Hacked? nslookup resolves wrong IP, name from another domain by duplicating .com.mx prefixes...


SammyBar

Hi,

I noticed I have a problem with our DNS server. We host our own domain. Let's
name it mydomain.com.mx. The DNS server is a Windows 2000 domain controller
that is located outside a firewall. It is also a domain controller for the
W2K Active Directory domain that comprises servers that are outside the
firewall. We also have an "inside" domain (I mean, it is located inside the
firewall) with its own W2K PDC and DNS server. This inside DNS is used for
Active Directory tasks but it is configured to forward DNS queries to the
outside internet-aware DNS server. It has been working for years without
major problems.
But recently I noticed when using nslookup someserver.mydomain.com.mx on any
of the PCs located on the outside firewall network segment (in the same
segment as the outside DNS server) the response is
someserver.mydomain.com.mx.com.mx.
The resolved IP address is not mine: it looks like the address is
provided by the owner of the com.mx.com.mx domain. It is very suspicious
that that domain resolves addresses for all names, even nonexistent ones I
request. For example,
nonexistentname.mydomain.com.mx is resolved as
nonexistentname.mydomain.com.mx.com.mx.
If I make the same query from any PC inside the firewall, the name
resolution works OK: the inner DNS server forwards the request to the outer and
this resolves someserver.mydomain.com.mx correctly if the name exists, and
fails to resolve if the host does not exist.
Another fact: if I run nslookup against another DNS server on the internet
(not from my ISP) the result is the same: from the outside network the
result is wrong, from the inside network the result is OK.
If doing the same test from another ISP, the results are OK.
From the cache on the DNS server, it looks like the owner of the mx.com.mx
domain is a DNS server named dns1.1108.com (63.147.61.207). It maps all the
requests to the domain mx.com.mx to the same IP: 63.147.61.208

Then I have some questions:

-What is wrong with my DNS server? Is it a wrong configuration which
duplicates the prefixes .com.mx on the requests I make?
-Is the owner of the mx.com.mx domain doing something suspicious by intercepting
my DNS requests and redirecting them to his server?
-Is it some kind of hacking?
-How do I correct it?

Any hint is welcome
Thanks in advance

Sammy
 

Mr. Backup

Wow... you just lost me in all of your wording.
Let me get this correct.

You have a domain (public) and (private) using the same domain.name.
Example: abc.com and abc.com both public and private.

You perform an nslookup inside of your (private) domain and all seems fine?
nslookup (then get response). This response should be from your DNS located
inside of your network.

Now when you perform an nslookup on the outside public network you get what
you're now calling wrong info?

(Q). On your registrant info, what do you have defined as your SOA
server(s)? What I am asking is: do you have a DNS server set up on the outside
(public) such as ns1.abc.com and ns2.abc.com? You need to have this, as
it will point back to whatever DNS server is to be managing your domain
name.
 

Kevin D. Goodknecht Sr. [MVP]

SammyBar said:
But recently I noticed when using nslookup someserver.mydomain.com.mx
on any of the PCs located on the outside firewall network segment (in
the same segment as
the outside DNS server) the response is
someserver.mydomain.com.mx.com.mx. The resolved IP address is not
mine:

Is this the IP:
com.mx.com.mx. 900 IN A 63.147.61.208

This is the key to your problem here, obviously your Primary DNS suffix is
mydomain.com.mx, correct?

In TCP/IP properties, on the DNS tab, clear the check box, "Append parent
suffixes of the Primary DNS suffix" Then com.mx will no longer be appended.
 

SammyBar

Is this the IP:
com.mx.com.mx. 900 IN A 63.147.61.208

This is the key to your problem here, obviously your Primary DNS suffix is
mydomain.com.mx, correct?

Yes, it is
In TCP/IP properties, on the DNS tab, clear the check box, "Append parent
suffixes of the Primary DNS suffix" Then com.mx will no longer be
appended.

Does not work. The problem remains.
 

SammyBar

You have a domain (public) and (private) using the same domain.name.
Example: abc.com and abc.com both public and private.
My public domain is mydomain.com.mx
My private domain is mydomain.net
You perform an nslookup inside of your (private) domain and all seems
fine?
nslookup (then get response). This response should be from your DNS
located inside of your network.
nslookup mailserver.mydomain.com.mx dnsserver.mydomain.net
returns a non-authoritative answer with the correct IP for
mailserver.mydomain.com.mx
dnsserver.mydomain.net is set up to forward DNS queries to
dnsserver.mydomain.com.mx
Now when you perform an nslookup on the outside public network you get what
you're now calling wrong info?
on the public network
nslookup mailserver.mydomain.com.mx dnsserver.mydomain.com.mx
returns:
Name: mailserver.mydomain.com.mx.com.mx
Address: wrong address from domain mx.com.mx
(Q). On your registrant info, what do you have defined as your SOA
server(s)? What I am asking is: do you have a DNS server set up on the
outside (public) such as ns1.abc.com and ns2.abc.com? You need to have
this, as it will point back to whatever DNS server is to be managing
your domain name.
SOA in my public DNS server is pdc.mydomain.com.mx.

Thanks for the response
Sammy
 

Kevin D. Goodknecht Sr. [MVP]

SammyBar said:
Yes, it is


Does not work. The problem remains.

Unfortunately, nslookup ignores this setting and appends parent suffixes
anyway. The only way you can get nslookup to append only your domain name
and not the parent suffixes is to create a custom DNS suffix search list
using only your domain name in the list.

Select "Append these suffixes (in order)" and enter domain.com.mx.
 

SammyBar

Select "Append these suffixes (in order)" and enter domain.com.mx.
Yes, it works, thanks a lot
 

Kevin D. Goodknecht Sr. [MVP]

Yes, and I would consider this another in a long list of nslookup bugs. The
DNS client service uses the setting, but nslookup bypasses the DNS client
service. (As it should)
 