Re: DNS Poisoning, pharming, pollution



In news:O4ABI$rdFHA.620@xxxxxxxxxxxxxxxxxxxx,
Jerry <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
Hi,

I'm running Windows 2003 and have 4 DNS servers set up on the network.
Every server is configured with our ISP's DNS resolvers as forwarders.
About 2 weeks ago, users trying to go to microsoft.com, google.com, and
some other sites were getting redirected to a "search" page that didn't
look very trustworthy.  I ran a ping on the names and received addresses
in the 67.15.35.* block.  After blocking web traffic to this class C at
the firewall and reading several topics on the subject, I cleared the
cache on all 4 DNS servers, and haven't seen any signs of misdirection
until today.  Today, it is azcentral.com (a local TV station website)
that is being misdirected.  Two weeks ago, I assumed that the faulty
records were coming from the ISP, but now I don't think that's true.
The "secure cache against pollution" setting is on (as it is by
default), but I have read that vulnerabilities may still exist.
Unfortunately, I'm not sure how to protect my network further.  I've
read that certain versions of BIND have vulnerabilities, but I don't
think we're running BIND.  I'm no DNS expert, so please bear with me.
It appears the attacks are coming from within, and possibly from an
infected client(?).  Could someone lead me to some information that
might help me locate the source of the attacks and how to stop them?

Thank you,
 Jerry

See if this helps. It seems to be a prevalent issue lately, although I've heard it seems to have subsided. You may not be using BIND, but the forwarders may well be BIND.


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis:
http://isc.sans.org/presentations/dnspoisoning.php




--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
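An added example, not part of Ace's reply or Jerry's post: a small resolver cross-check that asks each internal DNS server (and, optionally, the ISP forwarders) for the names Jerry mentioned, flags any answer that lands in the 67.15.35.0/24 block he saw, and flags a server whose answer no other server agrees with. It builds and parses the DNS messages by hand so the transaction-ID check that a poisoned-response attack has to defeat is visible in the code. It also sends the CHAOS-class `version.bind` TXT query that many BIND servers answer, which is one way to test Ace's point that the forwarders may be BIND (servers can be configured to hide it, so an empty answer proves nothing). The resolver addresses in `INTERNAL_RESOLVERS` and `ISP_FORWARDERS` are placeholders, and `build_response` produces a constructed response used only for the offline demonstration.

```python
"""Cross-check A answers from several resolvers and flag bad or disagreeing ones.
Standard library only; DNS messages are built and parsed by hand."""
import ipaddress
import random
import socket
import struct

# Block the bogus answers came from in the post; extend with others as you find them.
SUSPECT_NETS = [ipaddress.ip_network("67.15.35.0/24")]
# Placeholder addresses (assumption) standing in for the four internal servers and the
# ISP forwarders; replace with the real ones.
INTERNAL_RESOLVERS = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
ISP_FORWARDERS = ["203.0.113.1", "203.0.113.2"]
NAMES = ["microsoft.com", "google.com", "azcentral.com"]

QTYPE_A, QTYPE_TXT, QCLASS_IN, QCLASS_CH = 1, 16, 1, 3


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(txid, name, qtype=QTYPE_A, qclass=QCLASS_IN):
    # flags 0x0100: standard query with recursion desired
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", qtype, qclass))


def build_response(txid, name, ips, ttl=300):
    """Constructed A-record response shaped like a real one (0xc00c pointer back to the
    question name).  Only used for the offline demonstration."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in ips)
    return hdr + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN) + rrs


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in-line)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg, expected_txid):
    """Return [(name, rtype, value, ttl)] from the answer section.  A response whose
    ID does not match the query is rejected, the check an attacker must beat by guessing."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: got %#x, expected %#x" % (txid, expected_txid))
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            out.append((name, rtype, str(ipaddress.IPv4Address(rdata)), ttl))
        elif rtype == QTYPE_TXT and rdlen:          # length-prefixed string, e.g. version.bind
            out.append((name, rtype, rdata[1:1 + rdata[0]].decode("ascii", "replace"), ttl))
    return out


def query(resolver, name, qtype=QTYPE_A, qclass=QCLASS_IN, timeout=3.0):
    """Send one UDP query with a random ID and parse the reply (network access)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, name, qtype, qclass), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_answers(data, txid)


def classify(answers_by_resolver, suspect_nets=SUSPECT_NETS):
    """answers_by_resolver: {resolver: set(ip)} for one name.  'suspect' if any address
    is in a known-bad block, 'outlier' if no other resolver shares an address, else 'ok'."""
    verdicts = {}
    for resolver, ips in answers_by_resolver.items():
        if any(ipaddress.ip_address(ip) in net for ip in ips for net in suspect_nets):
            verdicts[resolver] = "suspect"
            continue
        others = set().union(*(v for k, v in answers_by_resolver.items() if k != resolver))
        verdicts[resolver] = "ok" if (ips & others or len(answers_by_resolver) == 1) else "outlier"
    return verdicts


if __name__ == "__main__":
    for name in NAMES:
        seen = {}
        for r in INTERNAL_RESOLVERS:
            try:
                seen[r] = {v for _n, t, v, _ttl in query(r, name) if t == QTYPE_A}
            except (OSError, ValueError) as e:
                print("%s %s: %s" % (r, name, e))
        for r, verdict in classify(seen).items():
            print("%-15s %-15s %-8s %s" % (r, name, verdict, sorted(seen[r])))
    for fwd in ISP_FORWARDERS:                      # does the forwarder admit to being BIND?
        try:
            print(fwd, "version.bind:", [v for _n, t, v, _ttl in query(fwd, "version.bind", QTYPE_TXT, QCLASS_CH)])
        except (OSError, ValueError) as e:
            print(fwd, "version.bind:", e)
```

Run it from a machine that can reach all four servers directly (not through the one being tested). A server marked "suspect" or "outlier" is the one whose cache to dump and inspect first; a name that comes back clean from the ISP forwarders but bad from one internal server points at that server or something on the LAN answering ahead of it, which fits Jerry's suspicion that the source is internal.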

