DNS cache corruption

Anonymous
April 4, 2005 10:10:37 PM

Archived from groups: microsoft.public.win2000.dns

I have a horribly confusing problem. Have a client who three times in the
last week has had every entry in their DNS cache on a Windows 2000 server
set to the same IP address. The address, all three times, resolves to
www.jothan.com. Every website not resolved directly by the internal DNS
server redirects to jothan.com. The reason I worry about this is that this
is a site run by Jothan Frakes who is a DNS TLD expert influential with
ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
every entry back to the IP of www.jothan.com. If I restart the DNS server,
then clear the cache, it is fine for a day or so.

The second worry I have is that this issue started first thing the morning
of April Fools' Day.

Anyone with any idea whatsoever? They are using root hints and we switched
to forwarders, just in case.

Kevin Nickell
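
The symptom described above, many unrelated cached names collapsing onto one address, can be checked for mechanically. The Python below is an added example, not from the thread or from any Microsoft tool: it scans a constructed cache listing for an address that dominates the cache; the "name TTL type rdata" line format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of a resolver cache reduced to "name TTL type rdata"
# lines (not real output of any Windows tool); five unrelated names all
# point at one address, the symptom described in the post.
SAMPLE_CACHE = """\
www.example.com.       3600  A   192.0.2.10
mail.example.com.      3600  A   192.0.2.10
www.example.net.       1800  A   192.0.2.10
cdn.example.org.        300  A   192.0.2.10
ns1.example.org.      86400  A   192.0.2.10
intranet.corp.example.  600  A   10.0.0.5
example.com.           3600  NS  ns1.example.com.
"""

def parse_cache(text):
    """Return (name, type, rdata) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, _ttl, rtype, rdata = parts[:4]
        records.append((name.lower(), rtype.upper(), rdata.lower()))
    return records

def find_dominant_ip(records, min_names=4, min_share=0.6):
    """Flag a cache in which one address answers for most cached names.

    Returns (ip, sorted_names) when a single IP holds A records for at
    least `min_names` distinct names and at least `min_share` of all
    names that have an A record; otherwise None. A healthy cache spreads
    names across many addresses, so a dominant IP deserves a look.
    """
    names_by_ip = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "A":
            names_by_ip[rdata].add(name)
    if not names_by_ip:
        return None
    total = len(set().union(*names_by_ip.values()))
    ip, names = max(names_by_ip.items(), key=lambda kv: len(kv[1]))
    if len(names) >= min_names and len(names) / total >= min_share:
        return ip, sorted(names)
    return None

if __name__ == "__main__":
    print("suspicious:", find_dominant_ip(parse_cache(SAMPLE_CACHE)))
```

Run against a real cache listing after normalising it to the same four columns; a hit on an address the organisation does not own is the cue to restart the service and review the pollution-protection setting.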


Anonymous
April 5, 2005 11:48:06 AM


"Microsoft support" <knickell@yahoo_.com> wrote:


Have you enabled DNS Cache Pollution protection? In the DNS MMC,
right click on the server name, Properties, Advanced, "Secure Against
DNS Cache Pollution".

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.

Please post replies here so everyone may benefit.

NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
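
The setting Brian names works by discarding records whose owner name falls outside the zone of the server that answered (a bailiwick check), so an unsolicited A record for some other domain never reaches the cache. The Python below is an added illustration of that rule, not Microsoft's implementation; the record layout and the example.net/example.org names are constructed.

```python
# Constructed response as returned by a server authoritative for example.net.
# (sample data, not a real capture). The last additional record claims an
# address for a name outside that server's authority.
RESPONSE = [
    {"section": "answer",     "name": "www.example.net.", "type": "A",  "rdata": "192.0.2.10"},
    {"section": "authority",  "name": "example.net.",     "type": "NS", "rdata": "ns1.example.net."},
    {"section": "additional", "name": "ns1.example.net.", "type": "A",  "rdata": "192.0.2.53"},
    {"section": "additional", "name": "www.example.org.", "type": "A",  "rdata": "198.51.100.7"},
]

def _labels(name):
    """Split a domain name into lowercase labels; the root becomes []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True when `owner` is `zone` itself or a name beneath it.

    Comparison is label-wise, so notexample.net is NOT under example.net
    even though it ends with the same characters.
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone, records):
    """Split a response into records the cache may accept and records
    it must discard because their owner name is outside the zone the
    queried server is authoritative for."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec["name"], zone) else rejected).append(rec)
    return accepted, rejected

if __name__ == "__main__":
    ok, dropped = filter_response("example.net.", RESPONSE)
    for rec in dropped:
        print("discarded out-of-bailiwick record:", rec["name"], rec["rdata"])
```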
Anonymous
April 5, 2005 7:28:27 PM


You might be interested in the following link:
http://isc.sans.org/presentations/dnspoisoning.php

SANS raised their warning level due to this problem today, 5 April 05.

Only seems to affect Windows DNS servers.

B

Kevin Nickell wrote:
Anonymous
April 5, 2005 8:15:13 PM


Thanks. I will try that. Microsoft also has us running a bunch of kernel
scanners to see if the local machine has been compromised. No spyware,
adware or viral activity is found. Nothing in any task scheduler. No
unknown processes or services running....

Weird.

Kevin

"Brian S. Bergin" <net.terabyte@mspublicnntp.reverse> wrote in message
news:aku451tkceg2eroef6hte8clvtkgelaimc@4ax.com...
Anonymous
April 22, 2005 7:45:33 PM


An added aside. I have conversed with Jothan Frakes since and it is obvious
he is not behind this attack, just an unfortunate victim.
<bntjnk@yahoo.com> wrote in message
news:1112740107.164401.77630@o13g2000cwo.googlegroups.com...