Re: Deliberate DNS Poisoning



Read inline please.

In news:C8D4897A-55F1-4B6A-8180-B325B710BE4B@xxxxxxxxxxxxx,
T.M. Carter <TMCarter@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> PLEASE READ ENTIRE MESSAGE BEFORE REPLYING!
>
> I need to deliberately poison dns queries for a "walled garden" type
> setup.
>
> I need to return a fixed A record for ALL queries, so that means I
> need to be "quasi-authoritative" for all the .TLD, but only for
> clients that are re-directed to this DNS server.

You cannot "redirect" clients to a certain DNS server, the client will use
the DNS configured in its TCP/IP settings.


> I understand all the pros and cons; and don't need advice as to the
> logic.
>
> If I add a "." in the forwarder, this will simply stop all recursion
> to root servers; which is half the battle. Where I am having the
> issue is how to respond to queries that are TLD destined and
> have a single fixed A record be returned. So I guess the question
> I'm asking is how to privately be authoritative for all .TLD on a
> private selective basis...?
>
> Example:
>
> Client --- DNS Server --->google.com
> DNS Server has a .com record that returns 192.168.1.1
>
> Client --- DNS Server --->microsoft.com
> DNS Server has a .com record that returns 192.168.1.1
>
> Client --- DNS Server --->ANY QUERY ending in .com, .net, .org reply
> DNS Server has a .com record that returns 192.168.1.1
>
> Anything else gets no response.

Start by creating a . (Root) forward lookup zone; from there you just have
to add records or delegations for the names you do want to resolve.

For other domains that you don't want to resolve at all, don't add them. For
domains where you want all hosts to resolve to the same IP
address, add the domain, then add a wildcard "*" (Asterisk) record to that
domain. For example, if you want all names in a certain TLD, create the TLD
as a subdomain to the root, then add a wildcard A record to the domain. Do
not add a wildcard record to any name that is in your DNS suffix search
list. Those domains are searched first; if the exact match doesn't exist,
the wildcard will be returned instead. If the whole point of this is to
prevent all non-local names from being resolved, just add the root zone.


Be aware of the fact that many sites use CNAMEs to FQDNs that are outside
the original domain; those FQDNs must be delegated too, if the original
domain is delegated. For example, there are A records for the Root of
microsoft.com, but many if not most of the other hosts in microsoft.com are
CNAMEs so you can really create A records for these hosts because I've seen
many cases where this IP changes at any time.


Examples of how CNAMEs are used and other domains that must be resolvable in
order to use a Root zone to resolve only names you choose.


microsoft.com. IN A

ANSWER SECTION:
microsoft.com. 3030 IN A 207.46.197.32
microsoft.com. 3030 IN A 207.46.232.182

download.windowsupdate.com. IN A

ANSWER SECTION:
download.windowsupdate.com. 3555 IN CNAME download.windowsupdate.nsatc.net.
download.windowsupdate.nsatc.net. 555 IN CNAME download.windowsupdate.com.fp.nsatc.net.
download.windowsupdate.com.fp.nsatc.net. 3555 IN CNAME download.windowsupdate.com.c.footprint.net.
download.windowsupdate.com.c.footprint.net. 185 IN A 199.93.46.124
download.windowsupdate.com.c.footprint.net. 185 IN A 199.93.62.124

update.microsoft.com. IN A

ANSWER SECTION:
update.microsoft.com. 3600 IN CNAME update.microsoft.com.nsatc.net.
update.microsoft.com.nsatc.net. 300 IN CNAME www.update.microsoft.com.
www.update.microsoft.com. 804 IN CNAME www.update.microsoft.com.nsatc.net.
www.update.microsoft.com.nsatc.net. 55 IN A 65.55.200.157

www.microsoft.com. IN A

ANSWER SECTION:
www.microsoft.com. 3578 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 292 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 292 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 292 IN A 207.46.19.190
lb1.www.ms.akadns.net. 292 IN A 207.46.193.254
lb1.www.ms.akadns.net. 292 IN A 207.46.19.254
lb1.www.ms.akadns.net. 292 IN A 207.46.192.254


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
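
Added example (not part of the original post and not the poster's or Microsoft's code): a small Python model of the private root zone described in the reply, which walks the CNAME chains from the quoted dig output and lists the extra domains that would have to be delegated before an allowed host resolves to its real address. The function names, the delegated/wildcard sets and the "last two labels" delegation heuristic are assumptions made for the illustration.

```python
# CNAME chains transcribed from the dig output quoted in the post.
CHAINS = {
    "microsoft.com.": [],
    "download.windowsupdate.com.": [
        "download.windowsupdate.nsatc.net.",
        "download.windowsupdate.com.fp.nsatc.net.",
        "download.windowsupdate.com.c.footprint.net.",
    ],
    "update.microsoft.com.": [
        "update.microsoft.com.nsatc.net.",
        "www.update.microsoft.com.",
        "www.update.microsoft.com.nsatc.net.",
    ],
    "www.microsoft.com.": [
        "toggle.www.ms.akadns.net.",
        "g.www.ms.akadns.net.",
        "lb1.www.ms.akadns.net.",
    ],
}

def covering(name, zones):
    """Return the most specific entry of `zones` that `name` is at or below."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def classify(name, delegated, wildcard_tlds):
    """Model how the private root zone answers a query for `name`."""
    if covering(name, delegated):
        return "delegated"   # referred to the real name servers
    if covering(name, wildcard_tlds):
        return "wildcard"    # synthesized from the "*" A record (fixed IP)
    return "nxdomain"        # nothing under the private root matches

def missing_delegations(host, delegated, wildcard_tlds, chains=CHAINS):
    """Domains that must also be delegated for `host` to resolve for real."""
    missing = set()
    for hop in [host] + chains.get(host, []):
        if classify(hop, delegated, wildcard_tlds) != "delegated":
            # Assumption: the delegation point is the last two labels.
            missing.add(".".join(hop.rstrip(".").split(".")[-2:]) + ".")
    return sorted(missing)

if __name__ == "__main__":
    for h in CHAINS:
        print(h, missing_delegations(h, {"microsoft.com."}, {"com.", "net.", "org."}))
```

With only microsoft.com delegated and wildcards on com, net and org, www.microsoft.com still ends at the fixed address because its first CNAME target falls under the net wildcard.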

