
BoS: Weird behavior of MS's NT4 DNS

daemon@ATHENA.MIT.EDU (Jason T. Luttgens)
Fri Feb 7 03:36:06 1997

Date: 	Fri, 7 Feb 1997 09:04:17 +-900
Reply-To: "Jason T. Luttgens" <luttgenj@KIC.OR.JP>
From: "Jason T. Luttgens" <luttgenj@KIC.OR.JP>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

We recently converted our primary DNS server from a Unix host running BIND to NT4 running MS's DNS. One of the many problems we are experiencing is that our web server is no longer denying all the hosts that it should from getting into restricted areas. We noticed that in the in-addr cache it was creating entries that had hostnames that were non-existent in our domain. At first we could not figure out where these names were coming from. After doing extensive testing from a host that was outside of the allowed domain, we found that somehow the MS DNS server is communicating with the remote host, and if it has an MS network name (i.e. Win95 or WFWG machine), it uses that name and tags our domain onto it!!!! ...and grants them access to the restricted portion of our web server! I do not have books on the MS DNS server, so there may be a setting that I can switch to stop this... if anyone knows it, please e-mail me. Here is a copy of a snoop to the remote host on Solaris 2.5:

Using device /dev/le (promiscuous mode)
dns -> remote.host UDP D=137 S=137 LEN=58
dns -> remote.host UDP D=137 S=137 LEN=58
remote.host -> dns RPC R XID=2968159232
remote.host -> dns RPC R XID=3776218112
dns -> remote.host UDP D=137 S=137 LEN=58
dns -> remote.host UDP D=137 S=137 LEN=58
remote.host -> dns RPC R XID=2970256384
remote.host -> dns RPC R XID=2970518528
dns -> remote.host UDP D=137 S=137 LEN=58
dns -> remote.host UDP D=137 S=137 LEN=58
dns -> remote.host UDP D=137 S=137 LEN=58
remote.host -> dns RPC R XID=2972484608

Anyone know what this is???
(I lost the NT BUGTRAQ address)
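The failure described in this post is a web server trusting a reverse-resolved hostname that nothing in the forward zone actually points back at: the NT4 DNS server built a name from the client's NetBIOS name plus the local domain suffix, and a suffix-only check accepted it. The following is an added example, not code from the poster or from either DNS server, showing the weak suffix-only check next to a forward-confirmed reverse DNS (FCrDNS) check that only accepts a name whose own A record contains the connecting address. The zone data, domain names and addresses are constructed for the example; `live_reverse` and `live_forward` are the equivalent lookups against the system resolver for real use.

```python
"""Hostname-based access control: suffix-only check vs. forward-confirmed reverse DNS.

Added example (not from the original post). Scenario mirrored from the post: a
client outside the allowed domain gets a reverse name of <netbios-name>.<our-domain>
from the DNS server, and a check that only looks at the domain suffix lets it in.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample zone data standing in for live DNS (RFC 5737 addresses,
# hypothetical names). 192.0.2.10 plays the outside client whose reverse name
# was fabricated from its NetBIOS name; note it has no A record pointing back.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["win95box.example.org"],   # fabricated: NetBIOS name + our domain
    "192.0.2.20": ["trusted.example.org"],    # legitimate host inside the domain
    "192.0.2.30": ["mirror.example.net"],     # legitimate host outside the domain
}
A_RECORDS: Dict[str, List[str]] = {
    "trusted.example.org": ["192.0.2.20"],
    "mirror.example.net": ["192.0.2.30"],
    # "win95box.example.org" intentionally absent: nothing forward-resolves to 192.0.2.10
}

Lookup = Callable[[str], List[str]]


def table_reverse(ip: str) -> List[str]:
    """PTR lookup against the constructed table."""
    return PTR_RECORDS.get(ip, [])


def table_forward(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def live_reverse(ip: str) -> List[str]:
    """PTR lookup via the system resolver (for real use; not exercised offline)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:          # socket.herror / socket.gaierror
        return []


def live_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver (for real use; not exercised offline)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (label-boundary aware)."""
    name, domain = normalize(name), normalize(domain).lstrip(".")
    return name == domain or name.endswith("." + domain)


def naive_allow(ip: str, allowed_domain: str,
                reverse: Lookup = table_reverse) -> Tuple[bool, str]:
    """The weak check from the post: trust any reverse name ending in our domain."""
    for name in reverse(ip):
        if in_domain(name, allowed_domain):
            return True, normalize(name)
    return False, ""


def confirmed_names(ip: str, reverse: Lookup = table_reverse,
                    forward: Lookup = table_forward) -> List[str]:
    """Reverse names for ip whose forward lookup contains ip (FCrDNS)."""
    names = []
    for name in reverse(ip):
        name = normalize(name)
        if ip in forward(name):
            names.append(name)
    return names


def fcrdns_allow(ip: str, allowed_domain: str, reverse: Lookup = table_reverse,
                 forward: Lookup = table_forward) -> Tuple[bool, str]:
    """Hardened check: the name must forward-confirm AND sit in the allowed domain."""
    for name in confirmed_names(ip, reverse, forward):
        if in_domain(name, allowed_domain):
            return True, name
    return False, ""


if __name__ == "__main__":
    for client in PTR_RECORDS:
        print(client, "naive:", naive_allow(client, "example.org"),
              "fcrdns:", fcrdns_allow(client, "example.org"))
```

Running the block shows the difference: the suffix-only check admits 192.0.2.10 on the strength of the fabricated name, while the FCrDNS check rejects it because no forward record returns that address, and still admits 192.0.2.20. A forward-confirmed name is only as trustworthy as the resolver answering the lookups, so on a server that must make this decision the lookups should go to a resolver you control rather than one that synthesizes names from other protocols.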

