http://isc.sans.org/presentations/dnspoisoning.php
SANS raised their warning level due this problem today, 5 April, 05.
Only seems to effect windows DNS servers.
B
Kevin Nickell wrote:
> Thanks. I will try that. Microsoft also has us running a bunch of
kernel
> scanners to see if the local machine has been comprimised. No
Spyware,
> Adware or viral activity is found. Nothing in any task scheduler.
No
> unknown processes or services running....
>
> Wierd.
>
> Kevin
>
> "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in
message
> news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
> > "Microsoft support" <knickell@yahoo_.com> wrote:
> >
> >>I have a horribly confusing problem. Have a client who three times
in the
> >>last week has had every entry in their DNS cache on a windows 2000
server
> >>set to the same IP address. The address, all three times, resolves
to
> >>www.jothan.com. Every website not resolved directly by the
internal DNS
> >>server redirects to jothan.com. The reason I worry about this is
that
> >>this
> >>is a site run by Jothan Frakes who is a DNS TLD expert influential
with
> >>ICANN. If I simply clear the DNS cache, it is not fixed and the
cache
> >>sets
> >>every entry back to the ip of www.jothan.com. If I restart the DNS
> >>server,
> >>then clear the cache it is fine for a day or so.
> >>
> >>The second worry I have is that this issue started first thing the
morning
> >>of April fools day.
> >>
> >>Anyone with any idea whatsoever? They are using root hints and we
> >>switched
> >>to forwarders, just in case.
> >>
> >>Kevin Nickell
> >>
> >
> > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
> > right click on the server name, Properties, Advanced, "Secure
Against
> > DNS Cache Pollution".
> >
> > Sincerely,
> > Brian S. Bergin
> > Terabyte Computers, Inc.
> >
> > Please post replies here so everyone may benefit.
> >
> > NOTICE: Use of this information is contingent upon acceptance of
Paragraph
> > 17 of Terabyte's Terms and conditions located at
> > http://terabyte.net/terms.htm#postings.
Archived from groups: microsoft.public.win2000.dns (More info?)
Thanks. I will try that. Microsoft also has us running a bunch of kernel
scanners to see if the local machine has been comprimised. No Spyware,
Adware or viral activity is found. Nothing in any task scheduler. No
unknown processes or services running....
Wierd.
Kevin
"Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in message
news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
> "Microsoft support" <knickell@yahoo_.com> wrote:
>
>>I have a horribly confusing problem. Have a client who three times in the
>>last week has had every entry in their DNS cache on a windows 2000 server
>>set to the same IP address. The address, all three times, resolves to
>>www.jothan.com. Every website not resolved directly by the internal DNS
>>server redirects to jothan.com. The reason I worry about this is that
>>this
>>is a site run by Jothan Frakes who is a DNS TLD expert influential with
>>ICANN. If I simply clear the DNS cache, it is not fixed and the cache
>>sets
>>every entry back to the ip of www.jothan.com. If I restart the DNS
>>server,
>>then clear the cache it is fine for a day or so.
>>
>>The second worry I have is that this issue started first thing the morning
>>of April fools day.
>>
>>Anyone with any idea whatsoever? They are using root hints and we
>>switched
>>to forwarders, just in case.
>>
>>Kevin Nickell
>>
>
> Have you enabled DNS Cache Pollution protection? In the DNS MMC,
> right click on the server name, Properties, Advanced, "Secure Against
> DNS Cache Pollution".
>
> Sincerely,
> Brian S. Bergin
> Terabyte Computers, Inc.
>
> Please post replies here so everyone may benefit.
>
> NOTICE: Use of this information is contingent upon acceptance of Paragraph
> 17 of Terabyte's Terms and conditions located at
> http://terabyte.net/terms.htm#postings.
Thanks. I will try that. Microsoft also has us running a bunch of kernel
scanners to see if the local machine has been comprimised. No Spyware,
Adware or viral activity is found. Nothing in any task scheduler. No
unknown processes or services running....
Wierd.
Kevin
"Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in message
news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
> "Microsoft support" <knickell@yahoo_.com> wrote:
>
>>I have a horribly confusing problem. Have a client who three times in the
>>last week has had every entry in their DNS cache on a windows 2000 server
>>set to the same IP address. The address, all three times, resolves to
>>www.jothan.com. Every website not resolved directly by the internal DNS
>>server redirects to jothan.com. The reason I worry about this is that
>>this
>>is a site run by Jothan Frakes who is a DNS TLD expert influential with
>>ICANN. If I simply clear the DNS cache, it is not fixed and the cache
>>sets
>>every entry back to the ip of www.jothan.com. If I restart the DNS
>>server,
>>then clear the cache it is fine for a day or so.
>>
>>The second worry I have is that this issue started first thing the morning
>>of April fools day.
>>
>>Anyone with any idea whatsoever? They are using root hints and we
>>switched
>>to forwarders, just in case.
>>
>>Kevin Nickell
>>
>
> Have you enabled DNS Cache Pollution protection? In the DNS MMC,
> right click on the server name, Properties, Advanced, "Secure Against
> DNS Cache Pollution".
>
> Sincerely,
> Brian S. Bergin
> Terabyte Computers, Inc.
>
> Please post replies here so everyone may benefit.
>
> NOTICE: Use of this information is contingent upon acceptance of Paragraph
> 17 of Terabyte's Terms and conditions located at
> http://terabyte.net/terms.htm#postings.
Archived from groups: microsoft.public.win2000.dns (More info?)
An added aside. I have conversed with Jothan Frakes since and it is obvious
he is not behind this attack, just an unfortunate victim.
<bntjnk@yahoo.com> wrote in message
news:1112740107.164401.77630@o13g2000cwo.googlegroups.com...
> You might be interested in the following link:
> http://isc.sans.org/presentations/dnspoisoning.php
>
> SANS raised their warning level due this problem today, 5 April, 05.
>
> Only seems to effect windows DNS servers.
>
> B
>
> Kevin Nickell wrote:
>> Thanks. I will try that. Microsoft also has us running a bunch of
> kernel
>> scanners to see if the local machine has been comprimised. No
> Spyware,
>> Adware or viral activity is found. Nothing in any task scheduler.
> No
>> unknown processes or services running....
>>
>> Wierd.
>>
>> Kevin
>>
>> "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in
> message
>> news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
>> > "Microsoft support" <knickell@yahoo_.com> wrote:
>> >
>> >>I have a horribly confusing problem. Have a client who three times
> in the
>> >>last week has had every entry in their DNS cache on a windows 2000
> server
>> >>set to the same IP address. The address, all three times, resolves
> to
>> >>www.jothan.com. Every website not resolved directly by the
> internal DNS
>> >>server redirects to jothan.com. The reason I worry about this is
> that
>> >>this
>> >>is a site run by Jothan Frakes who is a DNS TLD expert influential
> with
>> >>ICANN. If I simply clear the DNS cache, it is not fixed and the
> cache
>> >>sets
>> >>every entry back to the ip of www.jothan.com. If I restart the DNS
>
>> >>server,
>> >>then clear the cache it is fine for a day or so.
>> >>
>> >>The second worry I have is that this issue started first thing the
> morning
>> >>of April fools day.
>> >>
>> >>Anyone with any idea whatsoever? They are using root hints and we
>> >>switched
>> >>to forwarders, just in case.
>> >>
>> >>Kevin Nickell
>> >>
>> >
>> > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
>> > right click on the server name, Properties, Advanced, "Secure
> Against
>> > DNS Cache Pollution".
>> >
>> > Sincerely,
>> > Brian S. Bergin
>> > Terabyte Computers, Inc.
>> >
>> > Please post replies here so everyone may benefit.
>> >
>> > NOTICE: Use of this information is contingent upon acceptance of
> Paragraph
>> > 17 of Terabyte's Terms and conditions located at
>> > http://terabyte.net/terms.htm#postings.
>
An added aside. I have conversed with Jothan Frakes since and it is obvious
he is not behind this attack, just an unfortunate victim.
<bntjnk@yahoo.com> wrote in message
news:1112740107.164401.77630@o13g2000cwo.googlegroups.com...
> You might be interested in the following link:
> http://isc.sans.org/presentations/dnspoisoning.php
>
> SANS raised their warning level due this problem today, 5 April, 05.
>
> Only seems to effect windows DNS servers.
>
> B
>
> Kevin Nickell wrote:
>> Thanks. I will try that. Microsoft also has us running a bunch of
> kernel
>> scanners to see if the local machine has been comprimised. No
> Spyware,
>> Adware or viral activity is found. Nothing in any task scheduler.
> No
>> unknown processes or services running....
>>
>> Wierd.
>>
>> Kevin
>>
>> "Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in
> message
>> news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
>> > "Microsoft support" <knickell@yahoo_.com> wrote:
>> >
>> >>I have a horribly confusing problem. Have a client who three times
> in the
>> >>last week has had every entry in their DNS cache on a windows 2000
> server
>> >>set to the same IP address. The address, all three times, resolves
> to
>> >>www.jothan.com. Every website not resolved directly by the
> internal DNS
>> >>server redirects to jothan.com. The reason I worry about this is
> that
>> >>this
>> >>is a site run by Jothan Frakes who is a DNS TLD expert influential
> with
>> >>ICANN. If I simply clear the DNS cache, it is not fixed and the
> cache
>> >>sets
>> >>every entry back to the ip of www.jothan.com. If I restart the DNS
>
>> >>server,
>> >>then clear the cache it is fine for a day or so.
>> >>
>> >>The second worry I have is that this issue started first thing the
> morning
>> >>of April fools day.
>> >>
>> >>Anyone with any idea whatsoever? They are using root hints and we
>> >>switched
>> >>to forwarders, just in case.
>> >>
>> >>Kevin Nickell
>> >>
>> >
>> > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
>> > right click on the server name, Properties, Advanced, "Secure
> Against
>> > DNS Cache Pollution".
>> >
>> > Sincerely,
>> > Brian S. Bergin
>> > Terabyte Computers, Inc.
>> >
>> > Please post replies here so everyone may benefit.
>> >
>> > NOTICE: Use of this information is contingent upon acceptance of
> Paragraph
>> > 17 of Terabyte's Terms and conditions located at
>> > http://terabyte.net/terms.htm#postings.
>
Related ressources:
- ForumDNS Cache
- ForumWindows 7 DNS Issue - A doozie
- ForumWindows 2000 DNS problems
- ForumLocal machine - DNS issues?
- ForumDns cache poisoning attack alert HELP
- ForumClearing the dns cache
- ForumDNS cache help
- Forumapparent DNS resolution issie with Dell 8200 -I'm stuck
- ForumPotential DNS / routing issue
- Forummy friends comp has problem with dns cache
- ForumDNS Cache broken?
- ForumCannot clear DNS cache
- ForumDoes DNS cache forwarder lookups?
- ForumSecuring against DNS cache poisoning with AD integrated DNS
- Forumdns cache problem
- ForumDns Cache -- Thanks for any help
- ForumDNS Cache Issue
- ForumParallel and com ports not appearing in device manager
- ForumDns problem seeing the domain
- ForumDNS and NT-domain
- More resources
!
