potential DNS security issue

Chris

Archived from groups: microsoft.public.win2000.security

I posted this to the dns group, but thought it might be appropriate here
too. I think this is a security issue as well:

This morning one of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 DNS and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).

I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe, however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occurred to others over the last few weeks, and any
root server problems probably would have been dealt with.

Has anyone seen this before? It seems like a vulnerability that has not yet
been addressed. However, maybe it's just a vulnerability in DNS in general.
Any thoughts?
 
Guest

That is scary. Did you clear the client cache via ipconfig /flushdns, or did
you clear the DNS server cache via the DNS Management Console, where you have
to find the Cached Lookups folder, right-click and select Clear Cache? You
have to select View > Advanced to see the cached folder. Also, when you use
nslookup on a computer doing that, do all names [Yahoo.com, Microsoft.com,
etc.] resolve to the same IP address? I am wondering if it is a DNS client
or DNS server problem. --- Steve


"Chris" <chris23@ic-2000.com> wrote in message
news:luZxd.14261$n26.1929@fe10.lga...
> I posted this to the dns group, but thought it might be appropriate here
> too. I think this is a security issue as well:
>
> This morning one of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 DNS and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
> this hard to believe, however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
> situation. It appears that this has occurred to others over the last few
> weeks, and any root server problems probably would have been dealt with.
>
> Has anyone seen this before? It seems like a vulnerability that has not
> yet been addressed. However, maybe it's just a vulnerability in DNS in
> general. Any thoughts?
>
 

Chris


It was definitely the server. I tried ipconfig /flushdns first and that
didn't fix anything. It only cleared up after I cleared the cache in the
management console. It was happening on all clients using this DNS server
as well, of course. Everything resolved to the same IP except zones this server
serves.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:vE_xd.302355$R05.85785@attbi_s53...
> That is scary. Did you clear the client cache via ipconfig /flushdns, or
> did you clear the DNS server cache via the DNS Management Console, where
> you have to find the Cached Lookups folder, right-click and select Clear
> Cache? You have to select View > Advanced to see the cached folder. Also,
> when you use nslookup on a computer doing that, do all names [Yahoo.com,
> Microsoft.com, etc.] resolve to the same IP address? I am wondering if it
> is a DNS client or DNS server problem. --- Steve
 
Guest

OK. Well, I don't know the answer to what is going on, and you said you have
secure cache against pollution already selected. What might be interesting
is to configure your internal DNS server to either use root hints only or
forward to your ISP's DNS server only, to see if it makes a difference which
one you use to resolve your Internet names. If your ISP has multiple DNS
servers, try using a different DNS server than you are now. --- Steve


"Chris" <chris23@ic-2000.com> wrote in message
news:8S_xd.14270$6N6.4605@fe10.lga...
> It was definitely the server. I tried ipconfig /flushdns first and
> that didn't fix anything. It only cleared up after I cleared the cache in
> the management console. It was happening on all clients using this DNS
> server as well, of course. Everything resolved to the same IP except zones
> this server serves.
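As an added example (not code from this thread, from Microsoft, or from any of the posters), here is a PowerShell script that does what Steve suggests above: it resolves a list of well-known names against the suspect Windows DNS server and against an independent reference resolver, leaves out names in zones the server is authoritative for (those come from zone data, not the cache, which is why they stayed correct in Chris's case), flags the "everything resolves to one IP" pattern, and can flush the server-side cache. The server addresses, the zone list and the test names are placeholders. It assumes Resolve-DnsName and Clear-DnsServerCache, which ship with Windows 8 / Server 2012 and later; Windows 2000 has neither, and the equivalent server-cache flush there is dnscmd <server> /clearcache from the Support Tools.

```powershell
# Added example, not from the original thread or from Microsoft.
# Checks a Windows DNS server for the symptom described above (every external
# name resolving to one IP) by comparing it against an independent resolver,
# and optionally flushes the server-side cache. All addresses, the zone list
# and the test names are placeholders (RFC 5737 documentation ranges).
#
# Assumes the DnsClient module (Resolve-DnsName) and DnsServer module
# (Clear-DnsServerCache): Windows 8 / Server 2012 and later. On Windows 2000
# the equivalent flush is "dnscmd <server> /clearcache" from the Support Tools.
param(
    [string]   $SuspectServer   = '192.0.2.53',     # placeholder: internal Windows DNS server
    [string]   $ReferenceServer = '198.51.100.53',  # placeholder: independent resolver to compare against
    [string[]] $AuthZones       = @('example.com'), # placeholder: zones the suspect server hosts itself
    [string[]] $TestNames       = @('www.yahoo.com', 'www.microsoft.com', 'www.google.com', 'www.example.net'),
    [switch]   $ClearCacheIfPoisoned
)

function Resolve-A {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only the target server's answer counts.
        $answers = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        @($answers | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress | Sort-Object)
    } catch {
        @()   # NXDOMAIN, timeout or SERVFAIL: treat as "no answer"
    }
}

# Names in zones the server is authoritative for are answered from zone data, not the
# cache, so they stay correct even when the cache is polluted; exclude them from the test.
$external = $TestNames | Where-Object {
    $name = $_
    -not ($AuthZones | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") })
}

$results = foreach ($name in $external) {
    [pscustomobject]@{
        Name      = $name
        Suspect   = (Resolve-A -Name $name -Server $SuspectServer)   -join ','
        Reference = (Resolve-A -Name $name -Server $ReferenceServer) -join ','
    }
}
$results | Format-Table -AutoSize

# Symptom 1: one identical answer set for every external name (what Chris observed).
$answered  = @($results | Where-Object { $_.Suspect })
$distinct  = @($answered | Select-Object -ExpandProperty Suspect -Unique)
$collapsed = ($answered.Count -gt 1 -and $distinct.Count -eq 1)

# Symptom 2: the suspect disagrees with the reference on a majority of names.
# A few mismatches are normal (CDNs, round-robin), hence the threshold.
$compared    = @($results | Where-Object { $_.Suspect -and $_.Reference })
$mismatches  = @($compared | Where-Object { $_.Suspect -ne $_.Reference }).Count
$mostlyWrong = ($compared.Count -gt 0 -and $mismatches -ge [math]::Ceiling($compared.Count / 2))

if ($collapsed -or $mostlyWrong) {
    Write-Warning "Cache on $SuspectServer looks polluted (collapsed=$collapsed, mismatches=$mismatches/$($compared.Count))"
    if ($ClearCacheIfPoisoned) {
        # Server-side flush. "ipconfig /flushdns" only clears a client's resolver cache,
        # which is why it did not help in the thread.
        Clear-DnsServerCache -ComputerName $SuspectServer -Force
        Write-Host "Cleared server cache on $SuspectServer; re-run to confirm recovery."
    }
} else {
    Write-Host "No cache-pollution symptom seen on $SuspectServer."
}
```

Run it from a management host as `.\Check-DnsCache.ps1 -ClearCacheIfPoisoned` (the file name is whatever you save it as). Two caveats for anyone reusing this: the comparison against a second resolver is the real check, because "secure cache against pollution" only discards records that fall outside the domain being queried and does nothing to authenticate the answers that are in-domain; and the script detects the symptom after the fact, so the cached records should be inspected (as Roger asks below) before they are flushed if you want to know what was planted.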
 

Chris


Well, it's working fine now that I cleared the DNS server cache in the
management console. The root hints are correct. I'm thinking of forwarding
requests to my Unix box because this has only happened to the Windows 2000
server. But my concern is that I have no idea how this kind of problem
happened in the first place...

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:do%xd.235585$V41.180494@attbi_s52...
> OK. Well, I don't know the answer to what is going on, and you said you have
> secure cache against pollution already selected. What might be
> interesting is to configure your internal DNS server to either use root
> hints only or forward to your ISP's DNS server only, to see if it makes a
> difference which one you use to resolve your Internet names. If your ISP
> has multiple DNS servers, try using a different DNS server than you are
> now. --- Steve
 
Guest

Before you cleared the DNS server cache, did you examine it?
If so, what was there? (Just enable the advanced view to get the cache
node listed in the DNS management tree.)

--
Roger

"Chris" <chris23@ic-2000.com> wrote in message
news:ZE%xd.14277$i77.9646@fe10.lga...
> Well, it's working fine now that I cleared the DNS server cache in the
> management console. The root hints are correct. I'm thinking of forwarding
> requests to my Unix box because this has only happened to the Windows 2000
> server. But my concern is that I have no idea how this kind of problem
> happened in the first place...
 
Guest

In the TCP/IP configuration settings of these Windows DNS servers, what
addresses did you populate them with? ISP address? Their own address?
Other DNS server address?

"Chris" <chris23@ic-2000.com> wrote in message
news:luZxd.14261$n26.1929@fe10.lga...
> I posted this to the dns group, but thought it might be appropriate here
> too. I think this is a security issue as well:
>
> This morning one of our DNS servers started responding to all requests with
> the same IP address. The only exceptions were sites that the server was
> authoritative for. I fixed it by clearing the cache, but I have to wonder
> how this is happening. This server runs Windows 2000 DNS and has the
> "secure cache against pollution" option set (and I confirmed it in the
> registry).
>
> I contacted Microsoft and they had no idea what might be happening. They
> thought that one of the root servers may have been compromised. I find
> this hard to believe, however. I found this link on the web:
> http://www.atsnn.com/story/105049.html which describes a similar
> situation. It appears that this has occurred to others over the last few
> weeks, and any root server problems probably would have been dealt with.
>
> Has anyone seen this before? It seems like a vulnerability that has not
> yet been addressed. However, maybe it's just a vulnerability in DNS in
> general. Any thoughts?
>