Security Incidents: Re: strange DNS behavior over the last 2 days

[Chris Wilkes <cwilkes () ladro com>]

On Thu, Mar 27, 2003 at 01:06:31PM -0500, steve baker wrote:
> For some odd reason, periodically our clients will visit a site, only to 
> have a blank page appear as if the site loaded.
What sites?

> Nslookup resolves the correct IP address, but ping returns 64.251.66.2 for 
> every address that has this problem.  There are NO hosts files on these 
> machines and regardless of which DNS server we point them to, the same 
> problem occurs.
What DNS servers are you asking?  Your own?  If so, I would take a look
at the logs to see:
-what query came in
-what server your DNS server asked for the correct response
-what query your DNS server sent to that server

> The problem occurs intermittently as well, which makes it even harder to 
> pin down.  Some sites previously affected will be accessible and new sites 
> not affected suddenly have the same problem - but they eventually clear up 
> in just about 10 minutes.
>
> Very strange.  Has anyone heard or seen this before on a network running 
> windows nt 4 DNS server with nt/2000 clients?
Does NT4's DNS server have any sort of logging on there?  You might want
to look at that.

What DNS servers do you have listed for your clients?  You can do a
"ipconfig /all" to find out what ones are in there.

You can also install http://www.ethereal.org on your Windows box and
find out what queries it is sending out.  You might think your asking
for the DNS entry for "example.com" but really you're asking for
"example.com.mylocaldomain.com"  I have a feeling that could be your
problem.

Chris

----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.surfcontrol.com/go/zsfihl1