Data mining from a nameserver?

Thread starter: Phil

If a Win2K server is running a public DNS server and has a firewall
permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
tell if unauthorised access is getting a list of domain names? e.g.
I've heard of http-tunnelling. Does the DNS server handle its own
temp logon like iusr_servername? The firewall logs are showing
outbound packets blocked to certain name servers from Winlogon
which doesn't have internet access as there are no remote servers.
Are there any other programs or services that should not have either
direct internet access or be able to access the internet via another
program or open process? I could do with some guidance because I
think a spammer has obtained info. Thanks, Phil
 
Phil said:
If a Win2K server is running a public DNS server and has a firewall
permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
tell if unauthorised access is getting a list of domain names? e.g.
I've heard of http-tunnelling. Does the DNS server handle its own
temp logon like iusr_servername? The firewall logs are showing
outbound packets blocked to certain name servers from Winlogon
which doesn't have internet access as there are no remote servers.
Are there any other programs or services that should not have either
direct internet access or be able to access the internet via another
program or open process? I could do with some guidance because I
think a spammer has obtained info. Thanks, Phil

I may be arguing symantics, but ...
Phil said:
unauthorised access is getting a list of domain names?

It is a public DNS server. That means if anybody wants to probe it for all
the machine names in your domain, they can. By making it public, you've
"authorized" access to everybody.

DNS does not require a login in order for someone to query the server. It is
a "read only" service. No need to fear.

Are those blocked outbound packets perhaps on Port 135-139? If so, it is the
result of several Windows services being successfully blocked from leaking
out to the Internet (just as they should be). It is all normal chatter.

http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp
Phil said:
direct internet access or be able to access the internet via another program
or open process?

Yeah, tons of them. Not just "regular" services either. Study up on
"spyware" and "malware" in addition to "viruses", "worms" and "trojans" if
you want to lose sleep.
 
--
Herb Martin


MyndPhlyp said:
I may be arguing symantics, but ...

Arguing "semantics" does make sense in many cases --
semantics is the study of MEANING. Arguing semantics
when the real issue is something else is, however, what
most people refer to when they criticise you for it.

So: Go for it.
Phil said:
unauthorised access is getting a list of domain names?

It is a public DNS server. That means if anybody wants to probe it for all
the machine names in your domain, they can. By making it public, you've
"authorized" access to everybody.

Actually I know of no way through normal DNS queries to get a
"list of domains" (in the sense of ZONES, since technically every DNS
name is a 'domain' in classical DNS terminology.)

You can of course do this with an RPC query or perhaps using some
tool provided with BIND but not through a normal DNS query on
an MS DNS server.

You can also specify that only allowed IP addresses can do zone
transfers (MMC), which disallows things like the "nslookup
list" command.

Finally, a public DNS server should ONLY have public services
so having someone discover them should just amount to "good
advertising."

(Don't allow your internal resources to appear in external DNS.)
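The check Herb describes above (whether a server hands out a whole zone to anyone who asks) can be verified from the outside with a raw AXFR request over TCP. The following is an added example, not code from the thread or from any of the posters: it builds the zone-transfer query by hand, sends it to a server, and classifies the first reply as a transfer being allowed, REFUSED, NOTAUTH or some other RCODE. The zone `example.com`, the server names and the two sample replies are constructed for illustration and are not captured from a real server. The server-side setting it tests corresponds to the "Allow zone transfers" options on the zone's properties tab in the DNS MMC (or `dnscmd <server> /ZoneResetSecondaries <zone> /NoXfr` from a command prompt).

```python
"""
Minimal AXFR (zone transfer) probe: confirm that a DNS server refuses to
list a whole zone to unauthorised clients.

Added example, not from the original thread. Assumption: a server that
restricts zone transfers answers an AXFR with RCODE 5 (REFUSED) or
RCODE 9 (NOTAUTH) rather than with the zone's records.
"""
import socket
import struct
import sys

# RCODE values from RFC 1035 and RFC 2136 (only the ones we care about)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}
QTYPE_AXFR = 252   # "transfer of an entire zone"
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS message (without the TCP length prefix) asking for AXFR of `zone`."""
    # header: ID, flags=0 (plain query, RD clear), QDCOUNT=1, others 0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def classify_axfr_response(msg: bytes) -> str:
    """'TRANSFER_ALLOWED' if the reply carries zone records, else the RCODE name."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "TRANSFER_ALLOWED"   # first message of the transfer (SOA) arrived
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send the AXFR query over TCP and classify the server's first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify_axfr_response(recv_exact(s, length))


# Constructed sample replies for offline use (not captured from a real server).
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

# A locked-down server: QR=1, RCODE=5 (REFUSED), question echoed, no answers.
CONSTRUCTED_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION

# An open server: QR=1, AA=1, RCODE=0 and one SOA answer starting the transfer.
_SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack("!IIIII", 2004010101, 3600, 600, 86400, 3600))
_SOA_RR = (b"\xc0\x0c"                                   # pointer to the question name
           + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(_SOA_RDATA))
           + _SOA_RDATA)
CONSTRUCTED_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
                       + _QUESTION + _SOA_RR)


if __name__ == "__main__":
    # usage: python axfr_probe.py <nameserver> <zone>
    if len(sys.argv) == 3:
        print(probe_axfr(sys.argv[1], sys.argv[2]))
    else:
        print("offline demo:", classify_axfr_response(CONSTRUCTED_REFUSED),
              classify_axfr_response(CONSTRUCTED_ALLOWED))
```

Run it against each public nameserver for each zone you host; anything other than REFUSED or NOTAUTH from an address that is not one of your own secondaries means the "list" that Phil is worried about is available to anyone. Note that this only covers AXFR; a server that refuses transfers still answers ordinary queries for every name it is authoritative for, which is the point Herb and the later poster make about public data.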
 
That's probably me not phrasing the question very well. Under normal circumstances,
a DNS server replies to requests for an IP address to a website or email delivery
requirement, normal port 53 stuff. The DNS server would only give out the relevant
info per the single request. I am referring to the gathering of a list of all
domain names
being hosted on the DNS server for other than the above normal usage.

Blocked packets were not 135 thru' 139, winlogon was trying to send packets out to a
nameserver which I know to be hostile.

Thanks for the link, I'll go lose some more sleep :-)

MyndPhlyp wrote:
[snip]
 
Thanks for your comments, RPC is closed to the internet. In that
case I'll divert my attentions to an IIS5 compromise. Zone records
are all set for no transfer, listing prevented. As per the original post,
there are only a handful of ports open so maybe http-tunnelling or
similar - back to the security review :-)

Herb Martin wrote:
Actually I know of no way through normal DNS queries to get a
"list of domains" (in the sense of ZONES, since technically every DNS
name is a 'domain' in classical DNS terminology.)

You can of course do this with an RPC query or perhaps using some
tool provided with BIND but not through a normal DNS query on
an MS DNS server.

You can also specify that only allowed IP addresses can do zone
transfers (MMC), which disallows things like the "nslookup
list" command.

Finally, a public DNS server should ONLY have public services
so having someone discover them should just amount to "good
advertising."

(Don't allow your internal resources to appear in external DNS.)
 
Phil said:
That's probably me not phrasing the question very well. Under normal circumstances,
a DNS server replies to requests for an IP address to a website or email delivery
requirement, normal port 53 stuff. The DNS server would only give out the relevant
info per the single request. I am referring to the gathering of a list of all
domain names
being hosted on the DNS server for other than the above normal usage.


Make sure you specify which IP are allowed "zone transfers"
if any -- not quite what you are discussing but it's a good
practice too.
 
Phil said:
That's probably me not phrasing the question very well.
Under normal circumstances,
a DNS server replies to requests for an IP address to a
website or email delivery
requirement, normal port 53 stuff. The DNS server would
only give out the relevant
info per the single request. I am referring to the
gathering of a list of all
domain names
being hosted on the DNS server for other than the above
normal usage.

Blocked packets were not 135 thru' 139, winlogon was
trying to send packets out to a
nameserver which I know to be hostile.

Thanks for the link, I'll go lose some more sleep :-)

If your firewall was not logging 135 and 139 hits and the user was able to
get to Winlogon, that tells me you need to check your firewall configuration. At
least your firewall is preventing winlogon from getting out.

The only explanation I can think of is a Trojan trying to set up the
connection. Then someone is trying to use dnscmd to enumerate the zones.
 
Thanks for the input, zones are marked transfer to nameservers on tab only.
I'm running anti-virus, trojan, malware, spyware programs and coming up
clean every day. Firewall handles specific access in/out bound on a per
program, or even component, basis and I'm keeping an eye on that.

One thing comes to mind, I'm in the process of cleaning up a lost container
in AD and I've found that AD still has the old IP address of the lost server,
so could it be AD trying to contact this old IP?

Kevin D. Goodknecht Sr. [MVP] wrote:

[snip]
 
Phil said:
Thanks for the input, zones are marked transfer to nameservers on tab only.
I'm running anti-virus, trojan, malware, spyware programs and coming up
clean every day. Firewall handles specific access in/out bound on a per
program, or even component, basis and I'm keeping an eye on that.

One thing comes to mind, I'm in the process of cleaning up a lost container
in AD and I've found that AD still has the old IP address of the lost server,
so could it be AD trying to contact this old IP?

Yes, the other DCs will still be trying to read it.

Search Google for:

[ DC domain ntdsutil "metadata cleanup" site:microsoft.com ]

or

[ DC domain ntdsutil "metadata cleanup" microsoft: ]

The latter searches Google's web wide MS "collection" while
the former searches just the MS site.


--
Herb Martin

Kevin D. Goodknecht Sr. [MVP] wrote:

[snip]
If your firewall was not logging 135 and 139 hits and the user was able to
get to Winlogon, that tells me you need to check your firewall configuration. At
least your firewall is preventing winlogon from getting out.

The only explanation I can think of is a Trojan trying to set up the
connection. Then someone is trying to use dnscmd to enumerate the zones.
 
P> If a Win2K server is running a public DNS server and has a firewall
P> permitting only 'normal' ports like 25, 53, 80, 119 etc, how can I
P> tell if unauthorised access is getting a list of domain names?

If you have a DNS server providing public content DNS service, then
there is no such thing as unauthorised access to the data that it
publishes, and your question is without meaning. Public content DNS
service is publication of all of the data in one's DNS database. If you
don't want your data to be public, you shouldn't be publishing them in
the first place.
 