Re: Was this poisoning, spoofing, or something else?



Read inline please.

In news:eE6BPbaOIHA.4176@xxxxxxxxxxxxxxxxxxxx,
Steve <ssimek@xxxxxxx> typed:
Today, one of our internal DNS servers began reporting every host
resolution as an address that has been traced to somewhere in China.
The DNS server has been fine for two years. We are actively trying to
figure out what occurred. Replacing our actual domain with "test",
here is what we saw in nslookup.



nslookup
server 172.xxx.xx.xxx (misbehaving server)

www.test.com
www.test.com.test.com (china address, extra "test.com" added)

validhost1.test.com
validhost1.test.com.test.com (china address)

invalidname1.test.com
invalidname1.test.com.test.com (china address)



What was happening?

This looks like it could be the results from your DNS suffix search list
devolution. I'm guessing your internal domain is something like
'domain.test.com' and it is being devolved by the DNS client and is finding
a wildcard record in the public domain 'test.com', and your internal DNS is
not authoritative for test.com. This is intended behavior.
It can be fixed by ensuring that you have only domain.test.com in your DNS
suffix search list, which your internal DNS is authoritative for.
You can do this in TCP/IP properties, on the DNS tab, "Search these DNS
suffixes (in order)" and enter domain.test.com.
There is a group policy for this here:
Computer Configuration
-Administrative templates
-Network
-DNS Client
-DNS Suffix search list

You should only search suffixes for which you have zones in your local DNS.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
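The devolution behaviour described in the reply above, modelled as an added example (not code from the original thread or from Microsoft). The zone contents, the addresses, the internal domain name 'domain.test.com' and the order in which suffixed names are tried before the name as typed are all assumptions made for the demonstration; the public 'test.com' here is constructed, not the real zone. The model shows why a query for www.test.com comes back as www.test.com.test.com pointing at the wildcard address when the devolved suffix test.com is searched, and what changes when the search list is restricted to the zone the internal server actually hosts.

```python
"""
Constructed model of DNS suffix search-list devolution.

INTERNAL_ZONES is what the internal server is authoritative for;
PUBLIC_ZONES is what it reaches by recursion.  All data is made up.
"""

# Internal server is authoritative only for domain.test.com (assumption).
INTERNAL_ZONES = {
    "domain.test.com": {
        "validhost1.domain.test.com": "10.0.0.11",
    },
}

# Public test.com as seen through recursion (constructed): one real host
# plus a wildcard that answers for every other name under the zone.
PUBLIC_ZONES = {
    "test.com": {
        "www.test.com": "198.51.100.10",
        "*.test.com": "203.0.113.7",   # stands in for the "china address"
    },
}


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def resolve_fqdn(name):
    """Answer for a fully qualified name, or None for NXDOMAIN."""
    name = name.lower().rstrip(".")
    for zone, rrs in INTERNAL_ZONES.items():
        if _in_zone(name, zone):
            return rrs.get(name)          # authoritative: no forwarding
    for zone, rrs in PUBLIC_ZONES.items():
        if _in_zone(name, zone):
            if name in rrs:
                return rrs[name]          # exact record wins
            return rrs.get("*." + zone)   # wildcard only when no exact record
    return None


def devolve(primary_suffix, stop_labels=2):
    """domain.test.com -> ['domain.test.com', 'test.com'] (stops at 2 labels)."""
    labels = primary_suffix.lower().split(".")
    out = []
    while len(labels) >= stop_labels:
        out.append(".".join(labels))
        labels.pop(0)
    return out


def candidates(name, search_list):
    """Names the client tries, in order.  Suffixed forms are tried before the
    name as typed; that ordering is what the posted nslookup output implies
    and is an assumption of this model."""
    name = name.rstrip(".")
    tried = [name + "." + suffix for suffix in search_list]
    if "." in name:
        tried.append(name)
    return tried


def lookup(name, search_list):
    """Return (name that answered, address), or (None, None) if nothing did."""
    for cand in candidates(name, search_list):
        addr = resolve_fqdn(cand)
        if addr is not None:
            return cand, addr
    return None, None


def unsafe_suffixes(search_list):
    """Suffixes for which the internal server holds no zone: the rule at the
    end of the reply is that such suffixes should not be searched."""
    return [s for s in search_list
            if not any(_in_zone(s, z) for z in INTERNAL_ZONES)]


DEVOLVED = devolve("domain.test.com")   # effective list with devolution on
FIXED = ["domain.test.com"]             # list the reply recommends


def demo():
    """Side-by-side results for the three kinds of query in the post."""
    return [(q, lookup(q, DEVOLVED), lookup(q, FIXED))
            for q in ("www.test.com", "validhost1", "invalidname1")]


if __name__ == "__main__":
    print("unsafe suffixes (devolved):", unsafe_suffixes(DEVOLVED))
    for query, before, after in demo():
        print(f"{query:14} devolved -> {before}   fixed -> {after}")
```

With the devolved list, www.test.com is first tried as www.test.com.domain.test.com (NXDOMAIN internally) and then as www.test.com.test.com, which the public wildcard answers, reproducing the shape of the posted output; a nonexistent short name lands on the wildcard the same way. With only domain.test.com searched, the nonexistent name fails cleanly and www.test.com reaches its real public record. `unsafe_suffixes` is the check to run against any search list before deploying it by Group Policy.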

