DNS Weirdness

Discussion in 'MCSE' started by blastingfonda, Mar 7, 2005.

  1. I've been going through the MS Press's book for the 70-291 test,
    setting up a few Windows 2k3 DNS servers. Per the book's instructions,
    I've set up a primary DNS server with a zone called domain1.local with
    access to the web, and this zone is Active-Directory Integrated and
    only secure dynamic updates are allowed.

    Well, upon selecting these features and doing some exercises that
    involved nslookups, I suddenly noticed strange A records with foreign
    external IP addresses popping up in my domain1.local zone. These A
    records corresponded to a server name with the same name as mine in
    similarly titled "domain1.local" namespaces. They appear in both the
    root and in the DomainDnsZones and ForestDnsZones subfolders.

    To me, one of two things is occurring, neither of them good - 1) a
    hacker is trying to impersonate my own server on my DNS server and / or
    access my resources in Active Directory with IP mappings pointed to
    their server or 2) there is some MCSEr out there doing the same stuff
    as me with the same setups and my server and same namespace of
    "domain1.local", and in the process of querying other DNS servers, I
    was referred to this server as a member of my forest. My DNS server,
    with dynamic updates allowed and not seeming to know any better, allows
    this server to update it.

    I'm guessing the 2nd option seems much more likely but I'm not ruling
    out possibility #1 either. When I delete the A records, they reappear a
    few minutes later. I went ahead and stopped the DNS service when I
    access the web now.

    Anyone have any idea if either of these scenarios is likely and if so,
    is there some backdoor or security setting I need to lock down that
    hasn't been locked down?
     
    blastingfonda, Mar 7, 2005
    #1

  2. Kurt (Guest)

    Neither one of these sounds very likely. Name servers are registered at the
    client by IP address (you ARE using private IP addresses, right?), not
    hostname (since you can't look up the name until you locate a DNS server).
    ".local" is not a legitimate public top level domain. Since your own DNS
    server is the start of authority for "domain1.local", no offsite queries
    will be made. What happens when you try to ping one of these hosts? Can you
    provide an example of a foreign record?

    ....kurt

    "blastingfonda" <> wrote in message
    news:...
    > I've been going through the MS Press's book for the 70-291 test,
    > setting up a few Windows 2k3 DNS servers. Per the book's instructions,
    > I've set up a primary DNS server with a zone called domain1.local with
    > access to the web, and this zone is Active-Directory Integrated and
    > only secure dynamic updates are allowed.
    >
    > Well, upon selecting these features and doing some exercises that
    > involved nslookups, I suddenly noticed strange A records with foreign
    > external IP addresses popping up in my domain1.local zone. These A
    > records corresponded to a server name with the same name as mine in
    > similarly titled "domain1.local" namespaces. They appear in both the
    > root and in the DomainDnsZones and ForestDnsZones subfolders.
    >
    > To me, one of two things is occurring, neither of them good - 1) a
    > hacker is trying to impersonate my own server on my DNS server and / or
    > access my resources in Active Directory with IP mappings pointed to
    > their server or 2) there is some MCSEr out there doing the same stuff
    > as me with the same setups and my server and same namespace of
    > "domain1.local", and in the process of querying other DNS servers, I
    > was referred to this server as a member of my forest. My DNS server,
    > with dynamic updates allowed and not seeming to know any better, allows
    > this server to update it.
    >
    > I'm guessing the 2nd option seems much more likely but I'm not ruling
    > out possibility #1 either. When I delete the A records, they reappear a
    > few minutes later. I went ahead and stopped the DNS service when I
    > access the web now.
    >
    > Anyone have any idea if either of these scenarios is likely and if so,
    > is there some backdoor or security setting I need to lock down that
    > hasn't been locked down?
    >
     
    Kurt, Mar 7, 2005
    #2

  3. Oddly enough, it was making offsite queries for my domain name when I
    examined a couple of NetMonitor packets while pinging my own server -
    that and the fact that nslookup was not returning a proper domain name
    for either host name or IP address led me to conclude that my Reverse
    Lookup zone didn't contain proper PTR records so I went ahead and wiped
    / recreated that.

    Also, my domain failed the netdiag LDAP test - meaning that it wasn't
    able to start the Kerberos service. Analyzing the event viewer system
    log, I drew the conclusion that this was due to the time server being
    set to time.windows.com or whatever (something I may have
    absentmindedly set prior to running DCPROMO). Setting my domain
    controller as the domain time server with NET TIME /SETSNTP fixed
    that. May have been completely unrelated but I would think Kerberos not
    starting *would* potentially cause my Active Directory DNS zone to be a
    little less secure.

    Now that the netdiag test runs properly, I'm going to mess with it
    later tonight and see if I still have issues.

    Kurt wrote:
    > Neither one of these sounds very likely. Name servers are registered
    > at the client by IP address (you ARE using private IP addresses, right?),
    > not hostname (since you can't look up the name until you locate a DNS
    > server).
    > ".local" is not a legitimate public top level domain. Since your own
    > DNS server is the start of authority for "domain1.local", no offsite
    > queries will be made. What happens when you try to ping one of these
    > hosts? Can you provide an example of a foreign record?
    >
    > ...kurt
     
    blastingfonda, Mar 8, 2005
    #3
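An added example, not code from the thread or from either poster: a small Python audit that checks the two things raised above, Kurt's question in reply #2 (are the A records actually private addresses?) and the missing PTR records the original poster found in post #3. It reads a forward zone and its reverse zone in standard zone-file syntax (the format a `dnscmd /ZoneExport` produces) and reports A records outside RFC 1918 space and A records with no matching PTR. The zone contents below are constructed sample data; only the name domain1.local comes from the thread, and 203.0.113.45 stands in for an unexpected external address.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread): a forward zone for
# domain1.local and its reverse zone, in standard zone-file syntax.
FORWARD_ZONE = """\
$ORIGIN domain1.local.
@        3600 IN SOA server1.domain1.local. hostmaster.domain1.local. (
                     2005030701 900 600 86400 3600 )
@        3600 IN NS  server1.domain1.local.
server1  1200 IN A   192.168.1.10
server1  1200 IN A   203.0.113.45   ; the unexpected "foreign" record
client1  1200 IN A   192.168.1.50   ; no PTR exists for this host
"""

REVERSE_ZONE = """\
$ORIGIN 1.168.192.in-addr.arpa.
10       1200 IN PTR server1.domain1.local.
"""

# (owner name without trailing dot, record type, rdata as written)
Record = Tuple[str, str, str]

# RFC 1918 ranges only; ipaddress.is_private is wider than that and would
# not flag documentation or other special-use ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] [IN] TYPE rdata  (only A and PTR lines are of interest here)
_RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)\s*$", re.IGNORECASE)


def _fqdn(name: str, origin: str) -> str:
    """Expand '@' and relative owner names against the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin.rstrip(".")
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin.rstrip('.')}" if origin else name


def parse_zone(text: str) -> List[Record]:
    """Return the A and PTR records of a zone-file text, owners fully qualified."""
    origin = ""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = _RR_LINE.match(line)
        if not m:
            continue   # SOA, NS and SOA continuation lines are not needed here
        owner, rtype, rdata = m.groups()
        records.append((_fqdn(owner, origin), rtype.upper(), rdata))
    return records


def find_foreign_a_records(records: List[Record]) -> List[Tuple[str, str]]:
    """A records whose address lies outside RFC 1918 space.

    In a lab zone for a private network these should not exist, so each one
    is worth investigating (a stray dynamic update, a typo, or worse)."""
    hits = []
    for owner, rtype, rdata in records:
        if rtype != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(rdata)
        except ValueError:
            hits.append((owner, rdata))   # unparsable rdata is suspicious too
            continue
        if not any(addr in net for net in RFC1918):
            hits.append((owner, str(addr)))
    return hits


def find_a_records_without_ptr(forward: List[Record], reverse: List[Record]) -> List[Tuple[str, str]]:
    """A records for which the reverse zone has no PTR pointing back at the owner.

    These are the hosts for which nslookup on the address would fail to
    return the host name."""
    ptr_by_owner: Dict[str, set] = {}
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            ptr_by_owner.setdefault(owner, set()).add(rdata.rstrip(".").lower())
    missing = []
    for owner, rtype, rdata in forward:
        if rtype != "A":
            continue
        try:
            rev_name = ipaddress.IPv4Address(rdata).reverse_pointer  # e.g. 10.1.168.192.in-addr.arpa
        except ValueError:
            continue
        if owner not in ptr_by_owner.get(rev_name, set()):
            missing.append((owner, rdata))
    return missing


def audit(forward_text: str, reverse_text: str) -> Dict[str, List[Tuple[str, str]]]:
    fwd, rev = parse_zone(forward_text), parse_zone(reverse_text)
    return {
        "foreign": find_foreign_a_records(fwd),
        "missing_ptr": find_a_records_without_ptr(fwd, rev),
    }


if __name__ == "__main__":
    for kind, hits in audit(FORWARD_ZONE, REVERSE_ZONE).items():
        for owner, value in hits:
            print(f"{kind}: {owner} -> {value}")
```

Run against a real export, the `foreign` list is the set of records to investigate first (and, if the zone allows secure dynamic updates only, to compare against the security descriptor of each record to see which account registered it), while the `missing_ptr` list is exactly what a rebuilt reverse zone has to cover before nslookup returns proper names again.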