Security Incidents mailing list archives
RE: strange DNS behavior over the last 2 days
From: "Levinson, Karl" <LevinsonK () STARS-SMI com>
Date: Fri, 28 Mar 2003 16:00:29 -0500
Two thoughts: when I see different results from NSLOOKUP and PING, I think about checking other sources of name resolution, such as WINS or NetBIOS name broadcast requests [and looking at the local machine name cache using NBTSTAT -c and IPCONFIG /FLUSHDNS on Windows 2000 to display, NBTSTAT -R and IPCONFIG /FLUSHDNS to flush the local caches]. If the problem is due to NetBIOS names, you might consider confirming your firewall blocks NetBIOS both to and from the internet.

Also, you might read the article at www.cert.org concerning DNS cache poisoning [Microsoft naturally had to rename it to "pollution"] and see if that might apply to your situation. If this was the case, flushing the name caches on both the local host and the server [for example by restarting the DNS service] would probably make the problem go away immediately [though temporarily].

Whether or not this is the problem here, IMHO you really should consider enabling the setting to prevent cache poisoning on probably any Microsoft DNS server as described here: http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

-----Original Message-----
From: steve baker [mailto:stephenbbaker () hotmail com]
Sent: Thursday, March 27, 2003 1:07 PM
To: incidents () securityfocus com
Subject: strange DNS behavior over the last 2 days

For some odd reason, periodically our clients will visit a site, only to have a blank page appear as if the site loaded. Nslookup resolves the correct IP address, but ping returns 64.251.66.2 for every address that has this problem. There are NO hosts files on these machines and regardless of which DNS server we point them to, the same problem occurs. The problem occurs intermittently as well, which makes it even harder to pin down. Some sites previously affected will be accessible and new sites not affected suddenly have the same problem - but they eventually clear up in just about 10 minutes. Very strange.

Has anyone heard or seen this before on a network running Windows NT 4 DNS server with NT/2000 clients?
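The NSLOOKUP-versus-PING comparison discussed in this message, as an added example that is not part of the original post: it parses saved output of both commands from one client and reports names where ping used an address the DNS answer did not contain, plus any such address that recurs across names. It assumes the usual Windows text layout of both tools; the sample outputs, host names and documentation addresses are constructed, and only 64.251.66.2 comes from the original report.

```python
import re
from collections import Counter

ADDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PING_RE = re.compile(r"^Pinging\s+(\S+)\s+\[([0-9.]+)\]", re.M)

def nslookup_answers(output):
    """Addresses after the 'Name:' line; the DNS server's own address,
    which nslookup prints before it, is ignored."""
    _, found, answer = output.partition("Name:")
    return set(ADDR_RE.findall(answer)) if found else set()

def ping_target(output):
    """(name, address) the OS resolver picked, or None if ping never resolved."""
    m = PING_RE.search(output)
    return (m.group(1).lower(), m.group(2)) if m else None

def compare(samples):
    """samples: (nslookup_output, ping_output) pairs captured on one client.
    Returns (mismatches, shared addresses seen for more than one name)."""
    mismatches = {}
    for ns_out, ping_out in samples:
        target = ping_target(ping_out)
        dns = nslookup_answers(ns_out)
        if target and dns and target[1] not in dns:
            mismatches[target[0]] = (target[1], sorted(dns))
    counts = Counter(addr for addr, _ in mismatches.values())
    return mismatches, sorted(a for a, n in counts.items() if n > 1)

# Helpers that build constructed text in the layout the Windows tools print
# (assumption); real use would read captured command output instead.
def _ns(name, answer):
    return ("Server:  ns1.corp.example\nAddress:  10.0.0.53\n\n"
            f"Non-authoritative answer:\nName:    {name}\n{answer}\n")

def _ping(name, addr):
    return f"\nPinging {name} [{addr}] with 32 bytes of data:\n"

# Constructed samples: (name, nslookup answer line, address ping used).
SAMPLES = [(_ns(n, a), _ping(n, p)) for n, a, p in [
    ("www.example.com", "Address:  192.0.2.10", "64.251.66.2"),
    ("www.example.org", "Addresses:  198.51.100.7, 198.51.100.8", "64.251.66.2"),
    ("www.example.net", "Address:  203.0.113.5", "203.0.113.5"),
]]

if __name__ == "__main__":
    for name, (used, dns) in compare(SAMPLES)[0].items():
        print(f"{name}: ping used {used}, DNS returned {', '.join(dns)}")
```

A single address shared by several mismatching names, as in the report, points toward a local cache entry or a non-DNS name source rather than the zone data itself.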