> Hi I was wondering if anyone can help me out with an odd dns problem I'm
> having. For some reason our DNS appears to be getting corrupted and
> random sites resolve to the following ip address: 212.69.172.16 which is
> a webpage that says just the following text:
...
> Our DNS servers are running win2k DNS. Upon looking at the event viewer
> I'm getting a lot of messages saying "event id: 5504, The DNS server
> encountered an invalid domain name in a packet from x.x.x.x. The packet
> is rejected." It seems as though I'm being attacked and someone may be
> messing with my DNS cache. How, I don't know. These messages are
> coming from the following ip addresses:
...
> Clearing the DNS cache solves the problem, but it started to creep back
> in, so I've blocked all traffic from those ip addresses to see if that
> stops it from happening again.

Back in August of 2001 there was a bug discovered in several Microsoft DNS
servers (NT/2000 IIRC) that allowed the root zones to be overwritten. I.e. a
malicious DNS server out there could convince you to query it for all
responses instead of the official root servers. All it takes is for your
machine to send a DNS query to a malicious server and it to respond back
with bogus glue records along with the legitimate reply.

There could be many ways in which this poisoning could occur. Someone could
visit a URL, an img tag could be in email, a reverse/forward lookup might be
triggered by paranoid services, undeliverable spam could be bounced back to
the original address requiring a quick MX lookup at the malicious domain,
etc.

See http://www.cert.org/incident_notes/IN-2001-11.html for some pointers to
a solution.

A while back I set up a domain to be able to test this problem: go-u.nu. I
used .nu because it's not in nearly so much use as .com and friends, because
the dns server in question does not serve any .nu names, and because I
don't intend to use the domain any time soon so it shouldn't be referenced
anywhere.
Well, now it is I guess. If you want to test your DNS servers, try the
following:

  $ host www.go-u.nu
  www.go-u.nu A 127.0.0.1

  $ host www.nunames.nu
  www.nunames.nu A 64.55.105.17

If you see results like the above, you're ok. If you get 127.0.0.1 for all
your subsequent .nu lookups (example.nu, register.nu, etc) then you have a
broken Microsoft DNS server somewhere in your resolv path.

If you're interested in how trivial the returned packets look:

  $ dig www.go-u.nu
  ....
  ;; ANSWER SECTION:
  www.go-u.nu.    1H IN A     127.0.0.1

  ;; AUTHORITY SECTION:
  nu.             3D IN NS    dns1.hackinglinuxexposed.com
  nu.             3D IN NS    dns2.hackinglinuxexposed.com

Those nu. NS records should not be honored by the requesting machine, but
the buggy MS DNS versions happily slap them in the cache. I think in order
to turn this 'feature' off, you need to click some button that says "Don't
allow folks to poison my cache" somewhere in the DNS config. Why that isn't
the default I couldn't tell you. The CERT note will give you pointers.

If you're interested in the code I used to create the 'bogus' server, it was
actually standard djbdns with a simple wildcard line. Trivial, and not worth
mentioning here.

Naturally, I take no responsibility for anyone who loses connectivity due
to poisoning their cache with the go-u.nu domain. Test it if you will, but
fix your DNS servers.

The person who has affected you negatively probably isn't trying to cause
you harm, they are probably just sending out these responses because they
configured their DNS server wrong. However it's the fault of the MS DNS
servers for honoring the bogus records.

--
Brian Hatch                    "Holograms do not lie, Danny-boy."
 Systems and
 Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
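As an added example (not part of Brian's post or anything in the original thread), here is a small Python model of the bailiwick check that the buggy servers skipped. It builds a constructed packet shaped like the dig output above (same owner names, types and TTLs, using name compression pointers as a real server would), parses it, and keeps only records whose owner name is at or below the zone the query was sent for (go-u.nu), discarding the nu. NS records. The packet bytes, the zone passed as the bailiwick and all function names are assumptions for the demo, not a capture from go-u.nu.

```python
"""Bailiwick filtering of a DNS response (added example, not from the post).

An authoritative server for go-u.nu may answer for go-u.nu and below; it has
no business telling a resolver who serves the whole "nu." zone.
"""
import struct

A, NS, CNAME = 1, 2, 5  # RR type codes used below


def encode_name(name: str) -> bytes:
    """Dotted name -> wire-format labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Read a name at offset, following compression pointers (RFC 1035 4.1.4).

    Returns (dotted name with trailing dot, offset just past the name as it
    appeared at the original position).
    """
    labels, end, jumped, seen = [], None, False, set()
    while True:
        if offset in seen:                     # pointer loop: malformed packet
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = packet[offset]
        if length & 0xC0 == 0xC0:              # two-byte pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower() + ".", end


def parse_rr(packet: bytes, offset: int):
    """Parse one resource record; rdata is decoded for A, NS and CNAME only."""
    name, offset = decode_name(packet, offset)
    rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
    offset += 10
    if rtype == A and rdlength == 4:
        rdata = ".".join(str(b) for b in packet[offset:offset + 4])
    elif rtype in (NS, CNAME):
        rdata, _ = decode_name(packet, offset)
    else:
        rdata = packet[offset:offset + rdlength].hex()
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, offset + rdlength


def parse_response(packet: bytes):
    """Return (questions, {section: [rr, ...]}) for answer/authority/additional."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        qname, offset = decode_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    sections = {}
    for section, count in (("answer", ancount), ("authority", nscount), ("additional", arcount)):
        rrs = []
        for _ in range(count):
            rr, offset = parse_rr(packet, offset)
            rrs.append(rr)
        sections[section] = rrs
    return questions, sections


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (the root zone covers everything)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


def filter_response(packet: bytes, bailiwick: str):
    """Split a response into records a cache may keep and records it must drop."""
    _, sections = parse_response(packet)
    accepted, rejected = [], []
    for section, rrs in sections.items():
        for rr in rrs:
            (accepted if in_bailiwick(rr["name"], bailiwick) else rejected).append((section, rr))
    return accepted, rejected


def build_poisoning_response() -> bytes:
    """Constructed packet shaped like the dig output in the post (not a capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 2, 0)  # QR|AA, 1 q, 1 an, 2 ns
    msg = header + encode_name("www.go-u.nu") + struct.pack("!HH", A, 1)
    # Answer: www.go-u.nu. 1H IN A 127.0.0.1, owner name compressed to the QNAME at 12.
    msg += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 3600, 4) + bytes([127, 0, 0, 1])
    # Authority owner "nu.": pointer to the "nu" label inside the QNAME (offset 21).
    nu_ptr = struct.pack("!H", 0xC000 | (12 + len(encode_name("www.go-u")) - 1))
    ns1 = encode_name("dns1.hackinglinuxexposed.com")
    msg += nu_ptr + struct.pack("!HHIH", NS, 1, 259200, len(ns1))
    suffix = len(msg) + 5                      # "hackinglinuxexposed.com" inside ns1
    msg += ns1
    ns2 = b"\x04dns2" + struct.pack("!H", 0xC000 | suffix)
    msg += nu_ptr + struct.pack("!HHIH", NS, 1, 259200, len(ns2)) + ns2
    return msg


if __name__ == "__main__":
    keep, drop = filter_response(build_poisoning_response(), "go-u.nu")
    for section, rr in keep:
        print("cache  ", section, rr)
    for section, rr in drop:
        print("discard", section, rr)
```

Run stand-alone it prints the A record as cacheable and both nu. NS records as discarded. The bailiwick passed in is the zone the resolver was delegated to when it sent the query, which is how a real resolver scopes the check; the same filter applies to glue in the additional section, which is where the bogus records would land on their way into a cache.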
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 08:45:19 PST