DNS spoofing - security problems...

  • Thread starter Thread starter Chris
  • Start date Start date
C

Chris

This morning on of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 dns and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).

I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occured to others over the last few weeks, and any
root server problems probably would have been dealt with.

Has anyone seen this before. It seems like a vulnerability that has not yet
been addressed. However, maybe its just a vulnerability in DNS in general.
Any thoughts?
 
Chris said:
This morning on of our DNS servers started responding to all requests with
the same IP address. The only exceptions were sites that the server was
authoritative for. I fixed it by clearing the cache, but I have to wonder
how this is happening. This server runs Windows 2000 dns and has the
"secure cache against pollution" option set (and I confirmed it in the
registry).
Click to expand...

One wonders:

1) Do you have block Cache Polution (in Advance) enabled

2) Do you know what your Forwarder (ISP or whatever) if
any is doing?

3) How do your Root Hints look?

I contacted Microsoft and they had no idea what might be happening. They
thought that one of the root servers may have been compromised. I find this
hard to believe however. I found this link on the web:
http://www.atsnn.com/story/105049.html which describes a similar situation.
It appears that this has occured to others over the last few weeks, and any
root server problems probably would have been dealt with.

Has anyone seen this before. It seems like a vulnerability that has not yet
been addressed. However, maybe its just a vulnerability in DNS in general.
Any thoughts?
Click to expand...
[/QUOTE]
 
The cache pollution is box was checked (and it was before this happened). I
don't have a forwarder set, and I double checked the root hints and they
match another list I found online.
 
Chris said:
The cache pollution is box was checked (and it was before this happened). I
don't have a forwarder set, and I double checked the root hints and they
match another list I found online.
Click to expand...

Darn. I was hoping it was going to be easy.

How about monitoring outgoing requests using
debug logging (in the DNS server properties) and
try to get an idea of where these addresses are
originating....
 
Next time around we really need to get info on what is in the cache,
as obviously that is the source of propagation to your clients.
 
Yeah, I know. I wish I didn't clear it before taking a look at its
contents. If it happens again, I definately will take a look at it.
 
In Chris <[email protected]> made a post then I commented below
:: The cache pollution is box was checked (and it was before this
:: happened). I don't have a forwarder set, and I double checked the
:: root hints and they match another list I found online.

IIRC, the last time I saw this happening, a forwarder took care of it. There
was another issue where a spyware piece was constantly querying
doubleclick.net's nameservers, which are misconfigured, and causing Event ID
5504 errors. When the admin blocked all of their nameservers at the
firewall, the errors stopped.

What Event ID are you getting?


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Back
Top