Is this DNS poisoning? (Windows / Technical)
  1. #16


    Re: Is this DNS poisoning?

    Ok I mistyped that "mapings" comment but basically if I do this:

    > nslookup 128.2.2.142

    Then I get all sorts of stuff in my cache which is *perfectly normal*:

    --forward zone edu.net
    NS ac-ddns2.net.cmu.edu.
    NS ddns-a100.net.cmu.edu.
    NS ac-ddns1.net.cmu.edu.
    A AC-DDNS1 128.2.1.15
    A AC-DDNS2 128.2.1.16
    A DDNS-A100 128.2.1.16
    A t-ns1 128.2.4.14
    A t-ns2-sec 128.237.148.6
    --reverse zone 128.2.2
    NS ac-ddns2.net.cmu.edu.
    NS ddns-a100.net.cmu.edu.
    NS ac-ddns1.net.cmu.edu.
    PTR 142 gruel-2-142.ppp.andrew.cmu.edu.

    The only question is why would something on my network be wanting to look up that IP address.. or alternatively why would it want to look up gruel-2-142.ppp.andrew.cmu.edu?

    Apart from a few more gruels, does your cache have anything significantly different or not? In particular do any of the IP addresses in the cache belong to your network?

    Meanwhile 2.142 should not be the network part of your address (i.e. the first two octets) because whois says 2.0.0.0/8 is reserved. So I think you're saying it's the last two octets that match e.g. x.x.2.142 and that doesn't prove anything.

    What I also don't get is what you mean with "scans" and "clients were reporting their DNS names". It's typically the scanner itself that looks up DNS names to fit IP addresses, so what were you running and where from? Could it be buggy?

    Is there any reason some 128.2.x.x addresses might be floating about on your network? Have you seen any, say with Ethereal? Could a small typo on some machine/device result in that?

    Rootkit Revealer is good.. I'd have run that on all the DCs.. probably followed by Autoruns (with don't display signed MS stuff turned on to reduce the clutter)... and then some AV scanner.. provided everything looked fine I'd then change all the admin passwords. Then I'd scour the event logs for anything unusual concerning DNS & DHCP.

    Then I'd find a hub, connect it between your network and router, then connect a laptop with Ethereal on it to see if anything on my network is trying to talk to 128.2.x.x addresses (obviously then checking any workstations that are).

    NMap isn't so useful in this scenario unless you scan the full 65K+ ports on each machine.

  2. #17


    Re: Is this DNS poisoning?

    OK – we’ve got something similar but with the addition of a number of gruel entries.
    The reason I mentioned DDNS was because ALL records in the cache are ordinary A or NS entries with the exception of those pertaining to CMU. Nevertheless, if it’s normal to have ddns in a cache then all well and good.

    However, in our cache there are reverse lookups and the only PTR records in the cache are the Gruel ones which can number a good 80 or so.
    I can’t see this as being normal.
    If I do nbtstat -a, for example on 128.2.2.9, I get the correct NetBIOS name ‘FTT10’.
    If I ping the same machine with the -a switch I get
    GRUEL-2-9.PPP.andrew.cmu.edu.
    This is despite there being a legitimate A record for the machine in the forward lookup.
    Nslookup 128.2.2.9 returns GRUEL-2-9.PPP.andrew.cmu.edu.

    I am wondering what is the significance of all gruel entries being ptr records?

    Our network runs on 128.2.1.0 (16) and the corresponding gruel address will always have the host part of our network (I originally posted ‘network’ - sorry about that) e.g.
    128.2.2.9 will become
    gruel-2-9 ………..

    It was Ethereal which first alerted us to this problem and all our monitoring stuff says the same (we use Network Supervisor from 3Com and we’ve just acquired Observer after running a load of trials).
    I’ve changed all passwords as you’ve suggested and I continually monitor event logs.
    I’m going to have a deeper look at anti-rootkit tools. Your suggestion of running Ethereal in between the network and the gateway sounds like a good idea.

  3. #18


    Re: Is this DNS poisoning?

    Our network runs on 128.2.1.0 (16)
    ?!? Uh ?!?

    All IP addresses beginning with 128.2 belong to Carnegie Mellon University aka CMU. Those strange DNS cache entries of yours are a direct result of using someone else's addresses.

    You need to find out how that happened and fix it ASAP, i.e. change the IP numbering of your network to a range you "own".

  4. #19


    Re: Is this DNS poisoning?

    mmmmmm
    Our range is private

  5. #20


    Re: Is this DNS poisoning?

    As PiqueABoo said, CMU own the 128.2 range. A quick whois on all-nettools brings back:

    128.2.0.0 - 128.2.255.255
    Carnegie Mellon University
    Computing Services
    5000 Forbes Avenue
    Pittsburgh, PA
    US

    You need to use one of the private reserved ranges (or a subset) as outlined in RFC 1918.

  6. #21


    Re: Is this DNS poisoning?

    Yeah
    I know it's not strictly correct because it should be in the private range, but we are behind that many layers of NAT. The internet is provided by the York council/Kingston/Affinity and they set this network up here a long time before I got here.
    Other schools in this area also use 128.0.0.0.
    As far as the internet is concerned our machines are seen to have one single class C address which is one of Kingston's machines.
    .... so, could this point to a configuration issue within our providers systems?

  7. #22

    Geoff

    Re: Is this DNS poisoning?

    Yes, they suck and don't understand TCP/IP networking.

  8. #23

    GrumbleDook

    Re: Is this DNS poisoning?

    They really need to look at the RFCs to get an idea of what ranges they should be using.

    Ok ... subnet masks can change to expand your "class 'C'" ranges to give you more than your usual 254 usable addresses, but the use of a public range on a private network, even behind something doing NAT, is a no-no.

    If you are really unhappy with the amount of work you have had to put in because of this you can complain to IANA (or RIPE), who do take a dim view of poor practice like this.

    I would also have a whinge at Kingston/Affinity/York and explain your problems. If it is a range that they have put in there is no guarantee that they have been pubbering around with things either.

    I shudder to remember that when EMBC came to set up our connection they did not have a working range for us, they decided to use a temporary range only to find that it was already in use by someone else and they buggered up their connection too.

  9. #24

    john

    Re: Is this DNS poisoning?

    mmm, sounds like my past place - they used 131.1.71.* for the range, and I am sure that's not a private range.... My LANs all use the 192.168.1/2/3 range or 172.28.96.* ranges

  10. #25


    Re: Is this DNS poisoning?

    Ok - it's all coming out now. The head of ICT now remembers that the council had set us up with 192.168. blah.
    Apparently the school ran out of IP addresses so a guy came in from another school and set the school up with a class B - only instead of 172 he assigned 128 telling all who cared to listen that we were natted so it would be OK.
    And it was OK for two years.
    I tried to log on to one of our Access Points yesterday and was presented with the portal for the Carnegie Mellon VPN. - highly amusing

    So it looks like we'll be able to nail this one now.
    I can't believe everyone has missed the absolutely blindingly obvious. I think it's something like - how can anyone make such an elementary, basic error? Sometimes I suppose it just needs an outsider to point these things out.
    Thanks

  11. #26


    Re: Is this DNS poisoning?

    When/if you sort out your network numbering, create a "Reverse lookup zone" for the network addresses in DNS.
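    An added example (not part of the thread, and not anyone's posted code) that does the three checks this thread converges on: whether an internal range is RFC 1918 private, which in-addr.arpa reverse zone a DNS server needs for it (the "Reverse lookup zone" suggested above), and flagging cached PTR answers for your own addresses that point into someone else's domain, i.e. the "gruel" symptom. The cache entries and the school.local suffix are constructed sample data.

```python
import ipaddress

# RFC 1918 private ranges. Anything outside these should not be used for
# internal numbering, even behind NAT: reverse lookups for the addresses
# will go to whoever really owns the block (here CMU for 128.2.0.0/16).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(network):
    """True if the whole range lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def reverse_zone(network):
    """Name of the in-addr.arpa zone to create for an octet-aligned range,
    e.g. 10.100.0.0/16 -> 100.10.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def audit_ranges(networks):
    """Map each configured range to (is private?, reverse zone needed)."""
    return {n: (is_rfc1918(n), reverse_zone(n)) for n in networks}


def foreign_ptrs(cache_ptrs, networks, own_suffix):
    """Return cached (ip, name) PTR answers where ip is one of ours but the
    name is not under our own DNS suffix, the symptom seen in the thread."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    suffix = own_suffix.lower().strip(".")
    hits = []
    for ip, name in cache_ptrs:
        addr = ipaddress.ip_address(ip)
        ours = any(addr in n for n in nets)
        if ours and not name.lower().rstrip(".").endswith(suffix):
            hits.append((ip, name))
    return hits


# Constructed sample cache (pattern taken from the thread, names made up).
SAMPLE_CACHE = [
    ("128.2.2.9", "GRUEL-2-9.PPP.andrew.cmu.edu."),
    ("128.2.2.142", "gruel-2-142.ppp.andrew.cmu.edu."),
    ("128.2.1.5", "ftt10.school.local."),   # hypothetical internal name
]
```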

  12. #27


    Re: Is this DNS poisoning?

    Hi guys
    OK - we managed to get a 'real' IP scheme given to us by Kingston.
    10.100.0.0
    I did the changeover yesterday and did as you suggested and created a reverse lookup. All is well with the exception of IIS which appears to have lost its virtual directories and will not work. Unfortunately this server seems to have corrupt event logs - not the most useful thing when trying to diagnose problems. I guess I'll have to try the Microsoft fixes to try and get the events back up. I was wondering if anyone had heard of problems with IIS after IP changes. I did find one obscure post somewhere but that was NT4.
    I wonder if I should contact the admin at CMU, after all, we did seem to be a part of the university campus at one point LOL ;-)

  13. #28

    john

    Re: Is this DNS poisoning?

    Sorry to hijack, but who's a good DNS expert whose brain I can pick in a few days' time? I am setting a new server up and I always seem to make a mess of DNS, or it works well but seems to after a few weeks get the hickley pups. I just want to run past them the way I am doing it and see if it's right or not.
