Re: DNS Poisoning, pharming, pollution



"Jerry" <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uv1ZrlOfFHA.3316@xxxxxxxxxxxxxxxxxxxxxxx
> I had investigated this before, but I need to reread it again to see if I
> can gather anything else from it. My recollection was that since I'm
> running Windows 2003 and have the "secure cache against pollution" setting
> on, the next thing to look for would be a malicious program on the server.
> I haven't done that yet because other priorities have superseded this for
> right now, and since I cleared the cache last, the incorrect DNS entries
> haven't reappeared, yet. Once I'm able to get back on this, I'll post any
> findings or questions.

I am coming into this late in the thread so please forgive any
duplicate questions or those that have already been answered.

Are you using any forwarders? Forwarders (themselves) can
be polluted and securing the cache cannot protect you from that
since in some sense the DNS server must trust the forwarder.

(It's a little more complicated than that but this is the usual effect.)

Second, are you sure the CACHE is polluted? Can you see the
wrong entries in the cache? Do you know how to find the correct
entries manually? (Working with something like NSLookup down
from the root to the authoritative server for the "correct" answer...)

Here are some of the relevant nameservers:

Microsoft: ns5.msft.net 207.46.138.20
Google: ns1.google.com 216.239.32.10

Try to localize the problem first -- client side, DNS server, forwarder,
etc. If it is client side continue your checks for Hosts, viruses, etc. or
similar checks if it is DNS server side (but hosts file won't matter there
unless client and server are the same machine.)

Also if it is in your cache and you cannot locate the source, consider
enabling DEBUG logging for outbound UDP requests and for the
corresponding inbound UDP responses.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> Thanks for your help,
> Jerry
>
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
> message news:OcHlCOHeFHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
> > In news:O4ABI$rdFHA.620@xxxxxxxxxxxxxxxxxxxx,
> > Jerry <jerry.giacinto@xxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
> > > Hi,
> > >
> > > I'm running Windows 2003 and have 4 DNS servers setup on the network.
> > > Every server is configured with our ISP's DNS resolvers as forwarders.
> > > About 2 weeks ago, users trying to go to microsoft.com, google.com,
> > > and some other sites were getting redirected to a "search" page that
> > > didn't look very trustworthy. I ran a ping on the names and received
> > > addresses in the
> > > 67.15.35.* block. After blocking web traffic to this class C at the
> > > firewall and reading several topics on the subject, I cleared the
> > > cache on all 4 DNS servers, and haven't seen any signs of
> > > misdirection until today. Today, it is azcentral.com (a local TV
> > > station website) that is being misdirected. Two weeks ago, I assumed
> > > that the faulty records were coming from the ISP, but now I don't
> > > think that's true. The "secure cache against pollution" setting is
> > > on (as it is by default), but I have read that vulnerabilities may
> > > still exist. Unfortunately, I'm not sure how to protect my network
> > > further. I've read that certain versions of BIND have
> > > vulnerabilities, but I don't think we're running BIND. I'm no DNS
> > > expert, so please bear with me. It appears the attacks are coming
> > > from within, and possibly from an infected client(?). Could someone
> > > lead me to some information that might help me locate the source of
> > > the attacks and how to stop them?
> > >
> > > Thank you,
> > > Jerry
> >
> > See if this helps. It seems to be a prevalent issue lately, although I've
> > heard it seems to have subsided. You may not be using BIND, but the
> > forwarders may well be BIND.
> >
> > SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert
> > System - Current Infosec News and Analysis:
> > http://isc.sans.org/presentations/dnspoisoning.php
> >
> >
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroups
> > so all can benefit.
> >
> > This posting is provided "AS-IS" with no warranties or guarantees
> > and confers no rights.
> >
> > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> > Microsoft Windows MVP - Windows Server - Directory Services
> > Infinite Diversities in Infinite Combinations.
> > =================================
> >
>
>
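Herb's suggestion above (check the cache's answer against the "correct" one obtained by walking from the root down to the authoritative server, then localize which hop is wrong) can be scripted. The following is an added example, not code from the thread: it assumes a pluggable `query(server_ip, name)` function (for live use you would wrap a DNS library such as dnspython in that shape) and drives it here with a constructed in-memory set of servers using RFC 5737 documentation addresses so it runs offline.

```python
from typing import Callable, Dict, List, Tuple

# query(server_ip, name) -> (answer_ips, referral) where referral maps NS name -> glue IP.
# Assumption: for live use, wrap a real UDP DNS query (e.g. dnspython) in this shape.
QueryFn = Callable[[str, str], Tuple[List[str], Dict[str, str]]]


def resolve_from_root(name: str, root_ip: str, query: QueryFn, max_hops: int = 8):
    """Walk the delegation chain from a root server until some server answers with A records."""
    server, path = root_ip, [root_ip]
    for _ in range(max_hops):
        answers, referral = query(server, name)
        if answers:
            return sorted(answers), path
        if not referral:
            raise RuntimeError(f"{server} returned neither answer nor referral for {name}")
        server = next(iter(referral.values()))  # follow the first glued nameserver
        path.append(server)
    raise RuntimeError(f"referral chain for {name} exceeded {max_hops} hops")


def check_resolver(name: str, resolver_ip: str, root_ip: str, query: QueryFn):
    """Compare a resolver's (possibly cached or forwarded) answer with the authoritative one.
    Returns (clean, resolver_ips, authoritative_ips, delegation_path)."""
    cached, _ = query(resolver_ip, name)
    auth, path = resolve_from_root(name, root_ip, query)
    return set(cached) == set(auth), sorted(cached), auth, path


# Constructed in-memory "internet" so the check runs offline. RFC 5737 addresses stand in
# for the root, TLD and answer records; 216.239.32.10 is ns1.google.com as quoted in the
# thread; 67.15.35.1 is a constructed address inside the block Jerry reported seeing.
FAKE_NET = {
    "192.0.2.53":    {"google.com": ([], {"a.gtld-servers.net": "198.51.100.6"})},  # root
    "198.51.100.6":  {"google.com": ([], {"ns1.google.com": "216.239.32.10"})},     # .com TLD
    "216.239.32.10": {"google.com": (["203.0.113.10"], {})},                        # authoritative
    "10.0.0.2":      {"google.com": (["203.0.113.10"], {})},                        # healthy cache
    "10.0.0.3":      {"google.com": (["67.15.35.1"], {})},                          # polluted cache
}


def fake_query(server_ip: str, name: str):
    answers, referral = FAKE_NET[server_ip].get(name, ([], {}))
    return list(answers), dict(referral)


if __name__ == "__main__":
    for resolver in ("10.0.0.2", "10.0.0.3"):
        clean, got, want, path = check_resolver("google.com", resolver, "192.0.2.53", fake_query)
        print(f"{resolver}: {'OK' if clean else 'MISMATCH'} resolver={got} authoritative={want} via {path}")
```

Running the same check against each of the four DNS servers, and then against each configured forwarder, tells you which hop first hands back the bad record.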