Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Tue, 1 Feb 2000 23:41:53 -0500
SANS has re-arranged their GIAC site. The relevant stuff is in http://www.sans.org/y2k/0126stutzman.htm

==========================================================================

Submitted regarding a personal experience regarding Dynamic DNS updates.

I have noticed (while running W2K Beta 3 and RC2) that Windows 2000 Professional will try and dynamically update your DNS server with the host name you give your computer upon setting up the network information. In fact it appears (although I haven't seen the final version yet) based on the RC2 and Beta 3 that this feature (dynamic updates to the DNS) is an "on by default" option.

To find this "feature" follow these steps:

- Open your network control panel
- Select TCP/IP and view its properties
- Select the "advanced button" in this window
- Go to the DNS tab
- Near the very bottom of the DNS tab you will see an option called "Register this connection Address in DNS"; this is checked by default.

Now try not to picture a whole company or university switching at once... or better yet, dorms since students generally are the first adopters of new technology. That is a rather frightening thought if I do say so myself.

We discovered this problem accidentally here on campus and because this came up right before y2k, I totally forgot about it. In looking through my log files one day I discovered a known IP address trying to change the DNS, and later the same person with known IP from his house was trying to change the DNS for his home machine. Only then did I make the connection with that little checked option.

I would not be surprised if it is included as a default option in the final release. I was not able to check to see if this option was on by default in the final release or in the other version of Windows 2000.

Just a heads up!

@_@

=========================================================================

Rob Quinn <rquinn () SEC SPRINT NET> on 2000/01/31 16:19:31

Please respond to Rob Quinn <rquinn () SEC SPRINT NET>

To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: DNS update queries: another sort of suspicious activity.
You are probably going to find a lot more of these entries. By default, Windows 2000 tries to send a DNS update to its known DNS server whenever it starts up with a new IP from DHCP or finds its name to IP lookup entry not in the local DNS zone.
The big question is, does this mean Win2000's DNS server defaults to allowing dynamic updates?
This is MS implementation of dynamic DNS. There are some more details on SANS GIAC pages http://www.sans.org/giac.html
`htm'. But which link do I want?

--
| Opinions are _mine_, facts   Rob Quinn                 |
| are facts.                   (703)689-6582             |
|                              rquinn () sec sprint net  |
|                              Sprint Corporate Security |

application/octet-stream attachment: att1.eml
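Added example, not part of the original thread or any poster's code: Python that picks the dynamic update requests discussed above out of captured DNS payloads by the header opcode (5, per RFC 2136) and reports the sender and the zone it tried to change. The packets, the 192.0.2.x addresses and the campus.example zone are constructed samples, and the function names are hypothetical.

```python
import struct

OPCODE_UPDATE = 5  # RFC 2136 dynamic update; a standard query is opcode 0

def encode_name(name):
    """Encode a dotted name as DNS labels (only used to build the samples)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Read an uncompressed name at off; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("bad label")  # pointer or overrun in first name
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def classify(msg):
    """Return id/zone/counts for a DNS UPDATE request, None for anything else."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, _zo, prcount, upcount, _ad = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    if flags & 0x8000 or opcode != OPCODE_UPDATE:
        return None  # a response (QR bit set) or not an UPDATE
    zone, _ = read_name(msg, 12)  # zone section takes the question's place
    return {"id": ident, "zone": zone, "prereqs": prcount, "updates": upcount}

def flag_updates(packets):
    """packets: iterable of (source_ip, udp_payload); list the UPDATE senders."""
    found = [(src, classify(payload)) for src, payload in packets]
    return [(src, i["zone"], i["updates"]) for src, i in found if i]

# Constructed samples: one UPDATE adding an A record, one ordinary A query.
SAMPLE_UPDATE = (struct.pack("!6H", 0x1A2B, OPCODE_UPDATE << 11, 1, 0, 1, 0)
                 + encode_name("campus.example") + struct.pack("!2H", 6, 1)  # SOA, IN
                 + encode_name("dorm-pc.campus.example")
                 + struct.pack("!2HIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 45]))
SAMPLE_QUERY = (struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0)
                + encode_name("www.campus.example") + struct.pack("!2H", 1, 1))
PACKETS = [("192.0.2.45", SAMPLE_UPDATE), ("192.0.2.77", SAMPLE_QUERY)]
```

`flag_updates(PACKETS)` lists only the first sender, with the zone it targeted and the number of update records it carried.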