compromise/poisoning??

Danny Mayer mayer at gis.net
Sat Feb 2 22:37:07 UTC 2002


Look for a forward first and a forwarders statement with the IP address
of his server in it in your named.conf file.

         Danny
At 11:43 PM 2/1/02, Brian Collins wrote:

>I have bind 8.2.3 running on a RedHat 6.1 box.  While I know I should
>upgrade the version soon, I have 'management restrictions' on doing so for
>the next month or so.  Until then, I'm hoping I can find some help for a
>problem that showed up this week.
>
>I got a complaint from the admin of a DNS far away from here, who said he
>was getting flooded with incoming requests from my name server.  Sure
>enough, tcpdump showed dns requests from my dns to his machine almost
>constantly.
>
> From what I've been able to gather through a day of fellowship with
>tcpdump, any time my dns cannot answer a request, it asks this guy's
>machine.  This sounds to me like some sort of poisoning, though my
>understanding is that this isn't exactly what cache poisoning does (I'm
>open to correction, however).  Also, I downloaded and installed dnstracer,
>expecting that it might tell me that my machine was querying this guy's
>box, but it showed that, when he was unable to answer a request, it started
>asking the root servers.
>
>Here is a typical failed request from one of my clients....
>21:19:28.482248 eth0 < some-pc.1112 > my-dns.53: 11+ A? ww.typed-wrong.com.
>(39)
>21:19:33.208979 eth0 > my-dns.53 > some-pc.1112: 11 NXDomain* 0/1/1 (107)
>
>This prompted the following from my dns....
>21:19:33.000061 eth0 > my-dns.1032 > some-other-guy's-dns.53: 63862 A?
>ww.typed-wrong.com. (39)
>
>I've been seeing this go on all day.  It (apparently) gets triggered by any
>failed client request (several hundred customers on a cable-modem net
>reference this dns).  I get the same basic result when Windows machines try
>to use my dns for WINS resolution, trying to resolve stuff like "VALUED OEM
>CUSTOMER".
>
>Obviously, I've obscured real names/IPs above.  I hope I've not muddied the
>waters in doing so.  If I'm just being dumb, tell me.  But I suspect
>something has (maliciously or not) told my dns to go ask this fellow for
>stuff it can't do itself.
>
>Any ideas??
>
>Thanks for your time and help,
>Brian Collins
>Systems Admin
>Newnan Utilities
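An audit for the forward/forwarders statements Danny points at, written as an added example (it is not code from this thread or from BIND). The named.conf fragment below is constructed, the addresses are documentation ranges, and the parser assumes blocks close with `};` at the start of a line.

```python
import re
import ipaddress

# Constructed named.conf fragment (not the poster's real config).
# A global "forwarders" list in options is the setup that makes BIND send
# every query it cannot answer from cache to that address, which matches
# the tcpdump behaviour described in the thread.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forward first;
    forwarders { 192.0.2.10; };
};

zone "." {
    type hint;
    file "named.ca";
};

zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.5; 198.51.100.6; };
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf allows: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def find_forwarding(conf):
    """Return [(scope, policy, [ips])] for every block that names forwarders.

    scope is "options" or the quoted zone name; policy is that block's own
    'forward' statement ("first" is BIND's default when it is absent).
    """
    results = []
    block_re = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
    for m in block_re.finditer(strip_comments(conf)):
        scope = "options" if m.group(1) == "options" else m.group(2)
        body = m.group(3)
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        if not fwd:
            continue  # this block does not forward anywhere
        ips = [t for t in re.findall(r"[0-9a-fA-F:.]+", fwd.group(1)) if _is_ip(t)]
        pol = re.search(r"\bforward\s+(first|only)\s*;", body)
        results.append((scope, pol.group(1) if pol else "first", ips))
    return results
```

Any entry with scope "options" is the one to compare against the remote admin's address; a per-zone entry only affects lookups under that zone.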
