
DNS records changed without an explanation, causing problems with email

Hi,

Here is a curve ball (at least for me it is). We stopped receiving outside emails yesterday night but did not know about it until this morning. Nor could we access our webmail account or our Plesk sites to put forwards or auto replies etc. We use a hosting service for our emails which uses Linux and qmail on a VPS. I narrowed the problem down to be a DNS issue since nslookup did not return any records. I called their support department who said the same thing. We have had them for at least 7 years and they were (according to what I understood for 7 years) our DNS provider for that domain/email. They claim that the DNS was hosted by someone I had never heard of and asked me to go to the registrar to have them point to our DNS service. Well, the registrar did not host our DNS; some weird company did according to them. That company was owned by the same people that are hosting our email. When I called them back they said that our account was suspended with the DNS provider and they did not know why. They claim their company sold off zones years ago and that even though the IP addresses were registered to them and showed up in ARIN to be theirs, a customer of theirs was using them and selling DNS service to us. I reminded them that we never had DNS service through an outside entity for that server and that maybe they contracted the other company on our behalf or to provide the service as part of our package. The company they gave me no longer exists and the site listed in ARIN forwards to another site. They got tier two involved who with hundreds of records showed that it was a DNS issue which I already knew. The company that it redirects to has a website and under contact us their data center is listed with the exact same address as the email hosting provider! Anyway I contacted them and based on the info I provided in my email they found that the IP address I gave them did not match what they had and they had to rebuild our zone file with that IP address.
No one has been able to explain how we got our DNS to be hosted by an outside company (allegedly), how our account had been suspended (allegedly) and most importantly how a DNS record pointing us to another hotel replaced our DNS records!!! I think I would have better luck asking a random person in the street for help than contacting their support. I know the guy who had been helping was lying about a few things so I did not feel like asking him anything further. But is there any way to see which company changed our DNS records causing email issues? Since they said to contact the registrar and they did not provide us with DNS and when I called they offered it to me I went for it. ARIN shows our records as being updated today but I had not seen any changes before that. Is there any way to call them out on who made changes? Could we have been compromised, but why would the only thing they do be to change where our DNS points to? I have not logged into the server because I don't want the logs to show my entry but only two IP addresses normally appear there, ours and the hosting provider's. Again, I did not want to ask the same "illustrious" person that had me running around calling 3 different companies when it was a change in DNS settings from a provider I had never heard of whose address is the same as the hosting service's. Needless to say, I will be moving everything over to the registrar.

Ahhh any insight or any commands I can throw in Linux to look into this would be helpful as I only know the very basics in Linux.

Thanks
Asked:
kaosmadness
1 Solution
 
AegilCommented:
dig ns domain.com

would give

domain.com  IN NS ns1.dnsprovider.co.uk

This will show who your name servers are with. Your DNS records will be configured at this provider.

host ns.dnsprovider.co.uk   will give an IP:
ns.dnsprovider.co.uk  1.2.3.4

then do whois 1.2.3.4 (where 1.2.3.4 is the IP of the DNS server)

whois dnsprovider.co.uk


The whois information from both these checks should give you information as to where your DNS is being hosted. That company should be able to tell you what happened with your DNS records. If you give me the domain name I can do more checks and tell you where to look. However, if your DNS is being managed by a third party it might be better to transfer it somewhere you have control of all the DNS records and know fully how to manage your account.
 
kaosmadnessAuthor Commented:
Thank you. They led me to that company that no longer exists and redirects to someone else who helped me. But what I wanted to see is what it was before, and when it was changed. Tough question, I know. I might just have to wait until tomorrow to talk to someone whose IQ is bigger than their shoe size at the hosting provider. Do you know anything I can run if I log in to the server as root? Any log that might point out who it was doing DNS lookups with?
 
AegilCommented:
DNS records expire and it's likely the records are gone. I would check with your domain registrar (the one you pay for the domain's renewal) to see if the nameservers have been changed in the last few days. They should have some form of log of that. If that hasn't changed then it's just a case of chasing things up with the 3rd party that it all traces back to.

I would look at moving your DNS to either your server or your domain registrar. Most have DNS management panels where you can replicate all your DNS settings, then move the name servers to them and it will remove the third party completely. Especially if they are unsure what actually happened with your domain and don't know why it went down. I think it's really gonna be a case of hounding them on the phones to find out what actually went wrong, but the best advice is just to do an audit of where everything is managed and move it somewhere central you can control yourself.
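As an added example (not code from this thread or from any of its participants), here is a small Python script that does what Aegil's dig checks above do and also answers the "what was it before, and when did it change" question: it parses `dig +noall +answer` output for the NS, MX and A records, diffs the current answers against a saved JSON snapshot, and overwrites the snapshot with a UTC timestamp so an unannounced delegation or MX change is noticed and recorded on the next run. It assumes the `dig` binary is installed for live lookups; the sample output and the example.com / dnsprovider.example names are constructed, not real.

```python
import json
import os
import subprocess
from datetime import datetime, timezone

def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into {rrtype: sorted unique rdata}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()  # name ttl class type rdata...
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and non-IN classes
        records.setdefault(parts[3], set()).add(" ".join(parts[4:]).rstrip(".").lower())
    return {k: sorted(v) for k, v in records.items()}

def query(domain, rrtypes=("NS", "MX", "A")):
    """Live lookup of the delegation, mail and web records (needs dig + network)."""
    out = [subprocess.run(["dig", "+noall", "+answer", domain, t],
                          capture_output=True, text=True, check=True).stdout
           for t in rrtypes]
    return parse_dig_answer("".join(out))

def diff_records(old, new):
    """Return {rrtype: (added, removed)} for every type whose answers changed."""
    changes = {}
    for rrtype in sorted(set(old) | set(new)):
        before, after = set(old.get(rrtype, [])), set(new.get(rrtype, []))
        if before != after:
            changes[rrtype] = (sorted(after - before), sorted(before - after))
    return changes

def check(state_file, current):
    """Diff against the saved snapshot, then overwrite it with a UTC timestamp."""
    previous = json.load(open(state_file))["records"] if os.path.exists(state_file) else {}
    with open(state_file, "w") as fh:  # keeps a dated record of what the zone looked like
        json.dump({"checked": datetime.now(timezone.utc).isoformat(),
                   "records": current}, fh, indent=2, sort_keys=True)
    return diff_records(previous, current)

# Constructed sample dig output (not real): the delegation moved to an unknown
# provider and the MX record vanished, which is exactly what stops inbound mail.
SAMPLE_BEFORE = """\
example.com.  3600  IN  NS  ns1.dnsprovider.example.
example.com.  3600  IN  NS  ns2.dnsprovider.example.
example.com.  300   IN  MX  10 mail.example.com.
example.com.  300   IN  A   192.0.2.10
"""
SAMPLE_AFTER = "example.com. 3600 IN NS ns1.unknown-host.example.\nexample.com. 300 IN A 192.0.2.10\n"
```

Run it from cron as `check("dns_snapshot.json", query("yourdomain.example"))` and alert on a non-empty result; the snapshot file is the "before" picture that nobody could produce in this thread.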
 
kaosmadnessAuthor Commented:
Thank you. I am way ahead of you on that one. Again their support was awful to say the least and it went from "it's a registrar problem, call them", to "it's a DNS issue, call your provider", to "we just talked to them and your account is suspended and we don't know why", to "yeah we sold off that IP address to customers that provided you with DNS but apparently no longer do, due to the fact that there was a misconfiguration on our zone file". The only other possible thought that crosses my mind is that when I google the IP address that they had (in error I think) it seems to pull up records of our corporate company. Let's say we are COMPANYlosangeles.com because we are a franchise of the COMPANY. We have our website as COMPANYlosangeles.com and we don't use our site since their franchise rules are really hard to keep up with unless you have a dedicated webmaster, so our website's URL redirects to COMPANY.com/losangeles (btw I don't work in LA, that's a per se). So google keeps on matching that IP they had which did not work to COMPANY.com but also to us, actually mainly to us, so maybe they had the right address but COMPANY.com made some change??? But if the site it was redirecting to was bad, it would be just that and would not affect our email unless they did something else.... IDK.
 
AlanConsultantCommented:
Hi,

I would just pull your DNS hosting and put it with someone you know / trust.

I personally like to keep my domain registration and DNS together, but never have anything else with them (web hosting, email hosting etc are always with someone else).

Once you have the DNS hosting wherever you move it to, you can setup whatever records you need.

Changing hosts takes me about 20 mins usually. Setting up records could be 10 mins or much longer depending on what you need, but within an hour or so you should be up and running on your new host. All you have to do then is wait for propagation to take place - normally 12 hours max for 'local' propagation and up to 48 hours globally.

HTH,

Alan.
 
ee_reachCommented:
You definitely want to get your DNS under your own management.  One of my clients had a similar problem.  It was a nightmare.  And no one would own up to the problem - or take responsibility for getting it sorted out - let alone any history of how they had gotten there.

Eventually he got frustrated and moved his hosting to my company, where I personally could control any/all DNS changes associated with his account.

Not sure where you are located, but I am in Southern California.  Give me a shout if you need any help.  You can reach me through the Profile->Hire Me->Contact Me links.

Kind regards,

ee_reach
 
kaosmadnessAuthor Commented:
Thanks for the advice! But there is no way for me to get any records from any source on how this happened? Or when, so I can hint that maybe the COMPANY made a mistake? It appears that they are changing our website globally to a new brand standard and most of their addresses are managed by them, so maybe they thought we were too and updated us by accident. Our website is supposed to redirect to the website they created and they at some point wanted to have us give them our domain, but we know it would be very valuable so we declined and agreed to simply redirect traffic rather than give them our domain. I would love to prove them to be wrong. What log in our server would you guys be looking at? I know our server does not have the DNS records but maybe there was a record of what they were before or what IPs it accessed to do resolutions???

Thanks again!
 
ee_reachCommented:
Here's a thread about historical data.  
http://www.webhostingtalk.com/showthread.php?t=496345

Granted, the thread is five yrs old, but whois.sc still exists, so maybe you will be able to get what you need from them as described in the previous thread.
http://www.whois.sc

 
kaosmadnessAuthor Commented:
Thank you kindly, Any digital forensic tips on the server side???
 
AegilCommented:
What is it you are trying to find on the server?

I thought the dns was always elsewhere in which case you wouldn't find anything on the server you have access to yourself?

 
kaosmadnessAuthor Commented:
Thanks everyone!!