
DNS Poisoning attack!

Status
Not open for further replies.

benlinkknilneb

Programmer
May 16, 2002
590
US
Hey all, I'm usually more of a programmer but I've been thrust into the role of network admin and I'm in need of a little help.

I am suffering from a DNS Poisoning attack. I have run all the anti-spyware tools I could find on both workstations and servers, and nothing turned up. I keep getting redirected to a search-engine-looking page entitled directNIC, each time at a different address.

I have cleared my DNS Server's cache, but the problem arises again in a few days, sometimes even more quickly than that. It even affects pop/smtp traffic, and I've had a couple of emails get forwarded to directnic.com instead of their intended destination, and then they are returned with delivery failure because the address doesn't exist there.

What can I do to make this go away?

Ben
The ships hung in the sky in much the same way that bricks don't. - Douglas Adams
 
What OS are you using for your DNS server?

Whose DNS servers do you use to forward requests to?
 
If you want this problem to go away in the simplest fashion, make your DNS server forward all DNS queries to your ISP's DNS servers and set the timeout to something like 10 seconds. That will make you less vulnerable, unless someone has hacked those DNS servers and they are the problem.

Is this server serving the public, or are public records hosted externally?

Are you using a Windows DNS server? If so, there's an option on the Advanced tab in the server properties that's labeled "Secure Cache Against Pollution". It's checked by default on Windows 2003.
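The "Secure Cache Against Pollution" setting mentioned above works by refusing to cache resource records that fall outside the domain tree the query was sent for (the server's "bailiwick"), so an answer for `www.example.com` cannot smuggle in a record for some unrelated domain. The following Python script is an added illustration of that bailiwick check, not code from this thread or from Microsoft's DNS server; the transaction ID, names and addresses are constructed test data, and the assumption that the responding server is authoritative for `example.com` is supplied by the caller.

```python
"""Bailiwick filter for DNS responses (added example with constructed data)."""
import struct


def encode_name(name):
    """Wire-encode a dotted domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", end


def parse_response(msg):
    """Parse header, question and all resource-record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append({"section": section, "name": name, "type": rtype,
                            "ttl": ttl, "rdata": msg[off:off + rdlen]})
            off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(name, zone):
    """True if name equals zone or lies below it in the DNS tree."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(msg, expected_id, expected_question, zone):
    """Reject spoofed replies, then split records into in-bailiwick and dropped."""
    resp = parse_response(msg)
    if resp["id"] != expected_id:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    if expected_question not in resp["questions"]:
        raise ValueError("question section does not match the query we sent")
    kept, dropped = [], []
    for rr in resp["records"]:
        (kept if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return kept, dropped


def build_response(txid, qname, records):
    """Assemble a constructed response; records are (section, name, type, ttl, rdata)."""
    order = ["answer", "authority", "additional"]
    counts = {s: 0 for s in order}
    for section, *_ in records:
        counts[section] += 1
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1,
                      counts["answer"], counts["authority"], counts["additional"])
    body = encode_name(qname) + struct.pack("!HH", 1, 1)  # question: A, IN
    for section, name, rtype, ttl, rdata in sorted(records, key=lambda r: order.index(r[0])):
        # Point back at the question name (offset 12) to exercise compression handling.
        owner = b"\xc0\x0c" if name == qname else encode_name(name)
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return hdr + body


# Constructed reply: a legitimate answer plus an injected out-of-bailiwick record.
SAMPLE = build_response(0x1234, "www.example.com", [
    ("answer", "www.example.com", 1, 300, bytes([192, 0, 2, 10])),
    ("additional", "mail.bank.example", 1, 86400, bytes([203, 0, 113, 5])),
])

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE, 0x1234, ("www.example.com.", 1, 1), "example.com")
    for rr in kept:
        print("cache:", rr["name"], ".".join(map(str, rr["rdata"])))
    for rr in dropped:
        print("discard (outside bailiwick):", rr["name"], ".".join(map(str, rr["rdata"])))
```

Run as-is it caches the `www.example.com` answer and discards the `mail.bank.example` record, which is the behaviour the "Secure Cache Against Pollution" checkbox is meant to give you; the transaction ID and question checks are the other half of the defence, since a reply that does not match the outstanding query should never reach the cache at all.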
 
This is a Windows 2003 Server. It is also a local domain controller. It's totally internal to our company; its DNS parent is the corporate DNS server, and its master Domain Controller is the DC at corporate.

The checkbox that ShackDaddy spoke of is indeed selected; however, I noticed that it was listening on all IP addresses (Interface tab) rather than just its own. Could that have been the source of the problem? I changed it to only listen on its own IP address to see if that would help.

As for GlenJohnson's post, been there, done that. I've got MS Antispyware running daily on the machine, and I've had ad-aware and spybot take a look at the box to see if they'd see something. All results came up clean.

Ben
The ships hung in the sky in much the same way that bricks don't. - Douglas Adams
 
Under the forwarders tab, to limit queries to the forwarder entries, you need to check off "Do not use recursion".

Try Ewido, free temp eval...
Have Spybot add its entries to your hosts file.

........................................
Chernobyl disaster..a must see pictorial
 
What antivirus are you running on the dns server? grab a copy of AVG free and drop it on for a while. I normally run AVG alongside whatever my clients own and it does not interfere. Keep in mind that if you have a virus on your systems, it'll effectively render your current AV useless.

Try downloading the demo of xoftspy and run it on one of your client computers (as well as the server) to see if it returns any crap that ad-aware won't pick up anymore. I use it all the time and I own it, it's much better than the freebies out there.

Ever use hijackthis? You can grab a copy from download.com and post a log here. It basically shows everything that's loading on your computers. Safe for servers and workstations.

Good luck.


~ K.I.S.S - Don't make it any more complex than it has to be ~
 
