Re: Was this poisoning, spoofnig, or something else?

Read inline please.

In news:MPG.21d04c22bd8e74699898bf@xxxxxxxxxxxxxxxxxxxx,
Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
* Kevin D. Goodknecht Sr. [MVP] (Sun, 16 Dec 2007 15:04:09 -0600)
In news:MPG.21cf7af7a4b63e499898bd@xxxxxxxxxxxxxxxxxxxx,
Thorsten Kampe <thorsten@xxxxxxxxxxxxxxxx> typed:
* Kevin D. Goodknecht Sr. [MVP] (Sat, 15 Dec 2007 23:03:06 -0600)
[snipping all the previous stuff because it got too long]
Nslookup uses the DNS client's DNS suffix search list, it does NOT
always devolve the name, you should test it yourself, I have.
If the DNS client has only one suffix in the search list, no matter
how may levels the suffix is, it will append only the suffix(es) in
the list..

Sorry, you now see me confused: Steve's problem was that he
discovered that all queries like "nslookup www.test.com" returned
"www.test.com.test.com (china address)".

I replied that he's got two issues. One is his incorrect nslookup
query - he simply forgot the trailing point, so automatically his
local domain was added. His local DNS forwards the query to his
ISP's
DNS because the local DNS is authorative for test.com but not for
test.com.test.com.

If his local DNS server is Authoritative for test.com, explain why
you think it would not have Authority for test.com.test.com?

That's how DNS works, right? If a nameserver is authoritative for the
com domain, that doesn't mean it's authoritative for microsoft.com,
right?!

And I actually did a trace on a test machine and the Windows 2003 does
indeed query external servers for mydomain.local.mydomain.local.

It will not query external DNS servers for mydomain.local.mydomain.local, IF
you have a zone for mydomain.local.


The second is (and here I cannot be one hundred percent sure but
it's
by far the most likely explanation) his ISP's DNS does a "catch all"
for unknown domains and therefore responded with a wrong reply. So
this forwarder's cache was likely poisoned (and not the local
one's).

If his ISP did a "catch all" (Wildcard) for all unknown domains, how
would anyone using that ISP be able to resolve any domain name?
After all, I highly doubt that the ISP's resolving DNS proxy is
authoritative for any domains, much less all known domains, so every
domain would hit the wildcard. Wildcard records should only exist in
Authoritative servers.

VeriSign did that for instance:
http://en.wikipedia.org/wiki/Verisign#Controversies

Yes, they tried this, and were able to get away with it for a short time,
only because VeriSign has authority over those TLDs. ISPs would not be able
to because they do not have the TLD authority. In order for a wildcard to
work as intended, and not affect other domains, is for the Wildcard to exist
in the Authoritative DNS zone.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


.

Relevant Pages