Security Incidents mailing list archives

Re: Strange DNS stuff


From: Brian Hatch <incidents () ifokr org>
Date: Wed, 27 Feb 2002 23:45:58 -0800



Hi I was wondering if anyone can help me out with an odd dns problem I'm
having.  For some reason our DNS appears to be getting corrupted and
random sites resolve to the following ip address: 212.69.172.16 which is
a webpage that says just the following text:

...

Our DNS servers are running win2k DNS.  Upon looking at the event viewer
I'm getting a lot of messages saying "event id: 5504, The DNS server
encountered an invalid domain name in a packet from x.x.x.x. The packet
is rejected."  It seems as though I'm being attacked and someone may be
messing with my DNS cache.  How, I don't know.  These messages are
coming from the following ip addresses:

...

Clearing the DNS cache solves the problem, but it started to creep back
in, so I've blocked all traffic from those ip addresses to see if that
stops it from happening again.

Back in August of 2001 there was a bug discovered in several
Microsoft DNS servers (NT/2000 IIRC) that allowed the root
zones to be overwritten.  I.e. a malicious DNS server
out there could convince you to query it for all responses
instead of the official root servers.  All it takes is for
your machine to send a DNS query to a malicious server and
it to respond back with bogus glue records along with the
legitimate reply.

There could be many ways in which this poisoning could occur.
Someone could visit a URL, an img tag could be in email,
a reverse/forward lookup might be triggered by paranoid
services, undeliverable spam could be bounced back to the
original address requiring a quick MX lookup at the malicious
domain, etc.

See http://www.cert.org/incident_notes/IN-2001-11.html for
some pointers to a solution.



A while back I set up a domain to be able to test this
problem: go-u.nu.  I used .nu because it's not in
nearly so much use as .com and friends, because the
dns server in question does not serve any .nu names,
and because I don't intend to use the domain any time
soon so it shouldn't be referenced anywhere.  Well,
now it is I guess.

If you want to test your DNS servers, try the following:

        $ host www.go-u.nu
        www.go-u.nu             A       127.0.0.1
        $ host www.nunames.nu
        www.nunames.nu          A       64.55.105.17

If you see results like the above, you're ok.  If
you get 127.0.0.1 for all your subsequent .nu lookups
(example.nu, register.nu, etc) then you have a broken
Microsoft DNS server somewhere in your resolv path.

If you're interested how trivial the returned packets
look:


        $ dig www.go-u.nu

        ....

        ;; ANSWER SECTION:
        www.go-u.nu.            1H IN A    127.0.0.1

        ;; AUTHORITY SECTION:
        nu.                     3D IN NS   dns1.hackinglinuxexposed.com
        nu.                     3D IN NS   dns2.hackinglinuxexposed.com

Those nu. NS records should not be honored by the requesting
machine, but the buggy MS DNS versions happily slap them in the
cache.  I think in order to turn this 'feature' off, you need to
click some button that says "Don't allow folks to poison
my cache" somewhere in the DNS config.  Why that isn't the
default I couldn't tell you.  The CERT note will give you
pointers.

If you're interested in the code I used to create the
'bogus' server, it was actually standard djbdns with
a simple wildcard line.  Trivial, and not worth
mentioning here.

Naturally, I take no responsibility for anyone who loses
connectivity due to poisoning their cache with the go-u.nu
domain.  Test it if you will, but fix your DNS servers.


The person who has affected you negatively probably isn't
trying to cause you harm, they are probably just sending
out these responses because they configured their DNS
server wrong.  However it's the fault of the MS DNS servers
for honoring the bogus records.


--
Brian Hatch                  "Holograms do not lie, Danny-boy."
   Systems and
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
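The check a correct resolver applies to the dig output above, as an added example that is not part of the original post or of any MS DNS or djbdns code: records from the server authoritative for go-u.nu are cached only if their owner name lies at or below go-u.nu, so the `nu.` NS records pointing at hackinglinuxexposed.com are discarded. The `RR` class, the zone names and the sample response are constructed here to mirror the posted dig output.

```python
# Added example: a bailiwick filter of the kind a correct resolver applies
# before caching records from a response. Not the original post's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "nu."
    rtype: str   # "A", "NS", ...
    rdata: str


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or lies below it (www.go-u.nu under go-u.nu).
    An empty zone ("" or ".") is the root, whose bailiwick covers every name."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response from the server authoritative for `zone` into
    records that may be cached and records to discard as out of bailiwick."""
    keep = [rr for rr in records if in_bailiwick(rr.name, zone)]
    drop = [rr for rr in records if not in_bailiwick(rr.name, zone)]
    return keep, drop


# Constructed response from the go-u.nu server, modelled on the dig output
# in the post: a legitimate answer plus authority records for the parent zone.
POISONED_RESPONSE = [
    RR("www.go-u.nu.", "A", "127.0.0.1"),
    RR("nu.", "NS", "dns1.hackinglinuxexposed.com."),
    RR("nu.", "NS", "dns2.hackinglinuxexposed.com."),
]

if __name__ == "__main__":
    keep, drop = filter_response("go-u.nu", POISONED_RESPONSE)
    for rr in keep:
        print("cache :", rr)
    for rr in drop:
        print("reject:", rr)
```

A server that skips this filter does exactly what the post describes: it caches the `nu.` NS records and sends every later .nu lookup to the wrong nameservers.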
