
How to find out if nameserver is legit

So I basically hit a website by mistake that had a ton of ActiveX controls, viruses and spyware on it. I spent a good while using various spyware removal tools and my virus scan to remove them. Plus I created a new profile and deleted the corrupt one in Windows XP Pro.

Anyways, I was checking the DNS servers my ISP is handing out to me. Are there any sites on the Internet to find out if the DNS servers you are pointed to are legit? I'm just wondering if my ARP has been poisoned by the viruses or something else is going on. I tried calling my ISP tech support but the help desk is clueless.
3 Solutions
>  I'm just wondering if my arp has been poisoned
arp doesn't matter here 'cause it only handles IPs in the same logical subnet

> ..  if the DNS servers you are pointed to are legit?
if you doubt that your ISP is reliable, change it.
Rich Rumble (Security Samurai) commented:
You can use a program like Ethereal to see if you're getting responses from the servers. As far as legitimacy goes, the helpdesk should know the IPs of their NSs... you can query other NSs if you want. If an NS has port 53 open and is serving DNS, then it's probably OK, but as of late there has been a bunch of NS poisoning about http://isc.sans.org/presentations/dnspoisoning.php and you're also correct to suspect spyware as messing with your responses, as there are many that do. If you're using XP or WinME, turn off System Restore, then use AV and/or AS (anti-spyware) to get rid of them permanently: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
While I wouldn't be surprised to see a virus that changes your name server to something that just serves bogus info, typically, you'll just have your host file populated with a bunch of fun stuff.

To check, browse to C:\WINDOWS\system32\drivers\etc and check each of the host files. Unless you have gone in and edited the host file, you should only have one entry, which should look like localhost

If you see a lot of bogus entries, maybe entries for Symantec, AVG, and other popular antivirus/anti-malware companies, then just delete them.

If you think your name server might be bogus, just do some nslookups against it, and post the results here as a comment, and then have the rest of us compare our responses. If 3 people get the same response you get, then there is a good chance that your NS is fine.

To do a lookup against your name server, go to a command prompt, type nslookup, and then type www.symantec.com, then post the results. Do this for a few different domains that would most likely be targeted.

Is there any thing you're seeing that makes you think you may still be infected?
Ron Malmstead (Information Services Manager) commented:

Run a speed test... It will show you your ISP, and you can compare your speed to other users on the same ISP... additionally it will provide information about the Primary and Secondary DNS servers for your C-lec.

It won't be on the first page, but if you poke around a little it's in there.....

Or you could just call your ISP and ask them....it's not top secret.