Re: prisoner.iana.org

From: kentat_private
Date: Mon Sep 09 2002 - 19:31:58 PDT


    On Mon, Sep 09, 2002 at 03:59:16PM -0500, Carey, Steve T ISD wrote:
    > It is a Microsoft default for a misconfigured desktop on DHCP.  The DNS server
    > information was placed in manually and there the DNS Server is a 'bogus' host.
    > When the DHCP server tries to resolve the DNS Server, it will use
    > prisoner.iana.org instead.
    > 
    > Steve Carey
    
    There's more to the story -- forgive the length of the following 
    message... 
    
    "prisoner.iana.org" is one of the rfc1918 "blackhole" servers -- you
    will also sometimes see entries for "blackhole-1.iana.org" and
    "blackhole-2.iana.org".  They are there because sometimes rfc1918
    addresses leak onto the open internet, and clients that get packets from
    these bogus addresses sometimes do inverse dns lookups on them. 
    prisoner and its buddies are supposed to answer with authoritative
    "nxdomain" replies -- this, in theory, reduces load on the root servers
    (the first query for a nonexistent domain will go to the root servers
    unless there is a known(cached) lower level domain server that can
    answer the query).  The IANA is preparing a FAQ on this topic -- one of 
    these days it should be posted on the IANA web site.  I prepared a faq 
    specific to this question, which I have appended below.
    
    
    
    > Hi -
    > 
    > I've started noticing an entry in the event log on one
    > of my Windows XP workstations.  I've tried finding
    > information regarding this on google (have seen others
    > with the problem, but no answers) & have also
    > contacted iana (but have yet to hear anything from
    > them).
    
    The IANA gets a number of queries on this subject.
    
    > The box is trying to make DNS requests to
    > 'prisoner.iana.org'. This is what I see in the event
    > log:
    > 
    > =========================
    > Source:  LSASRV
    > Category:  SPNEGO (Negotiator)
    > 
    > The Security System could not establish a secured
    > connection with the server DNS/prisoner.iana.org.  No
    > authentication protocol was available.
    > 
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    > =========================
    > 
    > Ipconfig on the box looks like this:
    > 
    > Windows IP Configuration
    
    [...]
    
    >         IP Address. . . . . . . . . . . . : 192.168.0.204
    >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
    >         Default Gateway . . . . . . . . . : 192.168.0.1
    >         DHCP Server . . . . . . . . . . . : 192.168.0.3
    >         DNS Servers . . . . . . . . . . . : 192.168.0.3
    >         Lease Obtained. . . . . . . . . . : Sunday, September 08, 2002 10:01:05 AM
    >         Lease Expires . . . . . . . . . . : Sunday, September 08, 2002 1:01:05 PM
    > 
    > So far as I know, the LsaSrv process that is
    > generating the error is tied to the protected storage
    > service.  This is the service that stores personal
    > passwords, etc on the windows machine.  Why would this
    > need to query an outside dns server??
    
    Because it's doing an inverse query, trying to find out what dns name 
    goes with the address 192.168.0.204, and your dns servers are not 
    providing an answer.
    
    > Just curious if anyone knows what this is - trojan?
    > spyware? simple microsoft bloat? 
    
    Almost certainly, it's a misconfiguration of your network.
    
    > I've blackholed
    > prisoner.iana.org (via lmhosts) on the local machine &
    > have also blocked it on my firewall until I can figure
    > out what this is.
    
    Here's an old faq I wrote.  Not real great, and somewhat out of date, 
    but hopefully it will help...
    
    
    Q1: What are the blackhole servers?
    
    A1: The "blackhole" Servers, "blackhole-1.iana.org",
    "blackhole-2.iana.org", and sometimes "prisoner.iana.org" are an obscure
    part of the Internet infrastructure.  People are sometimes puzzled or
    alarmed to find unexplained references to them in log files or other
    places.  This FAQ tries to explain what these servers do, and why you
    may be seeing them. 
    
    Specifically, these servers are part of the Domain Name System (DNS),
    and respond to inverse queries to addresses in the reserved RFC 1918
    address ranges:
    
         10.0.0.0        -   10.255.255.255  (10/8 prefix)
         172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
         192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
    
    (see ftp://ftp.isi.edu/in-notes/rfc1918.txt)
    
    These addresses are reserved for use on private intranets, and should
    never appear on the public internet.  The 192.168.0.0 addresses are
    especially common, being frequently used in small office or home
    networking products like routers, gateways, or firewalls.
    
    
    Q2: What are "inverse queries"?
    
    A2: With normal ("forward") queries the domain name system responds with
    an address (eg, "192.0.34.69") when given a name (eg,
    "www.iana.org").  Inverse ("reverse") queries do the reverse -- the
    domain name system returns the name ("www.iana.org") when given the
    address ("192.0.34.69").  While inverse queries are rare from a human
    perspective, some network services automatically do an inverse lookup
    whenever they process a request from a particular IP address, and
    consequently they form a significant part of DNS network traffic. 
    
    Q3: Why do we need the blackhole servers?
    
    A3: Strictly speaking, we don't need the blackhole servers.  However,
    DNS clients will sometimes remember the results from previous queries
    (that is, "good" answers to queries are cached), and the blackhole   
    servers are configured to return answers that DNS clients can cache.
    This allows the clients to rely on their cached answers, instead of
    sending another query, which in turn reduces the overall amount of
    traffic on the Internet.
    
    Since the RFC 1918 addresses should never be used on the public
    Internet, there should be no names in the public DNS that refer to them. 
    Hence, an inverse lookup on one of these addresses should never work. 
    The IANA blackhole servers respond to these inverse queries, and always
    return an answer that says, authoritatively, that "this address does not
    exist".  Because of the caching noted above, this is far better than
    simply not responding at all, so the IANA provides the blackhole servers
    as a public service. 
    
    Q4: How busy are the blackhole servers?
    
    A4: While rates vary, the blackhole servers generally answer thousands
    of queries per second.
    
    In the past couple of years the number of queries to the blackhole   
    servers has increased dramatically.  It is believed that the large  
    majority of those queries occur because of "leakage" from intranets that
    are using the RFC 1918 private addresses.  This can happen if the 
    private intranet is internally using services that automatically do
    reverse queries, and the local DNS resolver needs to go outside the
    intranet to resolve these names.
    
    For well-configured intranets, this shouldn't happen.  Users of private
    address space should have their local DNS configured to provide
    responses to inverse lookups in the private address space.
    
    Q5: But it looks like the blackhole servers are attacking my
    network/host.  Could it be that a hacker has taken over the servers, and
    is attacking other systems?
    
    A5: No system is totally safe from hackers, and the blackhole servers
    are no exception.  However, because of their special function, there are
    a number of reasons why they may appear in your logs or elsewhere that
    have nothing to do with hacking.  DNS configuration, especially in an
    environment where the RFC 1918 addresses are being used, can be tricky.
    Firewall configurations can make things even more complicated.  If, for
    example, your system is configured to allow all outgoing packets, but   
    block most incoming packets, then it may be that your DNS client is in
    fact doing inverse queries to the blackhole servers, but blocking (and
    logging) the returning answers.
    
    It is also true that other activities of hackers can make the blackhole
    servers show up in your logs.  It is possible to construct network
    packets with forged source addresses that are in the RFC 1918 ranges.  A
    hacker, for example, could construct a packet that appeared to come from
    192.168.35.35.  Sometimes there are large scale denial of service
    attacks that use a flood of such "spoofed" packets.  The result might be
    a large number of queries coming to the blackhole servers, which may
    themselves be overloaded with query traffic.  Under conditions of heavy
    load, the servers may drop packets, and not respond correctly to some
    queries.  This may cause odd messages to appear in the error logs of 
    either the attacking or the attacked host.  (In large scale "distributed
    denial of service" attacks, many systems are taken over by hackers, and
    these systems are used to attack some victim.  The owners of the
    attacking systems may not even be aware that they have been taken over 
    by a hacker.)
    
    Q6: OK, maybe you aren't attacking me.  What can I do about the
    messages in my logs?
    
    A6: The best way to solve this problem is to set up DNS on your local
    network.  Unfortunately, this can be complicated, and may not in
    practice be possible.  If you are using operating systems from
    Microsoft, you might want to look at
    <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259922>.
    (Please note that the blackhole servers used to be located at isi.edu).
    
    Q7: Is there anything more than just logs at issue?
    
    A7: Possibly.  But you should make every effort to fix the problem from
    your end, because episodes of overload to the blackhole servers are becoming
    more common, and that can have more serious consequences.  See, for example,
    <http://www.shmoo.com/mail/fw1/apr99/msg00946.html>.
    
    [Thanks to Ed Bennet for input on the above two questions.]
    
    -- 
    Kent Crispin, Technical Systems Manager, ICANN
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
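As an added example (not part of the original thread or of Kent's FAQ), the following Python check exercises the situation A4 and A6 describe: it builds a reverse (PTR) query for a private address, parses the resolver's reply, and reports whether the local resolver answered the lookup itself or forwarded it out to IANA's blackhole zone, which shows up as an authority record (SOA/NS) pointing at iana.org. The resolver address, the `lookup()` helper and the sample reply are assumptions constructed for illustration; only `lookup()` touches the network.

```python
import ipaddress
import socket
import struct

def encode_name(name):
    # '204.0.168.192.in-addr.arpa' -> DNS wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_ptr_query(ip, txid=0x1234):
    """Standard query, RD set, one question: <reverse name> PTR IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = encode_name(ipaddress.ip_address(ip).reverse_pointer)
    return header + qname + struct.pack(">HH", 12, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # pointer to a name earlier in the message
            target = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, target)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_response(msg):
    """Return rcode, AA flag and the names carried in NS/SOA/PTR rdata."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, names = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype in (2, 6, 12):  # NS, SOA, PTR: rdata begins with a domain name
            names.append(read_name(msg, off)[0])
        off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "names": names}

def classify(parsed):
    # 'leaked' when the reply's authority is IANA's blackhole zone, else 'local'
    return "leaked" if any(n.endswith("iana.org") for n in parsed["names"]) else "local"

def lookup(ip, resolver, timeout=2.0):
    # assumed helper: send the query to the resolver on UDP/53 and classify the reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(ip), (resolver, 53))
        return classify(parse_response(s.recv(4096)))
```

Run `lookup("192.168.0.204", "192.168.0.3")` from a host on the private network: a well-configured resolver yields "local" (an authoritative answer or NXDOMAIN from its own reverse zone), while "leaked" means the reverse zone for the private range is missing and the queries are reaching prisoner.iana.org.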
    



    This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 08:53:36 PDT