Re: DNS cache corruption (poisoning)
- From: "Kevin Nickell" <knickell@xxxxxxxxxx>
- Date: Fri, 22 Apr 2005 15:45:33 GMT
An added aside. I have conversed with Jothan Frakes since and it is obvious
he is not behind this attack, just an unfortunate victim.
<bntjnk@xxxxxxxxx> wrote in message
news:1112740107.164401.77630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> You might be interested in the following link:
> http://isc.sans.org/presentations/dnspoisoning.php
>
> SANS raised their warning level due to this problem today, 5 April, 05.
>
> Only seems to affect Windows DNS servers.
>
> B
>
> Kevin Nickell wrote:
>> Thanks. I will try that. Microsoft also has us running a bunch of kernel
>> scanners to see if the local machine has been compromised. No Spyware,
>> Adware or viral activity is found. Nothing in any task scheduler. No
>> unknown processes or services running....
>>
>> Weird.
>>
>> Kevin
>>
>> "Brian S. Bergin" <net.terabyte@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:aku451tkceg2eroef6hte8clvtkgelaimc@xxxxxxxxxx
>> > "Microsoft support" <knickell@xxxxxxxxxx> wrote:
>> >
>> >>I have a horribly confusing problem. Have a client who three times in the
>> >>last week has had every entry in their DNS cache on a Windows 2000 server
>> >>set to the same IP address. The address, all three times, resolves to
>> >>www.jothan.com. Every website not resolved directly by the internal DNS
>> >>server redirects to jothan.com. The reason I worry about this is that this
>> >>is a site run by Jothan Frakes who is a DNS TLD expert influential with
>> >>ICANN. If I simply clear the DNS cache, it is not fixed and the cache sets
>> >>every entry back to the IP of www.jothan.com. If I restart the DNS server,
>> >>then clear the cache it is fine for a day or so.
>> >>
>> >>The second worry I have is that this issue started first thing the morning
>> >>of April Fools' Day.
>> >>
>> >>Anyone with any idea whatsoever? They are using root hints and we switched
>> >>to forwarders, just in case.
>> >>
>> >>Kevin Nickell
>> >>
>> >
>> > Have you enabled DNS Cache Pollution protection? In the DNS MMC,
>> > right click on the server name, Properties, Advanced, "Secure Against
>> > DNS Cache Pollution".
>> >
>> > Sincerely,
>> > Brian S. Bergin
>> > Terabyte Computers, Inc.
>> >
>> > Please post replies here so everyone may benefit.
>> >
>> > NOTICE: Use of this information is contingent upon acceptance of Paragraph
>> > 17 of Terabyte's Terms and conditions located at
>> > http://terabyte.net/terms.htm#postings.
>
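The symptom described in this thread (cached names from unrelated domains all pointing at one address) can be checked for mechanically. The following is an added example, not code from any poster in the thread; the "name TTL A address" dump layout, the function names and the thresholds are assumptions, and the sample data is constructed using documentation-range addresses.

```python
from collections import defaultdict

# Constructed sample in a simplified "name TTL A address" layout (an assumed
# layout, not the exact output of any DNS server tool).
POISONED_DUMP = """\
; constructed sample, not real cache data
www.example.com.        3600 A 192.0.2.10
www.example.net.        3600 A 192.0.2.10
www.example.org.        3600 A 192.0.2.10
mail.example.edu.       3600 A 192.0.2.10
news.example.info.      3600 A 192.0.2.10
shop.example.biz.       3600 A 192.0.2.10
intranet.corp.example.  1200 A 10.0.0.5
"""

def parse_a_records(dump):
    """Yield (name, address) per A record; skip comments and other types."""
    for line in dump.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[2].upper() == "A":
            yield fields[0].lower().rstrip("."), fields[3]

def find_collapsed_cache(dump, min_names=5, share=0.8):
    """Return (address, names) when one address answers for most cached
    names across several unrelated parent domains, else None."""
    names_by_addr = defaultdict(set)
    for name, addr in parse_a_records(dump):
        names_by_addr[addr].add(name)
    all_names = set().union(*names_by_addr.values())
    if len(all_names) < min_names:
        return None  # too little data to judge
    addr, names = max(names_by_addr.items(), key=lambda kv: len(kv[1]))
    # Hosts under one parent domain often share an address legitimately
    # (virtual hosting), so also require several distinct parent domains.
    parents = {".".join(n.split(".")[-2:]) for n in names}
    if len(names) / len(all_names) >= share and len(parents) >= min_names:
        return addr, sorted(names)
    return None

if __name__ == "__main__":
    hit = find_collapsed_cache(POISONED_DUMP)
    if hit:
        print(f"ALERT: {len(hit[1])} names resolve to {hit[0]}")
```

Run against periodic cache exports, a hit is a cue to check the server's cache-pollution setting and clear the cache; a clean result does not rule out poisoning of individual records.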