
Solved

NT4 DNS Name Server is receiving bogus DNS cache root servers!

Posted on 2004-11-09
Medium Priority
432 Views
Last Modified: 2012-05-05
Hello Experts.. hope you can help.

This is not a simple one.
We have a company next door, our ISP, and they are an ISP for many customers.
Their main DNS server recently (since Sunday) has been receiving bogus cache entries for the .com and .net domains.
The main root servers for these cached zones are being entered into the name server wrong, or rather replaced, and the IPs of the sites are replaced.
The entries for the root servers are ns1.thirdfloordoorsXX.com, where the XX changes from 01 to 06.

So what happens is you type in msn.com and you get this site, 218.234.22.221, because all the .com sites' IPs have been replaced with IPs that point to it.
All of his customers are having this happen.
We found the only reference to this (thirdfloordoors.com) is some guy in England.

We do not have any idea how this is happening.
Virus and Spyware have been checked and double checked.
Windows updates are current.

Right now the ISP has taken down the main DNS and is running the secondary.
We are waiting to see if it gets infected like the first.
NS1.PTINETWORKS.NET
NS2.PTINETWORKS.NET

Please help ASAP!
0
Question by:kenmartenz
17 Comments
 
LVL 2

Expert Comment

by:trymelatr
ID: 12536645
Could it be someone hacking in and changing them manually?  If you have auditing capabilities on the boxes...turn it on and see who/what logs in.

It might be good measure to reset all passwords and disable unused accounts.  If you have checked for viruses and spyware, then intrusion is a viable possibility.  Also, internal tampering. Disgruntled employees... I've seen it; it happens a lot.
0
 

Author Comment

by:kenmartenz
ID: 12536652
Note: the IP address will not work for me..  use http://ns1.thirdfloordoors01.com to see the site
0
 

Author Comment

by:kenmartenz
ID: 12536679
I don't think the manual thing is possible; just the sheer quantity would take too much time (keep in mind he is an ISP, so he's got thousands of entries in cache in about 10 minutes).
Also it happens almost instantaneously.


Also he is doing DNS himself. But if he goes through his backbone provider's DNS there is no problem, so we are pretty sure it is a problem with the box... we think.
0

 

Author Comment

by:kenmartenz
ID: 12536687
So far DNS server 2 has not been infected/taken over.
0
 

Author Comment

by:kenmartenz
ID: 12536706
Uhm, also his employees are not doing this, as there are only 3 of them, 2 having the know-how, and they are not doing it.
Also he is running a Unix DNS server, which is not affected by this.
0
 

Author Comment

by:kenmartenz
ID: 12536749
Okay, DNS box two just got infected / taken over now, so it's not the box, or at least both are infected with it.
0
 
LVL 2

Expert Comment

by:trymelatr
ID: 12536882
I am sure a script could be written to change the settings.  What type of boxes are they?  Do they have the latest security updates?
0
 

Author Comment

by:kenmartenz
ID: 12536947
They are Windows NT4 servers; all service packs and all Windows updates are installed.
0
 
LVL 2

Expert Comment

by:trymelatr
ID: 12537352
Are there any entries in the event log that stand out?  Has he turned on Auditing for security events? You can check what services or programs are running too. Maybe someone got a script to run.

Is the original one offline totally?
0
 

Author Comment

by:kenmartenz
ID: 12537373
At my last post the servers were restarted; they are now infected.
So about 30 minutes to re-infection.
This happens repeatedly.
0
 

Author Comment

by:kenmartenz
ID: 12537398
Well, NT4 does not have a DNS event log, but the event log is normal otherwise.
It does not look like through audits there is anything out of the norm.

Both nameservers are up today.
0
 
LVL 2

Assisted Solution

by:trymelatr
trymelatr earned 500 total points
ID: 12537761
Those NS servers are supposedly known for being related to or allowing spammers.  Here is something I found...

http://www.joewein.de/sw/bl-log-2004-11-06.htm
0
 
LVL 4

Accepted Solution

by:zookeepa1
zookeepa1 earned 500 total points
ID: 12538113
It's been a moment since I've supported an NT 4.0 DNS server, but I seem to recall a secure update setting, meaning you could set the server to accept DNS updates from specific IP addresses only.  Also, based on the text above I'm not sure whether the "attack" is happening from a customer or from an external source.  The setting, if I'm not confusing versions, was on the DNS server itself in DNS Manager.

In any regard, could you modify the firewall to deny DNS traffic originating from outside the firewall?
0
 

Author Comment

by:kenmartenz
ID: 12538700
Here's what I found out.
They cannot modify the firewall because they act as an authoritative DNS for the websites they host.
So blocking outside requests would block the websites that they host.
They are also a hosting provider.

As far as just allowing updates from certain IP's they are looking into it to see if it's do-able.

They are also in the process of building another machine to see if it will not get "infected"
They are also getting a backup Unix server configured to act as DNS server.
0
 
LVL 4

Expert Comment

by:zookeepa1
ID: 12540500
(Stupid Question Alert) Have you confirmed that the NT permissions have not been modified on the DNS server?  And secondly (another stupid question), why not make the DNS table read-only?

-Zoo
0
 

Author Comment

by:kenmartenz
ID: 12540532
Well, interesting idea about locking down the table, but in NT4 isn't it in memory? How do you go about locking it down? I believe 2K and 2K3 have that support, but NT4?

Also what about Cache Poisoning?  I am running into this in my searches.
0
 

Author Comment

by:kenmartenz
ID: 12978458
I did find the solution myself finally down the road of Cache poisoning.

There is a way, unless you hack the registry in NT4, that DNS servers on the web can change the authoritative root servers on an NT4 server box. There is a registry setting which will turn off the functionality that allows other DNS servers to update these specific records.

We found that the DNS server ns1.thirdfloordoorsXX.com hosted a number of sites, and upon ANY client connecting through NS1.PTINETWORKS.NET or NS2.PTINETWORKS.NET the authoritative root servers would be rewritten.
Once we found the registry setting, turned it on and rebooted, he was no longer able to get "poisoned".

If anyone needs more information on this just let me know.
0
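What the thread is describing is classic DNS cache pollution: the NT4 recursive server took the authority and additional sections of a reply from the rogue server at face value and let them overwrite its cached delegation for com. (and net.), so every later .com lookup was steered to 218.234.22.221 until the next reboot, which lasted only until a customer's lookup hit one of the thirdfloordoorsXX.com servers again (the "about 30 minutes to re-infection" above). The fix is a bailiwick check: only cache records whose owner name is at or below the zone the answering server was actually delegated for. The thread does not name the registry value; the Microsoft-documented switch for NT 4.0 and Windows 2000 DNS is the SecureResponses REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (set to 1; Microsoft KB 241352, "How to prevent DNS cache pollution"), and the same check is default behaviour in every modern recursive resolver. The toy model below is an added example written for this page, not code from the thread or from Microsoft. It feeds a constructed poisoned reply to a cache with the check off and with it on and shows what each then believes the com. delegation is. The hostname www.thirdfloordoors01.com. and the reply contents are constructed for the example; only the ns1.thirdfloordoorsXX.com names and 218.234.22.221 come from the thread.

```python
"""Toy model of DNS cache pollution via the authority/additional sections,
and the bailiwick check that stops it.  Constructed data; not from the thread."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified, trailing dot
    rtype: str   # "A" or "NS" is all this model needs
    rdata: str


@dataclass
class Response:
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone itself or lies below it; the root "." covers everything."""
    name, zone = name.lower(), zone.lower()
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, secure_responses: bool):
        # False: trust every section of every reply (what the NT4 box was doing).
        # True: drop any record outside the answering server's bailiwick.
        self.secure_responses = secure_responses
        self.rrsets: dict[tuple[str, str], set[str]] = {}

    def ingest(self, resp: Response, bailiwick: str) -> tuple[list[RR], list[RR]]:
        """Cache a reply; returns (accepted, rejected).  A fresh RRset replaces the
        cached one for the same (name, type), which is how a polluted authority
        section can overwrite the NS set for "com."."""
        accepted, rejected = [], []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.secure_responses and not in_bailiwick(rr.name, bailiwick):
                rejected.append(rr)
            else:
                accepted.append(rr)
        fresh: dict[tuple[str, str], set[str]] = {}
        for rr in accepted:
            fresh.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
        self.rrsets.update(fresh)   # RRset replacement, not merge
        return accepted, rejected

    def lookup(self, name: str, rtype: str) -> set[str]:
        return set(self.rrsets.get((name.lower(), rtype), set()))


# Constructed: the rogue server's six nameserver names from the thread, and the
# legitimate .com delegation the cache should hold before it is polluted.
ROGUE_NS = [f"ns1.thirdfloordoors0{i}.com." for i in range(1, 7)]
LEGIT_COM_NS = {"a.gtld-servers.net.", "b.gtld-servers.net."}

# Constructed reply for a hostname inside the rogue server's own zone.  The answer
# is legitimate; the authority section claims "com." is served by the rogue names,
# and the additional section supplies glue pointing them all at 218.234.22.221.
POISONED_REPLY = Response(
    qname="www.thirdfloordoors01.com.",   # hypothetical host
    answer=[RR("www.thirdfloordoors01.com.", "A", "218.234.22.221")],
    authority=[RR("com.", "NS", ns) for ns in ROGUE_NS],
    additional=[RR(ns, "A", "218.234.22.221") for ns in ROGUE_NS],
)


def com_delegation_after_reply(secure_responses: bool) -> set[str]:
    """Seed a cache with the real com. delegation (learned from the root, bailiwick "."),
    feed it the poisoned reply from the server delegated thirdfloordoors01.com., and
    return what the cache now believes the NS set for "com." is."""
    cache = ResolverCache(secure_responses)
    cache.ingest(Response(qname="com.",
                          authority=[RR("com.", "NS", ns) for ns in LEGIT_COM_NS]),
                 bailiwick=".")
    cache.ingest(POISONED_REPLY, bailiwick="thirdfloordoors01.com.")
    return cache.lookup("com.", "NS")


def rejected_names(secure_responses: bool) -> list[str]:
    """Owner names the bailiwick check refused from the poisoned reply (empty when off)."""
    cache = ResolverCache(secure_responses)
    _, rejected = cache.ingest(POISONED_REPLY, bailiwick="thirdfloordoors01.com.")
    return sorted({rr.name for rr in rejected})


if __name__ == "__main__":
    for mode in (False, True):
        print(f"secure_responses={mode}: com. NS = {sorted(com_delegation_after_reply(mode))}")
        print(f"  rejected: {rejected_names(mode)}")
```

With the check off, one reply for one hostname replaces the entire com. delegation, which matches the "almost instantaneously" and "thousands of entries" observations above: the server did not need thousands of bogus records, only one polluted NS set that every subsequent .com lookup then followed. With the check on, the glue for ns1.thirdfloordoors01.com. is still accepted (it is in the zone that server was asked about), while the com. NS records and the glue for ns1.thirdfloordoors02.com. through 06 are refused.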

