NT4 DNS Name Server is receiving bogus DNS cache root servers!
Posted on 2004-11-09
Hello Experts... hope you can help.
This is not a simple one.
We have a company next door... our ISP, and they are an ISP for many customers.
Their main DNS server recently (since Sunday) has been receiving bogus cache entries for the .com and .net domains.
The main root servers for these cached zones are being entered into the name server wrong... or rather replaced, and the IPs of the sites are replaced.
The entries for the root-servers are ns1.thirdfloordoorsXX.com where the XX changes from 01 to 06
So what happens is you type in msn.com and you get this site, 18.104.22.168, because all the .com sites' IPs have been replaced with IPs that point to it.
All of his customers are having this happen.
We found the only reference to this (thirdfloordoors.com) is some guy in England.
We do not have any idea how this is happening.
Virus and Spyware have been checked and double checked.
Windows updates are current.
Right now the ISP has taken down the main DNS and is running the secondary.
We are waiting to see if it gets infected like the first.
Please help ASAP!
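As an added illustration (not part of the original post or any product the poster uses), the two symptoms described above can be checked mechanically against a resolver's cache contents: NS records for com./net. that point outside the expected operator domain, and one address that answers for many unrelated second-level domains. The sample cache below is constructed; the assumption that .com/.net delegations live under gtld-servers.net and the root under root-servers.net is mine, not stated in the post.

```python
from collections import defaultdict

# Assumption (not from the post): the operator domains a healthy cache should
# show for these zones. Any NS target outside them is suspect.
EXPECTED_NS = {
    ".": "root-servers.net",
    "com.": "gtld-servers.net",
    "net.": "gtld-servers.net",
}

# Constructed sample cache as (owner name, record type, data). The
# thirdfloordoorsNN.com servers and the 18.104.22.168 address are the values
# the post reports; the remaining entries are filler.
SAMPLE_CACHE = [
    (".", "NS", "a.root-servers.net"),
    ("com.", "NS", "ns1.thirdfloordoors01.com"),
    ("com.", "NS", "ns1.thirdfloordoors02.com"),
    ("net.", "NS", "ns1.thirdfloordoors03.com"),
    ("msn.com.", "A", "18.104.22.168"),
    ("example.com.", "A", "18.104.22.168"),
    ("cnn.com.", "A", "18.104.22.168"),
    ("example.net.", "A", "192.0.2.10"),
]

def bogus_delegations(cache):
    """Return (zone, ns) pairs whose NS target is outside the expected domain."""
    bad = []
    for owner, rtype, data in cache:
        suffix = EXPECTED_NS.get(owner)
        if rtype == "NS" and suffix and not data.lower().endswith(suffix):
            bad.append((owner, data))
    return bad

def sink_addresses(cache, threshold=3):
    """Return IPs that answer for at least `threshold` distinct second-level
    domains: the 'every .com site resolves to one host' symptom."""
    domains = defaultdict(set)
    for owner, rtype, data in cache:
        if rtype == "A":
            labels = owner.rstrip(".").split(".")
            domains[data].add(".".join(labels[-2:]))
    return {ip: sorted(d) for ip, d in domains.items() if len(d) >= threshold}

if __name__ == "__main__":
    print("bogus NS:", bogus_delegations(SAMPLE_CACHE))
    print("sink IPs:", sink_addresses(SAMPLE_CACHE))
```

Running either check against a real cache dump only requires converting the dump into the same (owner, type, data) triples.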