Re: Was this poisoning, spoofing, or something else?



Read inline please.

In news:MPG.21c8ed2e1a96229b9898ad@xxxxxxxxxxxxxxxxxxxx,
Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
> * Kevin D. Goodknecht Sr. [MVP] (Tue, 11 Dec 2007 07:07:47 -0600)
>> In news:eE6BPbaOIHA.4176@xxxxxxxxxxxxxxxxxxxx,
>> Steve <ssimek@xxxxxxx> typed:
>>> Today, one of our internal DNS servers began reporting every host
>>> resolution as an address that has been traced to somewhere in China.
>>> The DNS server has been fine for two years. We are actively trying
>>> to figure out what occurred. Replacing our actual domain with "test",
>>> here is what we saw in nslookup.
>>>
>>> nslookup
>>>
>>> server 172.xxx.xx.xxx (misbehaving server)
>>>
>>> www.test.com
>>>
>>> www.test.com.test.com (china address, extra "test.com" added)
>>>
>>> validhost1.test.com
>>>
>>> validhost1.test.com.test.com (china address)
>>>
>>> invalidname1.test.com
>>>
>>> invalidname1.test.com.test.com (china address)
>>>
>>> What was happening?
>>
>> This looks like it could be the results from your DNS suffix search
>> list devolution. I'm guessing your internal domain is something like
>> 'domain.test.com' and it is being devolved by the DNS client and is
>> finding a wildcard record in the public domain 'test.com'.
>
> It has nothing to do with that: "nslookup www.test.com" will always
> query first www.test.com.test.com and *only* if that fails
> www.test.com.

This is incorrect; nslookup will only search test.com if test.com is in the
DNS suffix search list. If his actual domain name is test.com it will search
test.com, but then, for it to return the IP in China, Steve would have to
have an external IP in his DNS servers list (in any position), or not have a
zone for his internal domain in his local DNS server.





--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
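
Added example, not part of the thread: a small offline model of the explanation discussed above (suffix search list devolution combined with a wildcard record in the public parent zone). The primary suffix `domain.test.com` is the guess quoted in the thread; the zone contents, the addresses, and the suffixes-before-literal query order are assumptions chosen to reproduce the nslookup output shown.

```python
# Added illustration: zone contents and addresses are constructed sample data.
PRIMARY_SUFFIX = "domain.test.com"      # the guess quoted in the thread
INTERNAL = {"validhost1.domain.test.com": "172.16.0.10"}
PUBLIC = {"test.com": "198.51.100.1", "www.test.com": "198.51.100.5",
          "*.test.com": "203.0.113.66"}  # wildcard in the public parent zone

def devolve(primary_suffix, min_labels=2):
    """Primary suffix followed by its parents, down to min_labels labels."""
    labels = primary_suffix.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def candidates(name, search_list):
    """Query order assumed here: each suffix appended first, literal name last.
    A trailing dot marks the name as fully qualified, so nothing is appended."""
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    return [f"{name.lower()}.{s}" for s in search_list] + [name.lower()]

def public_lookup(fqdn, zone):
    """Exact match, else the wildcard at the closest existing ancestor."""
    if fqdn in zone:
        return zone[fqdn], "public-exact"
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in zone:
            return zone["*." + parent], "public-wildcard"
        if parent in zone:          # ancestor exists without a wildcard: NXDOMAIN
            break
    return None, None

def resolve(name, primary_suffix=PRIMARY_SUFFIX, internal=INTERNAL, public=PUBLIC):
    """Return (name that answered, address, source), or None if nothing answers."""
    for fqdn in candidates(name, devolve(primary_suffix)):
        if fqdn == primary_suffix or fqdn.endswith("." + primary_suffix):
            ip, src = internal.get(fqdn), "internal"   # authoritative internal zone
        else:
            ip, src = public_lookup(fqdn, public)      # leaves the internal namespace
        if ip:
            return fqdn, ip, src
    return None

if __name__ == "__main__":
    for q in ("validhost1", "www.test.com", "invalidname1.test.com", "www.test.com."):
        print(f"{q:24} -> {resolve(q)}")
```

In this model, the query typed with a trailing dot is the only multi-label lookup that does not get answered by the public wildcard.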
