Velocity Reviews - Computer Hardware Reviews


DNS Weirdness

blastingfonda (03-07-2005)
I've been going through the MS Press's book for the 70-291 test,
setting up a few Windows 2k3 DNS servers. Per the book's instructions,
I've set up a primary DNS server with a zone called domain1.local with
access to the web, and this zone is Active-Directory Integrated and
only secure dynamic updates are allowed.

Well, upon selecting these features and doing some exercises that
involved nslookups, I suddenly noticed strange A records with foreign
external IP addresses popping up in my domain1.local zone. These A
records corresponded to a server name with the same name as mine in
similarly titled "domain1.local" namespaces. They appear in both the
root and in the DomainDnsZones and ForestDnsZones subfolders.

To me, one of two things is occurring, neither of them good - 1) a
hacker is trying to impersonate my own server on my DNS server and / or
access my resources in Active Directory with IP mappings pointed to
their server or 2) there is some MCSEr out there doing the same stuff
as me with the same setups and my server and same namespace of
"domain1.local", and in the process of querying other DNS servers, I
was referred to this server as a member of my forest. My DNS server,
with dynamic updates allowed and not seeming to know any better, allows
this server to update it.

I'm guessing the 2nd option seems much more likely but I'm not ruling
out possibility #1 either. When I delete the A records, they reappear a
few minutes later. I went ahead and stopped the DNS service when I
access the web now.

Anyone have any idea if either of these scenarios is likely and if so,
is there some backdoor or security setting I need to lock down that
hasn't been locked down?

Kurt (03-07-2005)

Neither one of these sounds very likely. Name servers are registered at the
client by IP address (you ARE using private IP addresses, right?), not
hostname (since you can't look up the name until you locate a DNS server).
".local" is not a legitimate public top level domain. Since your own DNS
server is the start of authority for "domain1.local", no offsite queries
will be made. What happens when you try to ping one of these hosts? Can you
provide an example of a foreign record?

....kurt

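A defender's check that follows from Kurt's questions, added here and not part of the thread: it walks a zone listing (a constructed sample, not the poster's actual zone) and flags A records whose addresses fall outside the subnets the lab owns, plus owner names that carry more than one address, which is the exact symptom described above. The subnet list and the master-file style layout are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed sample zone listing in master-file style (name TTL class type rdata).
# It is not the poster's real zone; server1 carries the expected LAN address plus
# a second A record pointing at a documentation-range address that stands in for
# the "foreign external IP" the thread describes.
ZONE_DUMP = """\
domain1.local.                 600 IN NS  server1.domain1.local.
server1.domain1.local.        1200 IN A   192.168.1.10
server1.domain1.local.        1200 IN A   203.0.113.45
ws01.domain1.local.           1200 IN A   192.168.1.21
DomainDnsZones.domain1.local.  600 IN A   192.168.1.10
ForestDnsZones.domain1.local.  600 IN A   192.168.1.10
"""

def parse_a_records(dump: str) -> List[Dict[str, str]]:
    """Pull (owner name, IPv4) pairs out of a zone listing; other record types are ignored."""
    records = []
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            records.append({"name": fields[0].rstrip(".").lower(), "ip": fields[4]})
    return records

def foreign_a_records(dump: str, lab_subnets: List[str]) -> List[Dict[str, str]]:
    """A records whose address lies outside the subnets the lab actually owns (assumed list)."""
    nets = [ipaddress.ip_network(n) for n in lab_subnets]
    return [r for r in parse_a_records(dump)
            if not any(ipaddress.ip_address(r["ip"]) in n for n in nets)]

def multihomed_names(dump: str) -> Dict[str, List[str]]:
    """Owner names that resolve to more than one address: a host 'with the same name as mine'."""
    by_name = defaultdict(list)
    for r in parse_a_records(dump):
        by_name[r["name"]].append(r["ip"])
    return {name: ips for name, ips in by_name.items() if len(ips) > 1}

if __name__ == "__main__":
    for r in foreign_a_records(ZONE_DUMP, ["192.168.1.0/24"]):
        print(f"outside lab subnets: {r['name']} -> {r['ip']}")
    for name, ips in multihomed_names(ZONE_DUMP).items():
        print(f"multiple addresses: {name} -> {', '.join(ips)}")
```

Any record the first function reports is one to check against the dynamic-update settings of the zone; a private address that simply is not yours is just as suspect as a public one.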
blastingfonda (03-08-2005)
Oddly enough, it was making offsite queries for my domain name when I
examined a couple of NetMonitor packets while pinging my own server -
that and the fact that nslookup was not returning a proper domain name
for either host name or IP address led me to conclude that my Reverse
Lookup zone didn't contain proper PTR records so I went ahead and wiped
/ recreated that.

Also, my domain failed the netdiag LDAP test - meaning that it wasn't
able to start the Kerberos service. Analyzing the event viewer system
log, I drew the conclusion that this was due to the time server being
set to time.windows.com or whatever (something I may have
absentmindedly set prior to running DCPROMO). Setting my domain
controller as the domain time server with NET TIME /SETSNTP fixed
that. May have been completely unrelated but I would think Kerberos not
starting *would* potentially cause my Active Directory DNS zone to be a
little less secure.

Now that the netdiag test runs properly, I'm going to mess with it
later tonight and see if I still have issues.
