Showing posts with label DNS Server Support. Show all posts

Wednesday, March 25, 2009

Microsoft Discovered Domain Name System CVE-2009-0233 & CVE-2009-0234

Recently, Microsoft Corp. discovered two new Domain Name System cache poisoning threats, CVE-2009-0233 and CVE-2009-0234.

According to Check Point, IPS products are updated by Check Point’s update services, providing continuous and real time protection against DNS attacks for companies. The solutions are available on dedicated platforms or integrated into Check Point gateways.

With the help of a suite of DNS cache poisoning protections, Check Point IPS solutions preemptively protect against the two new threats. These preemptive protections have the ability to detect specific attempts to exploit the newly announced vulnerabilities.

“At the heart of the Internet are DNS servers. We trust DNS servers to direct our entered URLs to the intended Websites, so any vulnerability affecting the integrity of DNS servers is of great concern,” said Oded Gonda, vice president of network security products at Check Point. “In less than a year there have been three major DNS exploits and more are likely to follow.”

The vulnerabilities in Microsoft DNS servers lie in the way the server handles caching of queries and responses. An attacker floods a DNS server (the servers that convert domain names into numeric IP addresses) with specially crafted queries, tricking it into making unnecessary lookups. With these unnecessary lookups, the attacker has more chances of inserting incorrect responses into the DNS server’s cache.

Source: sip-trunking.tmcnet.com

Monday, February 2, 2009

Procedure to Start/Stop An Iterative DNS Server

The following procedure explains how to start or stop an iterative DNS server.

Procedure - Start/Stop An Iterative DNS Server

1. Click on the System Services menu if it is not already expanded.
2. Click on the DNS Server submenu if it is not already expanded.
3. Click on the Overview item.
4. You should now be looking at the DNS Management controls in the main content area.
5. Locate the Active DNS Services (Iterative) section.
6. Click the checkbox next to the IP you want to update.
7. Select Start or Stop from the dropdown menu below the IP list depending on what you want to do.
8. The page will reload and you will see the following message at the top of the screen: » Settings updated successfully.

Procedure - Flush An Iterative DNS Server

1. Click on the System Services menu if it is not already expanded.
2. Click on the DNS Server submenu if it is not already expanded.
3. Click on the Overview item.
4. You should now be looking at the DNS Management controls in the main content area.
5. Locate the Active DNS Services (Iterative) section.
6. Click the checkbox next to the IP you want to update.
7. Select Flush from the dropdown menu below the IP list.
8. The page will reload and you will see the following message at the top of the screen: » Settings updated successfully.

Procedure - Remove An Iterative DNS Server From an IP Address

1. Click on the System Services menu if it is not already expanded.
2. Click on the DNS Server submenu if it is not already expanded.
3. Click on the Overview item.
4. You should now be looking at the DNS Management controls in the main content area.
5. Locate the Active DNS Services (Iterative) section.
6. Click the checkbox next to the IP you want to update.
7. Select Remove from the dropdown menu below the IP list.
8. The page will reload and you will see the following message at the top of the screen: » Settings updated successfully.

Procedure - Restart An Iterative DNS Server From an IP Address

1. Click on the System Services menu if it is not already expanded.
2. Click on the DNS Server submenu if it is not already expanded.
3. Click on the Overview item.
4. You should now be looking at the DNS Management controls in the main content area.
5. Locate the Active DNS Services (Iterative) section.
6. Click the checkbox next to the IP you want to update.
7. Select Restart from the dropdown menu below the IP list.
8. The page will reload and you will see the following message at the top of the screen: » Settings updated successfully.

Procedure - Install An Iterative DNS Server on an IP Address

1. Click on the System Services menu if it is not already expanded.
2. Click on the DNS Server submenu if it is not already expanded.
3. Click on the Overview item.
4. You should now be looking at the DNS Management controls in the main content area.
5. Locate the IP Addresses Without DNS Services section.
6. Click the checkbox next to the IP you want to update.
7. Select restart from the dropdown menu below the IP list.
8. The page will reload and you will see the following message at the top of the screen: » Settings updated successfully.

Source: http://www.interworx.com/support/docs/iworx-cp/sysadmin/system-services/dns/howto-iterative-server

Tuesday, December 30, 2008

Using dnsmasq for DNS and DHCP services

Software for providing DNS and DHCP services has typically come from ISC in the form of BIND and dhcpd.

While these software packages are quite robust and, for the most part, quite secure, there are other alternatives that may work better depending on your situation. For smaller home or office networks, managing BIND and dhcpd may be overkill.

Another solution that provides both services is dnsmasq, which will cache external DNS addresses, provide local DNS names or override external DNS entries, and also provides dynamic IP addresses in the form of DHCP.

It can even provide static IP addresses over DHCP, the same as dhcpd, with the only pre-requisite being the MAC address of the system to assign the static IP to.

Most Linux distributions come with dnsmasq packaged, so it is a simple apt-get, yum, or urpmi away. Otherwise, compiling from source is quite easy. Dnsmasq handles DNS setup differently than BIND and other DNS servers. Everything is configured via a single configuration file, /etc/dnsmasq.conf.

When a request comes in, dnsmasq does not look in zone or similar files; it consults /etc/hosts first and then will look externally for addresses by consulting the name server(s) defined in /etc/resolv.conf. This is a quick and easy way to override external DNS addresses by simply defining them in /etc/hosts on the system that is running dnsmasq.

Dnsmasq also provides DHCP services quite easily. To do so, uncomment and set the following options in /etc/dnsmasq.conf:

expand-hosts
domain=example.com
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=3,192.168.0.1

This will enable DHCP and set the network domain to "example.com". The DHCP server will offer addresses between 192.168.0.50 and 192.168.0.150 with a lease of 12 hours. Finally, dhcp-option sets the third DHCP option, which sets the default route, pointing to 192.168.0.1 as the router.

There are a lot of dhcp-option values; the configuration file and man pages go through them all with examples.

To set a static IP address for a client, use the dhcp-host keyword:

dhcp-host=11:22:33:44:55:66,foo,192.168.0.10

This will always give the host with the hardware MAC address of 11:22:33:44:55:66 the hostname foo (.example.com) and the IP address 192.168.0.10.

Another useful feature of dnsmasq is that it provides a TFTP server as well. You can enable the TFTP server, point it to the root directory of files to serve, and make use of network booting (PXE).

Dnsmasq provides a number of features that make it a compelling replacement for BIND and dhcpd, or any other DNS or DHCP server software you may be using. It can set default MX records, various caching options, a wide variety of DHCP options, SRV records to provide LDAP information, PTR records, SPF records, and even Zeroconf records.

Source: http://www.zdnetasia.com/techguide/opensource/0,39044899,62048842,00.htm

Tuesday, December 16, 2008

Another DNS Outage Gives OpenDNS Free Advertising

The folks in the OpenDNS marketing department probably huddle together each morning in a meeting room, praying to the digital gods for ISP DNS problems -- given that every time an ISP has a DNS disruption, the increasingly popular company sees an influx of new customers. Since being launched in 2006 by David Ulevitch, the service has developed an almost cult following, and now offers users a slew of services ranging from Internet filters and URL auto-correction to network monitoring and anti-phishing protection.

The company has certainly been helped each time the nation's two largest ISPs, Comcast and AT&T, temporarily forget how to run their DNS servers (which has happened a number of times over the last few years).

It's not clear how many users switched before Time Warner Cable resolved the problem (their LA network status page seems to indicate the problem is ongoing as of mid-day Friday). While probably not a priority for execs at Time Warner Cable, it does eat away at the revenue generated by DNS redirection advertising, which Time Warner Cable began implementing roughly a year ago. A growing number of ISPs have been implementing DNS redirection ad pages that pop-up when a user mistypes a URL, creating a new profit stream off clumsy typing.

OpenDNS is targeting that same profit stream, and so far seems to be doing a much better job at it -- by including features that users actually find useful. Earlier this year it was estimated that OpenDNS makes $20,000 per day via their search relationship with Yahoo alone. That's money that could be going into ISP pockets, and you can be sure that eventually, should OpenDNS's popularity continue to grow, carriers will start trying to get wayward DNS users back onto their own servers -- one way or another.


Source: http://www.dslreports.com/shownews/Another-DNS-Outage-Gives-OpenDNS-Free-Advertising-99648?nocomment=1

Tuesday, December 9, 2008

Beware of Scoundrel DHCP servers, warns Symantec

DHCP is a mechanism commonly used to automatically assign IP addresses to computers and other devices on a local network. It also provides the client systems with the address of the DNS server they should use.

Using a malicious DNS server to divert traffic to malicious sites is known as pharming. A pharmed user may type a bank URL directly into the browser (as recommended by most financial institutions), but may end up on a fake site designed to capture login details to aid in making fraudulent transactions.

According to Symantec, a Trojan it has dubbed Flush.M sets up a rogue DHCP server on the victim's PC.

When other systems on the LAN make a DHCP request to receive or renew an IP address, Flush.M responds.

If the requesting system receives Flush.M's response before that of the real DHCP server, it will start using the malicious DNS server(s) rather than those specified by the real network administrator.

This can be done by infecting just one PC on the LAN, and it can potentially divert the traffic from any other device, regardless of its operating system.

Furthermore, security software running on those other devices is unlikely to find anything wrong.

Symantec suggests network administrators should watch for DHCP offers originating from addresses other than their DHCP servers, and that they monitor or block traffic to the IP address range 85.255.112.0 to 85.255.127.255, which includes known malicious DNS servers.
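The two checks Symantec suggests, applied to DHCP server replies seen on the LAN, can be sketched as follows. This is an added example, not code from Symantec or the original post; the authorized server address 192.168.0.1, the function names and the sample packet builder are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumption for this example: the site's only legitimate DHCP server.
AUTHORIZED_DHCP_SERVERS = {ipaddress.ip_address("192.168.0.1")}
# 85.255.112.0 to 85.255.127.255, the range named above, is exactly this /20.
SUSPECT_DNS_NET = ipaddress.ip_network("85.255.112.0/20")

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_options(payload):
    """Return {option code: value} from a DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option runs past the end of the packet
        opts[payload[i]] = value
        i += 2 + length
    return opts


def check_reply(src_ip, payload):
    """Return findings for one DHCP packet seen on the LAN (empty list = clean)."""
    opts = parse_options(payload)
    if opts is None:
        return ["malformed-dhcp-payload"]
    mtype = opts.get(OPT_MSG_TYPE, b"")
    if len(mtype) != 1 or mtype[0] not in (DHCPOFFER, DHCPACK):
        return []  # only server replies carry settings a client will adopt
    senders = [ipaddress.ip_address(src_ip)]
    if len(opts.get(OPT_SERVER_ID, b"")) == 4:
        senders.append(ipaddress.ip_address(opts[OPT_SERVER_ID]))
    findings = [f"unauthorized-dhcp-server:{a}" for a in dict.fromkeys(senders)
                if a not in AUTHORIZED_DHCP_SERVERS]
    dns = opts.get(OPT_DNS, b"")
    for i in range(0, len(dns) - len(dns) % 4, 4):
        addr = ipaddress.ip_address(dns[i:i + 4])
        if addr in SUSPECT_DNS_NET:
            findings.append(f"suspect-dns:{addr}")
    return findings


def build_reply(msg_type, server_id, dns_servers):
    """Construct a minimal DHCP reply payload (sample input, not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), ipaddress.ip_address("192.168.0.77").packed, bytes(4),
                         bytes(4), bytes.fromhex("112233445566"), bytes(64), bytes(128))
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
               + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options
```

check_reply takes the source address and UDP payload of a packet sent from the DHCP server port; an empty list means neither check fired.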


Source: itwire.com

Wednesday, November 26, 2008

Using dnsmasq for DNS and DHCP services

Software for providing DNS and DHCP services has typically come from ISC in the form of BIND and dhcpd. While these software packages are quite robust and, for the most part, quite secure, there are other alternatives that may work better depending on your situation. For smaller home or office networks, managing BIND and dhcpd may be overkill.

Another solution that provides both services is dnsmasq, which will cache external DNS addresses, provide local DNS names or override external DNS entries, and also provides dynamic IP addresses in the form of DHCP. It can even provide static IP addresses over DHCP, the same as dhcpd, with the only pre-requisite being the MAC address of the system to assign the static IP to.

Most Linux distributions come with dnsmasq packaged, so it is a simple apt-get, yum, or urpmi away. Otherwise, compiling from source is quite easy. Dnsmasq handles DNS setup differently than BIND and other DNS servers. Everything is configured via a single configuration file, /etc/dnsmasq.conf.

When a request comes in, dnsmasq does not look in zone or similar files; it consults /etc/hosts first and then will look externally for addresses by consulting the name server(s) defined in /etc/resolv.conf. This is a quick and easy way to override external DNS addresses by simply defining them in /etc/hosts on the system that is running dnsmasq.

Dnsmasq also provides DHCP services quite easily. To do so, uncomment and set the following options in /etc/dnsmasq.conf:

expand-hosts
domain=example.com
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=3,192.168.0.1

This will enable DHCP and set the network domain to “example.com.” The DHCP server will offer addresses between 192.168.0.50 and 192.168.0.150 with a lease of 12 hours. Finally, dhcp-option sets the third (3) DHCP option, which sets the default route, pointing to 192.168.0.1 as the router. There are a lot of dhcp-option values; the configuration file and man pages go through them all with examples.

To set a static IP address for a client, use the dhcp-host keyword:

dhcp-host=11:22:33:44:55:66,foo,192.168.0.10

This will always give the host with the hardware MAC address of 11:22:33:44:55:66 the hostname foo (.example.com) and the IP address 192.168.0.10.

Another useful feature of dnsmasq is that it provides a TFTP server as well. You can enable the TFTP server, point it to the root directory of files to serve, and make use of network booting.

Dnsmasq provides a number of features that make it a compelling replacement for BIND and dhcpd, or any other DNS or DHCP server software you may be using. It can set default MX records, various caching options, a wide variety of DHCP options, SRV records to provide LDAP information, PTR records, SPF records, and even Zeroconf records.

For small office and home networks, dnsmasq is hard to beat in terms of simplicity and power. The configuration file is loaded with examples and information so, while initial setup for a larger network will require a commitment of some time, it is all very straightforward.


Source: blogs.techrepublic.com.com/opensource/?p=293

Friday, November 7, 2008

How to reinstall a dynamic DNS Active Directory-integrated zone

Under the following situations you may want to reinstall the dynamic DNS in a Windows 2000 Active Directory:


  • Multiple DNS errors have occurred and methods have been unsuccessful.

  • Services that depend upon DNS, such as, the File Replication service (FRS) and/or Active Directory are failing. Also, the standard troubleshooting procedures have been unable to locate the exact cause of the problem.

  • DNS had been built as a secondary DNS server or files copied from a DNS server do not support dynamic updates.

  • To create a better name space design, such as, splitting the internal and external name spaces.

You have to remove DNS and the DNS cache. Then, you must rebuild one Active Directory DNS server to set up long term stability.

The following steps can remove the defective information in Active Directory-integrated DNS:

  • Go to the properties of the DNS zone files and change them to be a "Standard Primary".

  • In the %Systemroot%\Winnt\System32\DNS folder, delete the text DNS Zones files.

  • Delete the object in Active Directory Users and Computers.

  • On the View menu, click Advanced Features, expand the System folder, click MicrosoftDNS, and then delete the zone file objects.

  • For each Active Directory-integrated DNS server, repeat steps 1-3.

  • In the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of the first Active Directory-integrated DNS server, point it to itself.

  • To obtain proper resolution, you must clear the Caching Resolver, which is the DNS client on the DNS server. At the command prompt, type: ipconfig /flushdns.

  • Stop and restart DNS and the NetLogon service. Then, remove and re-add the DNS service.

You have completed the process to clear out a DNS server. You must complete the process for any additional DNS servers that you plan to integrate with Active Directory.

The following steps can assist you to build a strong foundation for DNS, Active Directory, and FRS:


  • Configure all DNS servers to point to the same DNS server in the domain or forest under TCP/IP properties in DNS: Right-click My Network Places, click Local Area Connection, right-click Local Area Connection, click Properties, select the properties of TCP/IP, and then point all DNS servers to the same DNS server. Also, click the Advanced DNS tab, and then confirm that secondary DNS servers are not configured.

  • Re-add the DNS service, or re-add the zones and configure them to be Active Directory integrated. For troubleshooting purposes, you may want to set "Allow Dynamic Updates?" to Yes. Later, you can change this setting to "Allow Only Secure Updates".

  • Run the ipconfig /flushdns command, and then run the ipconfig /registerdns command. This command can help you to register your A resource record for DNS as well as your start of authority (SOA). You may want to run this command on any other servers that are critical to you.

  • NOTE: The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. It is not relevant if the computer is a DHCP client or not. You must have this service set to "start" and the "Start up" type set to "automatic." The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.)

  • Active Directory-integrated DNS is now working on your first Dynamic DNS server. You must point additional Dynamic DNS servers to the first DNS server under TCP/IP properties. You must confirm that a full and complete replication process has occurred before you change the TCP/IP properties to point to itself for any additional DNS servers.

Before you configure DNS, you must research the benefits of various DNS name space architectures, such as, internal name spaces, external name spaces, child domains, caching only DNS servers, and reverse look-up zones. Then, you must consider how to develop a design architecture that can work for your organization.

Source: support.microsoft.com/kb/294328

Friday, October 31, 2008

Install a Windows 2003 DNS server

Every network needs a DNS (domain name service) server, right? Windows comes with a DNS server, but it isn’t installed by default. This will tell you how to install a DNS server on a Windows 2003 server.

As an administrator on the system, click Start -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components.

In the window that opens, click on the Networking Services line (careful not to uncheck the box to the left) and click Details.

Find the line for Domain Name System (DNS), click the checkbox on its left, and Click OK. Click Next.

If Windows asks for a CD-ROM, do as it requests. When it is done, click Finish and you’ll have your very own DNS server.

Source: tech-recipes.com

Monday, August 4, 2008

MintDNS 2006 Tutorials

MintDNS 2006 is a fully featured server suite that allows you to run your own enterprise level DDNS Server.

Supporting both Dynamic and Static DNS, MintDNS also supports several standard update protocols, which enables support for many existing third-party IP address update clients and many hardware (firmware) clients. This allows you to provide time-tested, reliable Dynamic DNS services to almost all Internet-connected computers, or even remote cameras.

MintDNS is completely template based, so the look and feel of your DNS service can easily be adapted to match your existing website or modified to suit your specific needs.

We have provided Dynamic DNS solutions for more than 5 years. MintDNS 2006 Enterprise is our latest product and is also the most dependable, feature-rich and scalable product we have ever offered.

If you're interested in custom development, you may like to know that MintDNS is almost completely open sourced, allowing you to easily expand on the existing system to meet any special needs your company may have. The advantage of having an established, time-tested platform to build on could save months of development time.

The all new web based administration console gives you instant access to advanced user management features, statistics charts, accounting features and complete control over server settings.