Re: Was this poisoning, spoofing, or something else?

Read inline please.

In news:MPG.21cba4f2f4379f1a9898b1@xxxxxxxxxxxxxxxxxxxx,
Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
* Kevin D. Goodknecht Sr. [MVP] (Wed, 12 Dec 2007 09:06:58 -0600)
In news:MPG.21c8ed2e1a96229b9898ad@xxxxxxxxxxxxxxxxxxxx,
Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
* Kevin D. Goodknecht Sr. [MVP] (Tue, 11 Dec 2007 07:07:47 -0600)
In news:eE6BPbaOIHA.4176@xxxxxxxxxxxxxxxxxxxx,
Steve <ssimek@xxxxxxx> typed:
Today, one of our internal DNS servers began reporting every host
resolution as an address that has been traced to somewhere in China.
The DNS server has been fine for two years. We are actively trying to
figure out what occurred. Replacing our actual domain with "test", here
is what we saw in nslookup.

nslookup

server 172.xxx.xx.xxx (misbehaving server)

www.test.com

www.test.com.test.com (china address, extra "test.com" added)

validhost1.test.com

validhost1.test.com.test.com (china address)

invalidname1.test.com

invalidname1.test.com.test.com (china address)

What was happening?

This looks like it could be the results from your DNS suffix search
list devolution. I'm guessing your internal domain is something
like 'domain.test.com' and it is being devolved by the DNS client
and is finding a wildcard record in the public domain 'test.com'.

It has nothing to do with that: "nslookup www.test.com" will always
query first www.test.com.test.com and *only* if that fails
www.test.com.

This is incorrect, nslookup will only search test.com if test.com is
in the DNS suffix search list. If his actual domain name is test.com
it will search test.com, but then the only way for it to return the IP
in China would be if Steve has an external IP in his DNS servers
list (in any position), or if he does not have a zone for his
internal Domain in his local DNS server.

Sorry, but I think you're a bit confused. Please read Steve's posting,
mine and the Knowledgebase article I gave[1].

If the Active Directory domain is test.com and I query "nslookup
www.test.com" the actual query sent to the server is "nslookup
www.test.com.test.com". You don't even have to specify a DNS suffix
search list because the domain the PC is in is added by default (seen
in ipconfig /all).

Thorsten

[1] http://support.microsoft.com/kb/200525/en-us
"Nslookup will always devolve the name from the current context. If
you fail to fully qualify a name query (that is, use trailing dot),
the query will be appended to the current context. For example, the
current DNS settings are att.com and a query is performed on
www.microsoft.com; the first query will go out as
www.microsoft.com.att.com because of the query being unqualified. This
behavior may be inconsistent with other vendor's versions of Nslookup,
and this article is presented to clarify the behavior of Microsoft
Windows NT Nslookup.exe"

Nslookup uses the DNS client's DNS suffix search list; it does NOT always
devolve the name. You should test it yourself; I have.
If the DNS client has only one suffix in the search list, no matter how many
levels the suffix is, it will append only the suffix(es) in the list.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
