Andres, from our previous conversation, it seems like you've covered all of your bases:

1) Your Windows 2000 Server DNS.exe is already patched and the service restarted.
2) Your DNS option is already set to "secure cache against pollution" and the service restarted.
3) Your DNS is not set to forward queries to an "upstream" server.

If all of these are actually so, then it is surprising that your cache is being poisoned, and repeatedly so. Are you sure that it isn't the result of a typo in your DNS configuration? Or a problem in your testing?
I looked up your DNS servers and tested some queries. What I found was that:

- 200.16.193.5 is currently not poisoned.
- 200.16.193.4 is currently poisoned or misconfigured; any request to *.com.ar returns 64.136.24.165, which is a webserver on which "freeservers.com" can be reached. Surfing by IP address reveals a very generic page, and surfing with a poisoned domain (so that their webservers see the host header for the poisoned domain) gets a different page branded by aboutwebservices.com, which is another name for freeservers.com.

freeservers.com is a cheap hosting provider and does supply free hosting of a website with their banner ads. If this is poisoning, the target web service is gone, so it's odd that the poisoner would keep at it.
Have you checked to make sure that your "Forward lookup zones" on 200.16.193.4 do not contain an entry for "*.com.ar"? I set up a test on my own server and it looks exactly like this is the case on your server!

The TTL for *.com.ar is the same as that for cotel.com.ar (1 hour), which would be logical if *.com.ar were inheriting the settings from the parent; if I were a bad guy I'd probably set a very high TTL in my DNS poisoning, so this also suggests misconfiguration to me.

However, if it is a misconfiguration, then the zone is a regular "Standard Primary" with no secondary configured, because the bad data is not replicated to 200.16.193.5.

The fatal flaw in my diagnosis is that you've said clearing the cache makes the issue go away; is it possible that you're mistaken?
Try this:

- Open a command prompt on 200.16.193.4.
- Clear the OS's DNS cache, i.e. "ipconfig /flushdns".
- Start an nslookup but don't hit enter yet, i.e. "nslookup random3857.com.ar 200.16.193.4".
- Clear the cache from the DNS GUI.
- Go back to the command line and finish the query by hitting enter.

Do you get a response "Address: 64.136.24.165" (this would indicate a misconfiguration) or "Non-existent domain" (this would indicate that the cache was poisoned, but currently is clear)?
If you still have problems with poisoning, I'd suggest that you contact the Handler on Duty via the webform at http://isc.sans.org as they will very likely be able to get you on track and perhaps find out how this is happening and how to block it.
Andrew 8)
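The random-name probe and the TTL comparison described above, written up as an added diagnostic script (not part of Andrew's reply). It classifies a server as clean, wildcard-misconfigured or poisoned using the reply's heuristics; the `resolver` callables, the `Answer` type and the 192.0.2.10 address for cotel.com.ar are constructed stand-ins, since a real run would plug in the output of nslookup or dig against each server.

```python
import random
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Answer:
    address: Optional[str]  # None models "Non-existent domain" (NXDOMAIN)
    ttl: Optional[int]      # seconds, None when there is no record


# A resolver takes a hostname and returns the Answer one server gives for it.
Resolver = Callable[[str], Answer]


def random_label(length: int = 10) -> str:
    """A label that cannot legitimately exist under the parent zone."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def diagnose(resolver: Resolver, parent: str = "com.ar",
             known_host: str = "cotel.com.ar", probes: int = 3) -> str:
    """Classify one server: 'clean', 'wildcard', 'poisoned' or 'inconsistent'."""
    known = resolver(known_host)
    answers = [resolver(f"{random_label()}.{parent}") for _ in range(probes)]
    if all(a.address is None for a in answers):
        return "clean"          # random names under the parent do not resolve
    if any(a.address is None for a in answers) or len({a.address for a in answers}) != 1:
        return "inconsistent"   # mixed results: re-test, the cache may have changed mid-run
    if {a.ttl for a in answers} == {known.ttl}:
        return "wildcard"       # every random name resolves with the zone's own TTL
    return "poisoned"           # resolves, but with a TTL the zone itself does not use


def compare_servers(resolvers: Dict[str, Resolver], **kw) -> Dict[str, str]:
    """Run the same diagnosis against each server, e.g. a primary and its secondary."""
    return {server: diagnose(r, **kw) for server, r in resolvers.items()}


# Constructed sample resolvers standing in for 200.16.193.4 and 200.16.193.5.
def _wildcard_server(name: str) -> Answer:
    if name == "cotel.com.ar":
        return Answer("192.0.2.10", 3600)       # constructed address for the known host
    return Answer("64.136.24.165", 3600) if name.endswith(".com.ar") else Answer(None, None)


def _clean_server(name: str) -> Answer:
    return Answer("192.0.2.10", 3600) if name == "cotel.com.ar" else Answer(None, None)


if __name__ == "__main__":
    print(compare_servers({"200.16.193.4": _wildcard_server, "200.16.193.5": _clean_server}))
```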
