DNS cache corruption


Microsoft support

I have a horribly confusing problem. Have a client who three times in the
last week has had every entry in their DNS cache on a Windows 2000 server
set to the same IP address. The address, all three times, resolves to
www.jothan.com. Every website not resolved directly by the internal DNS
server redirects to jothan.com. The reason I worry about this is that this
is a site run by Jothan Frakes, who is a DNS TLD expert influential with
ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
every entry back to the IP of www.jothan.com. If I restart the DNS server,
then clear the cache, it is fine for a day or so.

The second worry I have is that this issue started first thing on the morning
of April Fools' Day.

Anyone with any idea whatsoever? They are using root hints and we switched
to forwarders, just in case.

Kevin Nickell
 

Have you enabled DNS Cache Pollution protection? In the DNS MMC,
right click on the server name, Properties, Advanced, "Secure Against
DNS Cache Pollution".

Sincerely,
Brian S. Bergin
Terabyte Computers, Inc.

Please post replies here so everyone may benefit.

NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
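The two ideas in this thread, the symptom (nearly every cached A record pointing at one address) and the mitigation Brian suggests (the server only caches records that belong to the domain tree it actually asked about, which is what "Secure Against DNS Cache Pollution" enforces), can both be expressed as small checks. The following is an added example written for this thread, not code from either poster or from Microsoft; the cache-dump format and the domain names in it are constructed for illustration and are not the real output of the Windows 2000 DNS server.

```python
"""Added example: two checks related to the thread above.

1. cache_monoculture(): flag a DNS cache in which one address holds most
   of the A records (the symptom reported in the first post).
2. filter_out_of_bailiwick(): the rule behind "Secure Against DNS Cache
   Pollution": keep only records whose name lies inside the zone that the
   query was for, and discard the rest before they reach the cache.
"""
from collections import Counter

# Constructed cache dump, one record per line: "<name> <ttl> <type> <data>".
# This is an assumed, simplified format, not the exact output of dnscmd.
SAMPLE_CACHE = """\
www.example.com. 3600 A 192.0.2.10
mail.example.net. 1800 A 192.0.2.10
www.example.org. 600 A 192.0.2.10
ns1.example.com. 86400 A 198.51.100.5
a.root-servers.net. 3600 A 198.41.0.4
"""


def parse_cache(dump):
    """Parse the simplified dump into (name, ttl, type, data) tuples."""
    records = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        name, ttl, rtype, data = parts
        records.append((name.lower().rstrip("."), int(ttl), rtype.upper(), data))
    return records


def cache_monoculture(records, threshold=0.5):
    """Return (address, share) if one IP holds at least `threshold` of all
    cached A records, otherwise None. A healthy cache spreads across many
    addresses; one address owning most of it is the symptom in the post."""
    addrs = Counter(data for _, _, rtype, data in records if rtype == "A")
    total = sum(addrs.values())
    if total == 0:
        return None
    addr, n = addrs.most_common(1)[0]
    share = n / total
    return (addr, share) if share >= threshold else None


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it in the DNS tree."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_out_of_bailiwick(queried_zone, response_records):
    """Split a response into records the server may cache (inside the zone
    it asked about) and records it must drop (outside that tree). Dropping
    the second group is what the cache-pollution setting does."""
    kept, dropped = [], []
    for rec in response_records:
        (kept if in_bailiwick(rec[0], queried_zone) else dropped).append(rec)
    return kept, dropped


if __name__ == "__main__":
    recs = parse_cache(SAMPLE_CACHE)
    print("monoculture:", cache_monoculture(recs))
    # Constructed response to a query in example.com carrying a stray
    # record for another domain, as a poisoning attempt would.
    resp = [
        ("www.example.com.", 300, "A", "192.0.2.1"),
        ("ns1.example.com.", 86400, "A", "198.51.100.5"),
        ("www.example.net.", 300, "A", "203.0.113.9"),
    ]
    kept, dropped = filter_out_of_bailiwick("example.com", resp)
    print("kept:", kept)
    print("dropped:", dropped)
```

Run against a real cache dump, `cache_monoculture` would have lit up in the case described above (three of the five constructed records share one address, a 0.6 share). The bailiwick filter shows why the setting helps: a response for a name under example.com cannot plant an address for a name outside that tree, so an answer from an upstream server that tries to do so never reaches the cache.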
 
Thanks. I will try that. Microsoft also has us running a bunch of kernel
scanners to see if the local machine has been compromised. No spyware,
adware or viral activity is found. Nothing in any task scheduler. No
unknown processes or services running....

Weird.

Kevin
 
An added aside. I have conversed with Jothan Frakes since and it is obvious
he is not behind this attack, just an unfortunate victim.
 