Solved

Domain name service - Need help

Posted on 1998-05-31
Last Modified: 2010-04-21
I need help. Our network has become inaccessible by telnet and we are also having difficulty sending out email. The symptoms follow the pattern shown on May 18 of this year, when 'DNS was hosed' according to our system administrator.
Well, he is on vacation and folks are going to ask me to 'unhose DNS'. Can someone give me some advice on how to discern what is wrong and how to put the network back in order if it is indeed the Domain Name Service?
Thanks.
Question by:bwsaul
8 Comments
 
LVL 2

Expert Comment

by:kellyjj
ID: 2007313
Insert 6 sticks of dynamite inside case.   Take match and light.  Please leave room.  =]
0
 

Author Comment

by:bwsaul
ID: 2007314
The problem seems to be with getting a SunOS 4.1.3 machine to properly run an in.named daemon. I killed the old process and invoked a new daemon. But this does not seem to have solved the problem.
Blowing up the system is not an option (Gee, thanks, Kellyj).
0
 
LVL 2

Expert Comment

by:kellyjj
ID: 2007315
ahhh man,  you mean I don't get the points??!!??  hehehehe.  I hope someone knows how to fix this.  
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2007316
If DNS is your problem, you need to disable (kill named) on any host, not only the server(s). Then you must reinstall your /etc/{hosts,networks} on all those hosts (if your admin left these files as they were before starting DNS, you're lucky).
0
 
LVL 1

Expert Comment

by:m4rc
ID: 2007317
What are the symptoms? Can you use nslookup from the servers and hosts to see if the right info is going out, and check the settings on the servers? (Yeah, vague, I know, but you can use it to connect to name servers and get all kinds of info. You know, nslookup, then set type=NS, ., and so on.)
0
 
LVL 1

Expert Comment

by:zonker031798
ID: 2007318
Let's get some more details.

1. What OS are you running on all the affected machines?

2. Are you using NIS?  If so, has it been configured to roll
unanswered queries from NIS over to DNS?

3. Are you on a subnet?  Behind a firewall?

4. Can you verify that your network is routing correctly?
(In other words, if you supply IP addresses to applications
such as ping and telnet, do they work?)

5. What DNS server software are you using?  What version?

6. Are you able to reach hosts external to your network
by IP?  by hostname?


0
 
LVL 1

Expert Comment

by:turnkey
ID: 2007319
bwsaul:

What is the IP address of your DNS server?

What is your company's domain name?

I will look at your DNS records (using nslookup and DNS_Boss) to help you troubleshoot the problems.  Also, before I check out your system, I need to be sure that you are running BIND (in.named) [command:  ps -ef | grep named] on your server and if so, which version.  Secondly, I need to know if your DNS server is behind a firewall.  This is usually NOT the case, but could greatly affect the DNS zone transfers.

What OS are the clients running?  MacOS, UNIX, NT, WFW3.11, etc.?

Can you ping an IP address from a client workstation?

Can you ping a hostname address from a client workstation?

Is the problem isolated to certain workstations on the LAN or is it a widespread problem?

Please let me know these answers so that we can get this resolved.

Regards,
David (a.k.a. turnkey)
0
 

Accepted Solution

by:
obkb earned 100 total points
ID: 2007320
There are two families of BIND, BIND 4.X and BIND 8.X. Most of the vendor-supplied DNS executables are based on the Vix BIND 4.X; consequently most of the older machines only have resolver libraries capable of communicating with BIND 4.X servers. There is also a change of resolver protocols somewhere in the 4.X line, can't remember where at the moment, but needless to say many of the older Unix flavours such as SunOS 4.1.X will have trouble if the DNS server gets upgraded.

The date of your question seems suspicious. Around that time hundreds of sites were hacked into by hackers using a hack kit that exploited a buffer overrun condition in BIND. The CERT advisories recommended upgrading to the latest respective versions of BIND at the time and, in truth, that's still the best answer, as many vendors have yet to provide suitable patches.

I would first ask if you are relying on a DNS server maintained by somebody else, i.e.: does your /etc/resolv.conf file point to a DNS server that is not maintained by you? If so, there is the chance that they have upgraded their DNS in order to address the security issues of the time and are no longer compatible with your resolvers. You may be able to co-ordinate with them to build a set of resolver libraries that are compatible, but then you would also have to recompile the applications with the new libraries (on SunOS, one usually just cheats and rebuilds only NIS rather than all the itsy bitsy programs like telnet and ping). Mind you, you can't recompile if you don't have the source code license.

You may want to just point your resolvers to somebody who's still running an old and hence insecure DNS server to see if your problem is the incompatibility between your resolver and whatever version of BIND you are trying to use. Since I have a lot of old decrepit junk behind the firewall, I run one DNS server still in the plain vanilla vendor BIND. Of course, it's secured by running it in a chroot area so any hackers breaking in could not do any damage nor get any functionality to attack another site, and we have scripts sampling the packets that fly by for traces of the hack kit so that we would have something to at least start a trace of the hacker should they attack. We may not be able to catch them on the first try but if they are persistent... (on another note, the hacker attacks stopped when I emailed the security officer about the counter measures in unencrypted text). Anyways, you can temporarily point your /etc/resolv.conf file to my server to test if the resolver incompatibilities are your problem; you'll have to arrange the exchange of IP addresses in private email with me if you want to do this.

I'll be away for the weekend but you can send me email at jwang@cs.uh.edu if you want to give it a try.

If the DNS server is one of your machines and not someone else's, then I would highly recommend that you get the CERT intrusion detection checklist and check your DNS server for indications of a break-in. One thing to do is to check to see if there is a core file left by a dying named executable (one of the side effects of brute force buffer overruns). Often the core file will be left in the directory /var/named. If you find one, copy it to a system that's less likely to have been compromised (you may want to reload a system or at least the tools and libraries you wish to use) and do a "strings" command on the core file. Look for things like references to /etc/passwd and for attempts to establish interactive sessions like "xterm -display X.X.X.X". If you see them, your named executable core dumped because the buffer overflow scrambled its code in memory. You could probably just restart it to be functional again, but if the hacker hasn't already broken into your site successfully, he/she will just overflow the buffer till the scrambled code executes one of the instructions he/she is feeding it to either establish the interactive session or sneak a back door into the passwd file. If you want to restart it, look for the named startup syntax in your rc files; it'll probably read something like "in.named -f /etc/named.boot" but may have been customized for your site. Do a "find /etc/rc* -type f -exec grep named {} \; -ls" to find the line.

If you are receiving attacks on your BIND, you may want to establish a chroot jail cell for the named executable to run in. You would need to populate the chroot area with all the files that named needs and nothing else (sometimes it's fun to throw in a fake /etc/passwd file with tons of hard-to-crack bogus passwords so that the hackers spend days running crack on their home PCs). To figure out what you need to populate the jail cell with, use truss and ldd.

I think that since you've had a working DNS before, then it's most likely that your problem is either the resolver compatibility scenario where someone changed the services out from under you or the hacker causing your named executable to core dump problem (this would coincide with the time frame of your posting). Still, an experienced sysadmin could glance over your DNS configuration files for obvious mistakes if you send them the files. Try to find someone else to look at them, I'm pretty swamped, but if you can't find anyone...
0
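The core-file check and rc-file search the accepted answer describes, written up as a small POSIX sh script. This is an added example, not code from the thread or from BIND; the directory paths are parameters and the sample tree (a constructed "core" file and rc.local) is built by the script so it runs offline.

```sh
#!/bin/sh
# Added example: a defender's post-mortem check for a crashed in.named.
# Looks for core files left under the named directory, pulls the printable
# strings out of them and flags the indicators obkb mentions, and recovers
# the named startup line from the rc files before any restart.

# Printable strings of 4+ characters from a (possibly binary) file, done
# with tr so it works where strings(1) from binutils is not installed.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Exit 0 (suspicious) and print the matching strings if the core file
# references /etc/passwd or an "xterm -display" callback; exit 1 otherwise.
scan_core_file() {
    extract_strings "$1" | grep -E '/etc/passwd|xterm -display'
}

# Number of core files under the named directory (normally /var/named).
count_core_files() {
    find "$1" -type f -name 'core*' | wc -l | tr -d ' '
}

# Every line in the rc tree that mentions named, prefixed by its file, so
# the site's customized startup syntax can be copied for a clean restart.
find_named_startup() {
    find "$1" -type f -exec grep -H 'named' {} \;
}

# Constructed sample tree: a fake core with binary padding around the
# indicator strings, and an rc.local with a typical in.named line.
setup_sample() {
    dir=${TMPDIR:-/tmp}/named-check.$$
    mkdir -p "$dir/var/named" "$dir/etc"
    { printf '\000\001\002ELF\003'; printf '/etc/passwd\000';
      printf 'xterm -display 192.0.2.10:0\000'; printf '\004\005'; } \
        > "$dir/var/named/core"
    printf 'if [ -f /usr/etc/in.named ]; then\n    in.named -f /etc/named.boot\nfi\n' \
        > "$dir/etc/rc.local"
    echo "$dir"
}

# Stand-alone run against the sample tree; on a real host call the
# functions with /var/named and /etc instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(setup_sample)
    echo "core files: $(count_core_files "$d/var/named")"
    scan_core_file "$d/var/named/core" && echo "INDICATORS FOUND: treat host as compromised"
    find_named_startup "$d/etc"
    rm -rf "$d"
fi
```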