Re: DNS Poisoning, pharming, pollution
- From: "Jerry" <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 29 Jun 2005 13:30:40 -0700
I had investigated this before, but I need to reread it again to see if I
can gather anything else from it. My recollection was that since I'm
running Windows 2003 and have the "secure cache against pollution" setting
on, the next thing to look for would be a malicious program on the server.
I haven't done that yet because other priorities have superseded this for
right now, and since I cleared the cache last, the incorrect DNS entries
haven't reappeared, yet. Once I'm able to get back on this, I'll post any
findings or questions.
Thanks for your help,
Jerry
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
message news:OcHlCOHeFHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
> In news:O4ABI$rdFHA.620@xxxxxxxxxxxxxxxxxxxx,
> Jerry <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
> > Hi,
> >
> > I'm running Windows 2003 and have 4 DNS servers set up on the network.
> > Every server is configured with our ISP's DNS resolvers as forwarders.
> > About 2 weeks ago, users trying to go to microsoft.com, google.com,
> > and some other sites were getting redirected to a "search" page that
> > didn't look very trustworthy. I ran a ping on the names and received
> > addresses in the 67.15.35.* block. After blocking web traffic to this class C at the
> > firewall and reading several topics on the subject, I cleared the
> > cache on all 4 DNS servers, and haven't seen any signs of
> > misdirection until today. Today, it is azcentral.com (a local TV
> > station website) that is being misdirected. Two weeks ago, I assumed
> > that the faulty records were coming from the ISP, but now I don't
> > think that's true. The "secure cache against pollution" setting is
> > on (as it is by default), but I have read that vulnerabilities may
> > still exist. Unfortunately, I'm not sure how to protect my network
> > further. I've read that certain versions of BIND have
> > vulnerabilities, but I don't think we're running BIND. I'm no DNS
> > expert, so please bear with me. It appears the attacks are coming
> > from within, and possibly from an infected client(?). Could someone
> > lead me to some information that might help me locate the source of
> > the attacks and how to stop them?
> >
> > Thank you,
> > Jerry
>
> See if this helps. It seems to be a prevalent issue lately, although I've
> heard it seems to have subsided. You may not be using BIND, but the
> forwarders may well be BIND.
>
> SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert
> System - Current Infosec News and Analysis:
> http://isc.sans.org/presentations/dnspoisoning.php
>
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
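As an added illustration (not code from the thread or from Microsoft), the Python below models what the "secure cache against pollution" setting discussed above does: it discards records whose owner name falls outside the queried zone (the bailiwick check) and then flags any surviving A record that lands in the 67.15.35.0/24 block Jerry reported. The reply data, zone names and addresses are constructed with documentation ranges; the real filtering is done inside the Windows DNS service, and this shows only the principle.

```python
import ipaddress

SUSPECT_NET = ipaddress.ip_network("67.15.35.0/24")  # block reported in the thread

def in_bailiwick(owner, zone):
    """Owner name is the zone apex or a name beneath it (case-insensitive)."""
    owner, zone = owner.rstrip(".").lower(), zone.rstrip(".").lower()
    return owner == zone or owner.endswith("." + zone)

def secure_cache(reply):
    """Mimic 'secure cache against pollution': keep only records whose owner
    lies inside the queried zone; anything else is discarded instead of cached."""
    return [r for r in reply["records"] if in_bailiwick(r["owner"], reply["zone"])]

def suspect_answers(records):
    """Flag cached A records that resolve into the suspect block."""
    return [(r["owner"], r["rdata"]) for r in records
            if r["type"] == "A" and ipaddress.ip_address(r["rdata"]) in SUSPECT_NET]

# Constructed forwarder replies (documentation addresses, not real records).
REPLIES = [
    {"query": "www.example.com", "zone": "example.com", "records": [
        {"owner": "www.example.com", "type": "A", "rdata": "192.0.2.10", "section": "answer"},
        {"owner": "example.com", "type": "NS", "rdata": "ns1.example.com", "section": "authority"},
        {"owner": "ns1.example.com", "type": "A", "rdata": "192.0.2.53", "section": "additional"},
        # Unrelated glue smuggled into the additional section: classic cache pollution.
        {"owner": "www.example.net", "type": "A", "rdata": "67.15.35.9", "section": "additional"},
    ]},
    {"query": "www.example.org", "zone": "example.org", "records": [
        # Forged answer for the name actually asked about: in bailiwick, so not filtered.
        {"owner": "www.example.org", "type": "A", "rdata": "67.15.35.20", "section": "answer"},
    ]},
]

def audit(replies=REPLIES):
    """Return (owner names dropped by the bailiwick filter, flagged cached answers)."""
    dropped, flagged = [], []
    for reply in replies:
        kept = secure_cache(reply)
        dropped += [r["owner"] for r in reply["records"] if r not in kept]
        flagged += suspect_answers(kept)
    return dropped, flagged

if __name__ == "__main__":
    d, f = audit()
    print("discarded by bailiwick check:", d)
    print("still cached and suspicious:", f)
```

The second constructed reply shows why the setting alone is not enough: a forged answer for the exact name that was queried is in bailiwick and gets cached, which is consistent with poisoned entries reappearing after a cache flush and is why the forwarders themselves, or a host on the inside, still need to be checked.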