Re: Was this poisoning, spoofing, or something else?



* Kevin D. Goodknecht Sr. [MVP] (Sun, 16 Dec 2007 15:04:09 -0600)
> In news:MPG.21cf7af7a4b63e499898bd@xxxxxxxxxxxxxxxxxxxx,
> Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
> > * Kevin D. Goodknecht Sr. [MVP] (Sat, 15 Dec 2007 23:03:06 -0600)
> > [snipping all the previous stuff because it got too long]
> > > Nslookup uses the DNS client's DNS suffix search list, it does NOT
> > > always devolve the name, you should test it yourself, I have.
> > > If the DNS client has only one suffix in the search list, no matter
> > > how many levels the suffix is, it will append only the suffix(es) in
> > > the list.
> >
> > Sorry, you now see me confused: Steve's problem was that he discovered
> > that all queries like "nslookup www.test.com" returned
> > "www.test.com.test.com (china address)".
> >
> > I replied that he's got two issues. One is his incorrect nslookup
> > query - he simply forgot the trailing point, so automatically his
> > local domain was added. His local DNS forwards the query to his ISP's
> > DNS because the local DNS is authoritative for test.com but not for
> > test.com.test.com.
>
> If his local DNS server is Authoritative for test.com, explain why you think
> it would not have Authority for test.com.test.com?

That's how DNS works, right? If a nameserver is authoritative for the
com domain, that doesn't mean it's authoritative for microsoft.com,
right?!

And I actually did a trace on a test machine and the Windows 2003 does
indeed query external servers for mydomain.local.mydomain.local.

> > The second is (and here I cannot be one hundred percent sure but it's
> > by far the most likely explanation) his ISP's DNS does a "catch all"
> > for unknown domains and therefore responded with a wrong reply. So
> > this forwarder's cache was likely poisoned (and not the local one's).
>
> If his ISP did a "catch all" (Wildcard) for all unknown domains, how would
> anyone using that ISP be able to resolve any domain name?
> After all, I highly doubt that the ISP's resolving DNS proxy is
> authoritative for any domains, much less all known domains, so every domain
> would hit the wildcard. Wildcard records should only exist in Authoritative
> servers.

VeriSign did that for instance:
http://en.wikipedia.org/wiki/Verisign#Controversies

Thorsten
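The two mechanisms argued over in this thread (a stub resolver appending its DNS suffix search list to a name typed without a trailing dot, and an upstream "catch-all" that answers for names that do not exist) can be reproduced offline with a small model. The code below is an added example and is not from either poster; it is a simplified stand-in, not the Windows DNS client's or nslookup's exact algorithm. The `ndots` ordering rule is an assumption borrowed from glibc-style resolvers, the zone data is constructed, and the addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24).

```python
"""Model of DNS suffix-search-list qualification and of a wildcard ("catch-all") upstream.

Added example, not the thread's own material. The ndots rule below is an assumption
modelled on glibc-style stub resolvers; real clients (including the Windows DNS client
and nslookup) have their own ordering rules.
"""
from typing import Callable, List, Optional, Tuple

Lookup = Callable[[str], Optional[str]]  # fqdn -> address, or None for "no such name"


def candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return the fully qualified names a stub resolver would try, in order.

    A trailing dot marks an absolute name: it is queried as-is and no suffix is
    ever appended. Otherwise (assumed ndots rule) a name with at least `ndots`
    dots is tried as-is first and then with each suffix; a name with fewer dots
    gets the suffixes first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    as_is = f"{name}."
    if name.count(".") >= ndots:
        return [as_is] + suffixed
    return suffixed + [as_is]


def resolve(name: str, search_list: List[str], lookup: Lookup,
            ndots: int = 1) -> Tuple[Optional[str], Optional[str]]:
    """Walk the candidate list and return (fqdn, address) for the first positive answer."""
    for fqdn in candidates(name, search_list, ndots):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None


# Constructed sample data: one name that really exists, and the address a
# catch-all upstream hands out for every name it does not know.
KNOWN = {"www.test.com.": "192.0.2.10"}
CATCH_ALL = "198.51.100.1"


def honest_upstream(fqdn: str) -> Optional[str]:
    """Behaves like a normal resolver: unknown names get no answer (NXDOMAIN)."""
    return KNOWN.get(fqdn)


def catch_all_upstream(fqdn: str) -> Optional[str]:
    """Behaves like a wildcard/catch-all resolver: unknown names all get CATCH_ALL."""
    return KNOWN.get(fqdn, CATCH_ALL)


def detect_catch_all(lookup: Lookup,
                     probes: Tuple[str, ...] = ("zz-nonexistent-1.invalid.",
                                                "zz-nonexistent-2.invalid.")) -> Optional[str]:
    """Defender's check: query names that cannot exist (.invalid is reserved).

    Returns the shared address if every probe gets the same positive answer,
    which is the signature of a catch-all; returns None when the upstream
    correctly reports that the names do not exist.
    """
    answers = {lookup(p) for p in probes}
    if len(answers) == 1:
        (only,) = answers
        return only  # None when all probes were correctly unanswered
    return None


if __name__ == "__main__":
    search = ["test.com"]
    print("absolute name  :", candidates("www.test.com.", search))
    print("relative, ndots=1:", candidates("www.test.com", search))
    print("relative, ndots=3:", candidates("www.test.com", search, ndots=3))
    # Suffix-first ordering against a catch-all yields a confident wrong answer:
    print("catch-all, suffix first:", resolve("www.test.com", search, catch_all_upstream, ndots=3))
    # The same ordering against an honest upstream falls through to the right name:
    print("honest, suffix first   :", resolve("www.test.com", search, honest_upstream, ndots=3))
    print("catch-all detected     :", detect_catch_all(catch_all_upstream))
```

The trailing dot short-circuits the whole search-list walk, which is why `nslookup www.test.com.` and `nslookup www.test.com` can return different things on the same client. The harm of a catch-all is that it turns the NXDOMAIN the stub relies on to move to the next candidate into a positive answer for a name that never existed; `detect_catch_all` is the usual way to spot such an upstream without depending on any real domain.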