Re: Was this poisoning, spoofnig, or something else?

From: Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx>
Date: Tue, 11 Dec 2007 18:54:12 -0000

* Kevin D. Goodknecht Sr. [MVP] (Tue, 11 Dec 2007 07:07:47 -0600)

In news:eE6BPbaOIHA.4176@xxxxxxxxxxxxxxxxxxxx,
Steve <ssimek@xxxxxxx> typed:

Today, one of our internal DNS servers began reporting every host
resolution as an address that has been traced to somewhere in China.
The DNS server has been fine for two years. We are actively trying to
figure out what occurred. Replacing our actual domain with "test",
here is what we saw in nslookup.

nslookup

server 172.xxx.xx.xxx (misbehaving server)

www.test.com

www.test.com.test.com (china address, extra "test.com" added)

validhost1.test.com

validhost1.test.com.test.com (china address)

invalidname1.test.com

invalidname1.test.com.test.com (china address)

What was happening?

This looks like it could be the results from your DNS suffix search list
devolution. I'm guessing your internal domain is something like
'domain.test.com' and it is being devolved by the DNS client and is finding
a wildcard record in the public domain 'test.com'.

It has nothing to do with that: "nslookup www.test.com" will always
query first www.test.com.test.com and *only* if that fails
"www.test.com".

The correct syntax is "nslookup www.test.com." see
http://support.microsoft.com/kb/200525/en-us

Thorsten
.

Follow-Ups:
- Re: Was this poisoning, spoofnig, or something else?
  - From: Kevin D. Goodknecht Sr. [MVP]

References:
- Was this poisoning, spoofnig, or something else?
  - From: Steve
- Re: Was this poisoning, spoofnig, or something else?
  - From: Kevin D. Goodknecht Sr. [MVP]

Prev by Date: Re: Mulitple computer entries in DNS
Next by Date: Re: cant ping servers in child domain
Previous by thread: Re: Was this poisoning, spoofnig, or something else?
Next by thread: Re: Was this poisoning, spoofnig, or something else?
Index(es):
- Date
- Thread

Relevant Pages

Re: Was this poisoning, spoofnig, or something else?
... resolution as an address that has been traced to somewhere in China. ... The DNS server has been fine for two years. ... here is what we saw in nslookup. ... This looks like it could be the results from your DNS suffix search ...
(microsoft.public.windows.server.dns)
Re: Was this poisoning, spoofnig, or something else?
... The DNS server has been fine for two years. ... here is what we saw in nslookup. ... www.test.com.test.com (china address, extra "test.com" added) ... If the Active Directory domain is test.com and I query "nslookup ...
(microsoft.public.windows.server.dns)
Re: Was this poisoning, spoofnig, or something else?
... as an address that has been traced to somewhere in China. ... The DNS server has ... Replacing our actual domain with "test", here is what we saw in nslookup. ... You snipped valuable nslookup output ...
(microsoft.public.windows.server.dns)
Re: Website
... can and do redirect sites in their public DNS records, ... itself was redirected internally this way to the local search engine China ... public DNS server and they should be fine. ... >> they can't access any of our websites which hosted by ...
(microsoft.public.windows.server.dns)
Re: Was this poisoning, spoofnig, or something else?
... resolution as an address that has been traced to somewhere in China. ... The DNS server has been fine for two years. ... here is what we saw in nslookup. ... If the Active Directory domain is test.com and I query "nslookup ...
(microsoft.public.windows.server.dns)