DNS Weirdness
I've been going through the MS Press book for the 70-291 test, setting up a few Windows 2k3 DNS servers. Per the book's instructions, I've set up a primary DNS server with a zone called domain1.local with access to the web, and this zone is Active-Directory Integrated and only secure dynamic updates are allowed.

Well, upon selecting these features and doing some exercises that involved nslookups, I suddenly noticed strange A records with foreign external IP addresses popping up in my domain1.local zone. These A records corresponded to a server name with the same name as mine in similarly titled "domain1.local" namespaces. They appear in both the root and in the DomainDnsZones and ForestDnsZones subfolders.

To me, one of two things is occurring, neither of them good - 1) a hacker is trying to impersonate my own server on my DNS server and / or access my resources in Active Directory with IP mappings pointed to their server or 2) there is some MCSEr out there doing the same stuff as me with the same setups and my server and same namespace of "domain1.local", and in the process of querying other DNS servers, I was referred to this server as a member of my forest. My DNS server, with dynamic updates allowed and not seeming to know any better, allows this server to update it.

I'm guessing the 2nd option seems much more likely but I'm not ruling out possibility #1 either. When I delete the A records, they reappear a few minutes later. I went ahead and stopped the DNS service when I access the web now.

Anyone have any idea if either of these scenarios is likely and if so, is there some backdoor or security setting I need to lock down that hasn't been locked down?
Re: DNS Weirdness
Neither one of these sounds very likely. Name servers are registered at the client by IP address (you ARE using private IP addresses, right?), not hostname (since you can't look up the name until you locate a DNS server). ".local" is not a legitimate public top level domain. Since your own DNS server is the start of authority for "domain1.local", no offsite queries will be made. What happens when you try to ping one of these hosts? Can you provide an example of a foreign record?

....kurt

"blastingfonda" <blastingfonda@gmail.com> wrote in message news:1110202509.094933.48130@z14g2000cwz.googlegroups.com...
> I've been going through the MS Press book for the 70-291 test,
> setting up a few Windows 2k3 DNS servers. Per the book's instructions,
> I've set up a primary DNS server with a zone called domain1.local with
> access to the web, and this zone is Active-Directory Integrated and
> only secure dynamic updates are allowed.
>
> Well, upon selecting these features and doing some exercises that
> involved nslookups, I suddenly noticed strange A records with foreign
> external IP addresses popping up in my domain1.local zone. These A
> records corresponded to a server name with the same name as mine in
> similarly titled "domain1.local" namespaces. They appear in both the
> root and in the DomainDnsZones and ForestDnsZones subfolders.
>
> To me, one of two things is occurring, neither of them good - 1) a
> hacker is trying to impersonate my own server on my DNS server and / or
> access my resources in Active Directory with IP mappings pointed to
> their server or 2) there is some MCSEr out there doing the same stuff
> as me with the same setups and my server and same namespace of
> "domain1.local", and in the process of querying other DNS servers, I
> was referred to this server as a member of my forest. My DNS server,
> with dynamic updates allowed and not seeming to know any better, allows
> this server to update it.
>
> I'm guessing the 2nd option seems much more likely but I'm not ruling
> out possibility #1 either. When I delete the A records, they reappear a
> few minutes later. I went ahead and stopped the DNS service when I
> access the web now.
>
> Anyone have any idea if either of these scenarios is likely and if so,
> is there some backdoor or security setting I need to lock down that
> hasn't been locked down?
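Kurt's first two questions (are the addresses private, and what does a foreign record actually look like) can be answered from the zone itself. The script below is an added example, not code from either poster: it lists every A record in the zone whose address falls outside private space and reports whether the zone really is AD-integrated with secure-only dynamic updates. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; on Windows 2003 the same data comes from `dnscmd /enumrecords` and `dnscmd /zoneinfo`) and uses the zone name `domain1.local` from the thread.

```powershell
# Added example (not from the thread): audit a Windows DNS zone for A records
# that point outside private address space and check its dynamic-update mode.
# Assumes the DnsServer module; zone name 'domain1.local' comes from the thread.

function Test-PrivateIPv4 {
    # True for RFC 1918 space plus loopback and APIPA link-local; false otherwise.
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }   # only IPv4 is classified here
    switch ($b[0]) {
        10      { return $true }                                # 10.0.0.0/8
        127     { return $true }                                # 127.0.0.0/8 loopback
        169     { return ($b[1] -eq 254) }                      # 169.254.0.0/16 APIPA
        172     { return ($b[1] -ge 16 -and $b[1] -le 31) }     # 172.16.0.0/12
        192     { return ($b[1] -eq 168) }                      # 192.168.0.0/16
        default { return $false }
    }
}

function Get-ForeignARecord {
    # Returns the A records in $ZoneName whose address is not private.
    # A non-empty Timestamp means the record was registered dynamically
    # (aging is tracked), which is what a rogue or misconfigured client leaves behind.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType A |
        Where-Object { -not (Test-PrivateIPv4 $_.RecordData.IPv4Address) } |
        Select-Object HostName,
                      @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address.IPAddressToString } },
                      Timestamp
}

$zoneName = 'domain1.local'
$zone = Get-DnsServerZone -Name $zoneName

"Zone {0}: AD-integrated={1}, DynamicUpdate={2}, ReplicationScope={3}" -f `
    $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate, $zone.ReplicationScope

# For an AD-integrated zone DynamicUpdate should read 'Secure'. 'NonsecureAndSecure'
# lets any host that can reach UDP/TCP 53 overwrite records without authenticating,
# so it is the first setting to rule out when unexpected records keep coming back.
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $zoneName accepts non-secure dynamic updates"
}

Get-ForeignARecord -ZoneName $zoneName | Format-Table -AutoSize
```

Run it on the DNS server as a DNS administrator. A record with a public address and a non-empty Timestamp was written by a dynamic update, so the next place to look is the DNS server's audit log (or the security log, once object auditing is enabled on the zone container) for the account that registered it; a static record with no Timestamp was put there by hand or by a zone transfer.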
Re: DNS Weirdness
Oddly enough, it was making offsite queries for my domain name when I examined a couple of NetMonitor packets while pinging my own server - that and the fact that nslookup was not returning a proper domain name for either host name or IP address led me to conclude that my Reverse Lookup zone didn't contain proper PTR records so I went ahead and wiped / recreated that.

Also, my domain failed the netdiag LDAP test - meaning that it wasn't able to start the Kerberos service. Analyzing the event viewer system log, I drew the conclusion that this was due to the time server being set to time.windows.com or whatever (something I may have absentmindedly set prior to running DCPROMO). Setting my domain controller as the domain time server with NET TIME /SETSNTP fixed that. May have been completely unrelated but I would think Kerberos not starting *would* potentially cause my Active Directory DNS zone to be a little less secure.

Now that the netdiag test runs properly, I'm going to mess with it later tonight and see if I still have issues.

Kurt wrote:
> Neither one of these sounds very likely. Name servers are registered at the
> client by IP address (you ARE using private IP addresses, right?), not
> hostname (since you can't look up the name until you locate a DNS server).
> ".local" is not a legitimate public top level domain. Since your own DNS
> server is the start of authority for "domain1.local", no offsite queries
> will be made. What happens when you try to ping one of these hosts? Can you
> provide an example of a foreign record?
>
> ...kurt