NT4 DNS Name Server is receiving bogus DNS cache root servers!

Hello Experts.. hope you can help.

This is not a simple one.
We have a company next door.. our ISP and they are an ISP for many customers.
Their main DNS server recently (since Sunday) has been receiving bogus cache entries for the .com and .net domains.
The main root servers for these cached zones are being entered into the name server wrong.. or rather replaced and the IP's of the sites are replaced.
The entries for the root-servers are ns1.thirdfloordoorsXX.com  where the XX changes from 01 to 06

So what happens is you type in msn.com and you get this site 218.234.22.221 because all the .com sites' IPs have been replaced with IPs that point to it.
All of his customers are having this happen.
We found the only reference to this (thirdfloordoors.com) is some guy in England.

We do not have any idea how this is happening.
Virus and Spyware have been checked and double checked.
Windows updates are current.

Right now the ISP has taken down the main DNS and is running the secondary.
We are waiting to see if it gets infected like the first.
NS1.PTINETWORKS.NET
NS2.PTINETWORKS.NET

Please help ASAP!
kenmartenzAsked:

trymelatrCommented:
Could it be someone hacking in and changing them manually?  If you have auditing capabilities on the boxes...turn it on and see who/what logs in.

It might be good measure to reset all passwords, and disable unused accounts.  If you have checked for viruses and spyware...then intrusion is a viable possibility.  Also...internal tampering.  Disgruntled employees....I've seen it...it happens a lot.
0
kenmartenzAuthor Commented:
Note: the IP address will not work for me..  use http://ns1.thirdfloordoors01.com to see the site
0
kenmartenzAuthor Commented:
I don't think the manual thing is possible.. just the sheer quantity would take too much time.. (keep in mind he is an ISP so he's got like thousands of entries in cache in like 10 minutes).
Also it happens almost instantaneously.


Also he is doing DNS himself. But if he goes through his backbone provider's DNS.. there is no problem... so we are pretty sure it is a problem with the box...  we think.
0

kenmartenzAuthor Commented:
So far DNS server 2 has not been infected/taken over.
0
kenmartenzAuthor Commented:
Uhm.. also his employees are not doing this.. as there are only 3 of them, 2 having the know-how.. and they are not doing it.
Also he is running a Unix DNS server..   not affected by this.
0
kenmartenzAuthor Commented:
Okay DNS box two just got infected / taken over now..  so it's not the box.. or at least both are infected with it.
0
trymelatrCommented:
I am sure a script could be written to change the settings.  What type of boxes are they?  Do they have the latest security updates?
0
kenmartenzAuthor Commented:
They are Windows NT4 servers..   all service packs and all Windows updates are installed.
0
trymelatrCommented:
Are there any entries in the event log that stand out?  Has he turned on Auditing for security events? You can check what services or programs are running too. Maybe someone got a script to run.

Is the original one offline totally?
0
kenmartenzAuthor Commented:
At my last post the servers were restarted..  they are now infected..
So about 30mins to re-infection.
This happens repeatedly.
0
kenmartenzAuthor Commented:
Well NT4 does not have a DNS event log..  but the event log is normal otherwise.
It does not look like through audits there is anything out of the norm.

Both nameservers are up today.
0
trymelatrCommented:
Those NS servers are supposedly known for being related to or allowing spammers.  Here is something I found...

http://www.joewein.de/sw/bl-log-2004-11-06.htm
0
zookeepa1Commented:
It's been a moment since I've supported an NT4 DNS server but I seem to recall a secure update.  Meaning you could set the server to accept DNS updates from specific IP addresses only.  Also...based on the text above I'm not sure that the "attack" is happening from a customer or from an external source.  The setting, if I'm not confusing versions, was on the DNS server itself with DNS Manager.

In any regard, could you modify the firewall to deny DNS traffic originating from outside the firewall?
0
kenmartenzAuthor Commented:
Here's what I found out.
They can not modify the firewall because they act as an authoritative DNS for the websites they host.
So blocking outside requests would block their websites that they host.
They are also a hosting provider.

As far as just allowing updates from certain IP's they are looking into it to see if it's do-able.

They are also in the process of building another machine to see if it will not get "infected"
They are also getting a backup Unix server configured to act as DNS server.
0
zookeepa1Commented:
(Stupid Question Alert) Have you confirmed that the NT permissions have not been modified on the DNS server?  And secondly (Another stupid question)...Why not make the DNS table read-only?

-Zoo
0
kenmartenzAuthor Commented:
Well, interesting idea about locking down the table.. but in NT4 isn't it in memory? How do you go about locking it down? I believe 2K and 2k3 have that support... but NT4?

Also what about Cache Poisoning?  I am running into this in my searches.
0
kenmartenzAuthor Commented:
I did find the solution myself finally down the road of Cache poisoning.

There is a way, unless you hack the registry in NT4, that DNS servers on the web can change the authoritative root servers on an NT4 server box. There is a registry setting which will turn off the functionality to allow other DNS servers to update these specific records.

We found that the DNS server ns1.thirdfloordoorsXX.com hosted a number of sites, and upon ANY client connecting through NS1.PTINETWORKS.NET or NS2.PTINETWORKS.NET the authoritative root servers would be rewritten.
Once we found the registry setting, turned it on and rebooted, he was no longer able to get "poisoned".

If anyone needs more information on this just let me know.
0
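What kenmartenz describes is classic DNS cache pollution: a server answers a query for its own zone but pads the authority and additional sections with NS and glue records for com., net. or the root, and a cache that accepts records from outside the responding server's bailiwick swallows them. The example below is added here and is not code from this thread or from Microsoft; it shows the bailiwick check that a "secure responses" setting enforces, run over a constructed reply of the kind described above (hostnames and TEST-NET addresses are made up). On NT4 and Windows 2000 DNS the setting the author refers to is the SecureResponses DWORD under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters (Microsoft KB 241352).

```python
# Bailiwick filtering of a DNS response, the check behind "secure responses"
# style cache-pollution protection. Constructed example, not the page's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name, trailing dot optional
    rtype: str    # "A", "NS", ...
    rdata: str

def _norm(name: str) -> str:
    return name.lower().rstrip(".")  # case-insensitive; "" is the root zone

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it."""
    n, z = _norm(name), _norm(zone)
    if z == "":
        return True  # a genuine root server may speak for any name
    return n == z or n.endswith("." + z)

def filter_response(bailiwick: str, records: list) -> tuple:
    """Split a response into records a cache may keep and records it must
    drop; `bailiwick` is the zone the resolver delegated this query to."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped

def cached_ns(bailiwick: str, records: list, zone: str, secure: bool) -> list:
    """NS names the cache would hold for `zone` after this response, with the
    bailiwick check (secure=True) or without it (secure=False)."""
    accepted = filter_response(bailiwick, records)[0] if secure else records
    return [r.rdata for r in accepted if r.rtype == "NS" and _norm(r.name) == _norm(zone)]

# Constructed reply from a server the resolver delegated to for
# thirdfloordoors01.com; the com./net. NS lines are the poison (TEST-NET addresses).
POISONED = [
    RR("answer", "www.thirdfloordoors01.com.", "A", "192.0.2.10"),
    RR("authority", "thirdfloordoors01.com.", "NS", "ns1.thirdfloordoors01.com."),
    RR("authority", "com.", "NS", "ns1.thirdfloordoors02.com."),
    RR("authority", "net.", "NS", "ns1.thirdfloordoors03.com."),
    RR("additional", "ns1.thirdfloordoors01.com.", "A", "192.0.2.1"),
    RR("additional", "ns1.thirdfloordoors02.com.", "A", "192.0.2.2"),
    RR("additional", "ns1.thirdfloordoors03.com.", "A", "192.0.2.3"),
]
if __name__ == "__main__":
    for r in filter_response("thirdfloordoors01.com.", POISONED)[1]:
        print("dropped:", r.section, r.name, r.rtype, r.rdata)
```

Without the check the cache ends up believing com. is served by ns1.thirdfloordoors02.com, which is exactly the symptom in the question; with it, only records at or below thirdfloordoors01.com survive.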
Question has a verified solution.