Hijacked DNS - How is this being done?

04/10/2006, 21h33   #1
Roger P.

Well this has got me, I have no idea how it's being done;

Windows 2000 server Domain controller, run nslookup this is what
happens;

> sdsdfsdf

Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: sdsdfsdf.****.co.uk
Address: 82.110.105.11

> wewerewer

Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: wewerewer.****.co.uk
Address: 82.110.105.11

> 233sdsdsdfsdf334

Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
Name: 233sdsdsdfsdf334.****.co.uk
Address: 82.110.105.11

Any host name typed in is resolved to 82.110.105.11?

Also running nslookup and set type=mx this happens;

> microsoft.com

Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
microsoft.com.****.co.uk MX preference = 10, mail exchanger =
mail1.extendcp.co.uk
mail1.extendcp.co.uk internet address = 82.110.105.32

> google.co.uk

Server: w2k-dom.dom.****.co.uk
Address: 192.168.0.2

Non-authoritative answer:
google.co.uk.****.co.uk MX preference = 10, mail exchanger =
mail1.extendcp.co.uk
mail1.extendcp.co.uk internet address = 82.110.105.32

All resolving to 82.110.105.32 ???

I've run virus and spyware checks and also looked at the DNS server
entries as well as the host file all ok, please I'm stuck!


05/10/2006, 03h21   #2
just biz

What does ipconfig /all say that the DNS server is?

05/10/2006, 06h13   #3
Kevin D. Goodknecht Sr. [MVP]

Roger P. wrote:
> Well this has got me, I have no idea how it's being done;
>
> Windows 2000 server Domain controller, run nslookup this is what
> happens;
>
>> sdsdfsdf
>
> Server: w2k-dom.dom.****.co.uk
> Address: 192.168.0.2
>
> Non-authoritative answer:
> Name: sdsdfsdf.****.co.uk
> Address: 82.110.105.11
>
>> wewerewer
>
> Server: w2k-dom.dom.****.co.uk
> Address: 192.168.0.2
>
> Non-authoritative answer:
> Name: wewerewer.****.co.uk
> Address: 82.110.105.11
>
>> 233sdsdsdfsdf334
>
> Server: w2k-dom.dom.****.co.uk
> Address: 192.168.0.2
>
> Non-authoritative answer:
> Name: 233sdsdsdfsdf334.****.co.uk
> Address: 82.110.105.11
>
> Any host name typed in is resolved to 82.110.105.11?
>
> Also running nslookup and set type=mx this happens;
>
>> microsoft.com
>
> Server: w2k-dom.dom.****.co.uk
> Address: 192.168.0.2
>
> Non-authoritative answer:
> microsoft.com.****.co.uk MX preference = 10, mail exchanger =
> mail1.extendcp.co.uk
> mail1.extendcp.co.uk internet address = 82.110.105.32
>
>> google.co.uk
>
> Server: w2k-dom.dom.****.co.uk
> Address: 192.168.0.2
>
> Non-authoritative answer:
> google.co.uk.****.co.uk MX preference = 10, mail exchanger =
> mail1.extendcp.co.uk
> mail1.extendcp.co.uk internet address = 82.110.105.32
>
> All resolving to 82.110.105.32 ???
>
> I've run virus and spyware checks and also looked at the DNS server
> entries as well as the host file all ok, please I'm stuck!


In all likelihood this is neither a virus nor a hijack; it is likely to be
a wildcard record in the public zone, and is very common in the co.uk
domain.

If you check your DNS suffix search list, you will see that ****.co.uk
is in the list and your internal domain is dom.****.co.uk. What you need to
do is set a custom DNS suffix search list that has only your internal domain
in the list, "dom.****.co.uk". This is caused by the DNS client service and
nslookup appending these suffixes until it gets a hit; it hits the public
wildcard and resolves.

You can assign the DNS suffix search list in a group policy on XP and
Win2k3, but you'll have to manually configure the list on Win2k.

Computer Configuration
-Administrative templates
-Network
-DNS client <DNS suffix search list>


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
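
The suffix-search behaviour described in the reply above, as an added example that is not part of the thread: a simplified Python model of nslookup appending each search-list suffix before trying the name as typed, run against constructed zone data. Assumptions: example.co.uk stands in for the redacted ****.co.uk, 203.0.113.10 is a placeholder address, and all function names are hypothetical. It compares the default list with an internal-only list and includes a random-label probe that exposes the wildcard.

```python
import secrets

# Constructed data: example.co.uk stands in for the redacted ****.co.uk.
INTERNAL_ZONE = "dom.example.co.uk"
INTERNAL = {"w2k-dom.dom.example.co.uk": "192.168.0.2"}
PUBLIC = {"*.example.co.uk": "82.110.105.11",   # wildcard in the public zone
          "microsoft.com": "203.0.113.10"}      # placeholder address

DEFAULT_LIST = ["dom.example.co.uk", "example.co.uk"]  # parent zone included
CUSTOM_LIST = ["dom.example.co.uk"]                    # internal domain only

def resolve(fqdn):
    """Answer one fully qualified query; None stands for NXDOMAIN."""
    if fqdn == INTERNAL_ZONE or fqdn.endswith("." + INTERNAL_ZONE):
        return INTERNAL.get(fqdn)       # internal zone carries no wildcard
    if fqdn in PUBLIC:
        return PUBLIC[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):     # wildcard at any enclosing level
        hit = PUBLIC.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None

def search(name, suffixes):
    """Return (name that answered, address); a trailing dot skips the list."""
    if name.endswith("."):
        return name[:-1], resolve(name[:-1])
    for candidate in [f"{name}.{s}" for s in suffixes] + [name]:
        addr = resolve(candidate)
        if addr:
            return candidate, addr
    return None, None

def wildcard_suffixes(suffixes, probes=3):
    """Probe random labels; return {suffix: address} if every probe resolved."""
    found = {}
    for _ in range(probes):
        label = secrets.token_hex(8)    # a name nobody has registered
        candidate, addr = search(label, suffixes)
        if addr is None:
            return {}
        found[candidate[len(label) + 1:]] = addr
    return found

if __name__ == "__main__":
    for lst in (DEFAULT_LIST, CUSTOM_LIST):
        for q in ("sdsdfsdf", "microsoft.com", "microsoft.com.", "w2k-dom"):
            print(lst, q, "->", search(q, lst))
        print("wildcard suffixes:", wildcard_suffixes(lst))
```

With the default list every nonexistent name lands on the wildcard address; with the internal-only list the same names return no answer and `microsoft.com` resolves as typed.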

