• Status: Solved

DNS Attempting to contact iana.org

I am running a Windows Server 2003 native domain.  All of my domain controllers are Windows Server 2003 Enterprise R2 x32 with all the latest security updates installed.

I noticed in my Sidewinder firewall reports that one of my domain controllers is consistently attempting to go out to the following IP addresses. The Sidewinder only allows DNS out to the internet from two of my other domain controllers. I have changed the forwarders on all the other DNS servers to point to these two servers and have allowed traffic out on the Sidewinder from these two servers.
 
The Sidewinder blocks DNS requests to port 53 from one server 24/7 for the following destination IP addresses:

Destination       Port   Count   %Count
192.175.48.42     53     2140    21.2872%
192.175.48.6      53     2140    21.2872%
192.175.48.1      53     1283    12.7624%
 
All three of these addresses are from iana.org, as you can see from the following links.
 
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.42
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.6
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.1

Any ideas what I should do to prevent this? I have looked around and have found that it may be linked to a reverse lookup zone that is set up incorrectly.

Thanks!
Asked by: engstromr

1 Solution
 
jar3817 commented:
Those three servers handle DNS-related requests for non-routable IPs (10.0.0.0/8, 192.168.0.0/16, etc.). It looks like you need to set up reverse zones (.in-addr.arpa) for your private address space. That way, when your workstations try to register themselves in DNS, the requests go to your DCs rather than getting forwarded to IANA's blackhole servers over the internet.

http://support.microsoft.com/kb/259922 
(prisoner.iana.org maps to 192.175.48.1)
 
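As an added example (not code from the thread or from Microsoft), a small Python script that derives the in-addr.arpa zones each DHCP scope needs, reports which ones the DNS server lacks, and flags firewall-report destinations that fall in IANA's blackhole block. The scope and zone lists are constructed inputs; a real check would feed it the server's actual scopes and zone list.

```python
import ipaddress

# Constructed example inputs (not from the thread): the DHCP scopes a DC
# serves and the reverse zones currently present on that DNS server.
SCOPES = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "192.168.200.0/22"]
CONFIGURED_ZONES = ["1.10.10.in-addr.arpa", "2.10.10.in-addr.arpa"]

# prisoner.iana.org, blackhole-1.iana.org and blackhole-2.iana.org live in this
# block; reverse queries for private space only reach them when no local
# in-addr.arpa zone answers first.
IANA_BLACKHOLE_NET = ipaddress.ip_network("192.175.48.0/24")


def reverse_zones_for(cidr):
    """in-addr.arpa zones that must exist for hosts in a scope to register PTRs.

    An octet-aligned prefix (/8, /16, /24) maps to one zone. A shorter prefix is
    expanded to the aligned zones it spans (a /22 -> four /24 zones); a longer
    one (e.g. /26) maps to its enclosing /24 zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    depth = min(24, -(-net.prefixlen // 8) * 8)          # round up to 8/16/24
    if net.prefixlen > depth:
        pieces = [net.supernet(new_prefix=depth)]
    else:
        pieces = list(net.subnets(new_prefix=depth))
    zones = []
    for n in pieces:
        octets = str(n.network_address).split(".")[: depth // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def is_covered(zone, configured):
    """True if the zone itself or a parent zone (e.g. 10.in-addr.arpa) exists."""
    labels = zone.lower().split(".")
    while len(labels) > 2:                               # stop at in-addr.arpa
        if ".".join(labels) in configured:
            return True
        labels = labels[1:]
    return False


def missing_reverse_zones(scopes, configured_zones):
    """Map each scope to the reverse zones it needs that the server lacks."""
    have = {z.lower().rstrip(".") for z in configured_zones}
    missing = {}
    for scope in scopes:
        gaps = [z for z in reverse_zones_for(scope) if not is_covered(z, have)]
        if gaps:
            missing[scope] = gaps
    return missing


def is_iana_blackhole(dst_ip):
    """Flag a firewall-report destination as one of IANA's blackhole servers."""
    return ipaddress.ip_address(dst_ip) in IANA_BLACKHOLE_NET
```

Any scope that `missing_reverse_zones` reports is one whose PTR registrations will leave the network unless a matching zone is created.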
engstromr (author) commented:
From what I understand, I have reverse zones set up for each of my subnets. Attached is a screen shot. Is there something else that needs to be done? I inherited this network a couple of years back. We never really monitored what was going out until we recently got our Sidewinder. Previously, everything was allowed out, so it is possible something has been misconfigured for quite some time.
[attachment: dns.bmp]
 
engstromr (author) commented:
It looks like I may have missed setting up a couple of reverse lookup zones on my network. I recently added a couple of extra DHCP scopes when I added wireless to my network. I did not have reverse lookup zones added for the new scopes. The attacks have stopped. I will check the reports tomorrow to be sure, but this makes sense.
 
jar3817 commented:
I was just going to ask you if you had added any new scopes when I got to work. Glad it looks like it's figured out.
 
engstromr (author) commented:
The reports did not have this server listed under the attacks. I am also not seeing any attacks when I audit in real time. I can't believe I overlooked this when creating the new scopes! Thanks for the help!
