LinuxQuestions.org
Old 04-14-2005, 10:13 PM   #1
gabriele_101
Member
 
Registered: Oct 2001
Location: CAMBRIDGE, MA USA
Distribution: RH9 Kernel 2.4.20-18.9
Posts: 69

Rep: Reputation: 15
DNS Royally Messed Up - HELP!


Some of my domains had incorrect DNS information propagated across the Internet, and I don't understand how it happened.

Example whois record:

Code:
Registrant:
   Fariel Enterprises
[ ... cut irrelevant data ... ]
   Domain servers in listed order:
      NS12.ZONEEDIT.COM
      NS15.ZONEEDIT.COM
Note that the DNS servers are CORRECT. Running an example "dig" command on servers in 4 different parts of the country, using 4 different primary and secondary DNS servers, I get something like this:
Code:
; <<>> DiG 9.2.4 <<>> torzecka.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53793
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;torzecka.com.                  IN      A

;; ANSWER SECTION:
torzecka.com.           42893   IN      A       66.92.65.67

;; AUTHORITY SECTION:
torzecka.com.           42893   IN      NS      ns1.granitecanyon.com.
torzecka.com.           42893   IN      NS      ns2.granitecanyon.com.

;; ADDITIONAL SECTION:
ns1.granitecanyon.com.  172205  IN      A       205.166.226.38
ns2.granitecanyon.com.  172205  IN      A       69.67.108.10

;; Query time: 1 msec
;; SERVER: 67.138.240.4#53(67.138.240.4)
;; WHEN: Thu Apr 14 20:48:51 2005
;; MSG SIZE  rcvd: 128
The incorrect data is the A record 66.92.65.67 and the ns1/ns2.granitecanyon.com entries. This was going on for a period of about 5-6 hours for at least one of the domains (the example) before things went back to normal. It is still going on for some of the others (e.g., newportroad.com). The IP address and DNS server information is information that has not been used since about mid-2003. The various tech support people are clueless as to how this happened, but I would like to know.

Anyone have any ideas?

-Gabriele
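The check Gabriele did by hand (dig the domain from several resolvers and compare the returned delegation against the registrar's whois record) can be scripted. The following is an added example, not code from the original post: it parses dig's text output, pulls the NS RRset each resolver returned for the domain, and flags any resolver whose answer names servers the registrar does not list. The registrar delegation (NS12/NS15.ZONEEDIT.COM) and the poisoned answer from 67.138.240.4 are taken from the post; the "clean" resolver 192.0.2.53 and its answer are constructed for the example.

```python
"""
Added example (not from the original post): audit several dig outputs for one
domain against the registrar's delegation and flag resolvers whose cache is
serving a different NS set. Sample outputs below: the poisoned one is taken
from the post, the clean one (resolver 192.0.2.53) is constructed.
"""
import re
from collections import namedtuple

DOMAIN = "torzecka.com."
# Delegation from the registrar's whois record, as lowercase FQDNs.
REGISTRAR_NS = {"ns12.zoneedit.com.", "ns15.zoneedit.com."}

# Poisoned answer, copied from the post (resolver 67.138.240.4).
DIG_POISONED = """\
; <<>> DiG 9.2.4 <<>> torzecka.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53793
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;torzecka.com.                  IN      A
;; ANSWER SECTION:
torzecka.com.           42893   IN      A       66.92.65.67
;; AUTHORITY SECTION:
torzecka.com.           42893   IN      NS      ns1.granitecanyon.com.
torzecka.com.           42893   IN      NS      ns2.granitecanyon.com.
;; ADDITIONAL SECTION:
ns1.granitecanyon.com.  172205  IN      A       205.166.226.38
ns2.granitecanyon.com.  172205  IN      A       69.67.108.10
;; SERVER: 67.138.240.4#53(67.138.240.4)
"""

# Constructed clean answer: resolver and A record are assumptions.
DIG_CLEAN = """\
; <<>> DiG 9.2.4 <<>> torzecka.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
torzecka.com.           3600    IN      A       192.0.2.10
;; AUTHORITY SECTION:
torzecka.com.           3600    IN      NS      ns12.zoneedit.com.
torzecka.com.           3600    IN      NS      ns15.zoneedit.com.
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

Record = namedtuple("Record", "name ttl rclass rtype rdata")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
SERVER_RE = re.compile(r"^;; SERVER: (\S+)")


def parse_dig(text):
    """Return (server, {section: [Record, ...]}) from dig's text output.

    Lines starting with ';' are dig's banner, header and question line;
    resource records are 'name ttl class type rdata' rows that follow a
    section header such as ';; AUTHORITY SECTION:'.
    """
    sections, current, server = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = SERVER_RE.match(line)
        if m:
            server = m.group(1)
            continue
        if line.startswith(";") or current is None:
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        name, ttl, rclass, rtype = parts[:4]
        rdata = " ".join(parts[4:]).lower()
        sections[current].append(Record(name.lower(), int(ttl), rclass, rtype, rdata))
    return server, sections


def check_delegation(text, expected_ns, domain=DOMAIN):
    """Compare the NS RRset a resolver returned for `domain` with `expected_ns`.

    Returns (server, verdict, unexpected_ns, max_ttl_hours). verdict is 'ok'
    when every NS seen is one the registrar lists and 'mismatch' otherwise;
    max_ttl_hours is how long the cached (possibly bogus) NS data will live.
    """
    server, sections = parse_dig(text)
    ns_records = [r for r in sections.get("ANSWER", []) + sections.get("AUTHORITY", [])
                  if r.rtype == "NS" and r.name == domain]
    seen = {r.rdata for r in ns_records}
    unexpected = sorted(seen - expected_ns)
    max_ttl_hours = round(max((r.ttl for r in ns_records), default=0) / 3600, 1)
    return server, ("mismatch" if unexpected else "ok"), unexpected, max_ttl_hours


def audit(samples, expected_ns=REGISTRAR_NS, domain=DOMAIN):
    """Run check_delegation over several dig outputs, one tuple per resolver."""
    return [check_delegation(text, expected_ns, domain) for text in samples]


if __name__ == "__main__":
    for row in audit([DIG_POISONED, DIG_CLEAN]):
        print(row)
```

The TTL column is worth reading alongside the verdict: the bogus NS records in the post still had 42893 seconds (almost 12 hours) left on the poisoned resolver, which is why the wrong answer persisted for hours rather than minutes.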
 
Old 04-14-2005, 11:23 PM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
There have been DNS poisoning attacks world-wide for the past few days. You can look up the issue on CERT or other ipsec-related sites. You are not the only one affected by this.
 
Old 04-15-2005, 12:33 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
It appears the old dns info still exists at granitecanyon.com..

The chances are pretty good that someone on a network connected to your dns server looked up those records and the cache was poisoned for a while..

Get the old ones updated or deleted..
 
Old 04-15-2005, 06:34 AM   #4
crmanski
LQ Newbie
 
Registered: Feb 2005
Distribution: ubuntu
Posts: 2

Rep: Reputation: 0
It looks like your nameservers might be vulnerable. If you go to dnsreport.com and enter the domain you mentioned, you get the following:

Your nameservers have the following versions:

64.246.26.64: "8.X"
69.10.134.195: "8.X"

The CERT advisory recommends DNS servers be upgraded to the latest version of BIND, which when I last checked was 9.X

http://www.isc.org/index.pl?/sw/bind/
"BIND4/BIND8
Unsuitable for Forwarder Use
If a nameserver -- any nameserver, whether BIND or otherwise -- is configured to use "forwarders", then none of the target forwarders can be running BIND4 or BIND8. Upgrade all nameservers used as "forwarders" to BIND9. There is a current, wide scale Kashpureff-style DNS cache corruption attack which depends on BIND4 and BIND8 as "forwarders" targets."
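peter_robb's explanation (someone queried a name through the resolver and its cache was poisoned for a while) and the ISC note about Kashpureff-style cache corruption on BIND4/BIND8 describe the same mechanism: a response to a query for one domain carries authority and additional records for a different domain, and an old resolver caches them anyway. The following is an added example, not code from the thread or from ISC: a toy resolver cache that can run either without any check (the BIND4/8 behaviour the thread is about) or with a simplified in-bailiwick rule in the spirit of what BIND9 applies, which only caches records whose owner name lies inside the zone the queried server was answering for. The attacker domain, its addresses and the response layout are constructed for the example; the torzecka.com/granitecanyon.com records are the stale ones from the post.

```python
"""
Added example (not from the thread): a toy cache showing why an in-bailiwick
check stops the cache corruption described above. Names and addresses other
than torzecka.com/granitecanyon.com are constructed; the bailiwick rule is a
simplified version of what modern resolvers apply.
"""


def in_bailiwick(owner, zone):
    """True if `owner` equals `zone` or is a subdomain of it (FQDNs, case-insensitive)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return owner == zone or owner.endswith("." + zone)


class Cache:
    """Minimal RRset cache; `check_bailiwick=False` mimics the old, trusting behaviour."""

    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.rrsets = {}      # (owner name, type) -> set of rdata
        self.rejected = []    # records dropped by the bailiwick rule

    def ingest(self, response, zone):
        """Cache the records in `response`, a dict of answer/authority/additional
        lists of (name, type, rdata). `zone` is the zone the queried server was
        asked about, i.e. the bailiwick its records are credible for."""
        for section in ("answer", "authority", "additional"):
            for name, rtype, rdata in response[section]:
                if self.check_bailiwick and not in_bailiwick(name, zone):
                    self.rejected.append((name, rtype, rdata))
                    continue
                self.rrsets.setdefault((name.lower(), rtype), set()).add(rdata)

    def lookup(self, name, rtype):
        return self.rrsets.get((name.lower(), rtype), set())


# Constructed: what ns.attacker.example answers when the victim resolver asks it
# for www.attacker.example. Everything about torzecka.com is out of bailiwick
# for a server that is only authoritative for attacker.example.
ATTACKER_RESPONSE = {
    "answer": [("www.attacker.example.", "A", "198.51.100.7")],
    "authority": [
        ("attacker.example.", "NS", "ns.attacker.example."),
        ("torzecka.com.", "NS", "ns1.granitecanyon.com."),    # planted
        ("torzecka.com.", "NS", "ns2.granitecanyon.com."),    # planted
    ],
    "additional": [
        ("ns.attacker.example.", "A", "198.51.100.53"),
        ("ns1.granitecanyon.com.", "A", "205.166.226.38"),    # planted
        ("torzecka.com.", "A", "66.92.65.67"),                # planted
    ],
}


def simulate(check_bailiwick):
    """Feed the attacker's response into a fresh cache and return the cache."""
    cache = Cache(check_bailiwick)
    cache.ingest(ATTACKER_RESPONSE, zone="attacker.example.")
    return cache


if __name__ == "__main__":
    for mode in (False, True):
        c = simulate(mode)
        print("bailiwick check:", mode,
              "| torzecka.com NS now cached as:", sorted(c.lookup("torzecka.com.", "NS")),
              "| rejected:", len(c.rejected))
```

With the check off, one lookup of www.attacker.example by anyone behind the resolver leaves torzecka.com pointing at the stale granitecanyon.com servers for the lifetime of the planted TTL, which matches the hours-long window reported in the first post. With the check on, the same response still answers the attacker's own name correctly but the four planted records are dropped.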
 
  

