Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Tue, 1 Feb 2000 23:41:53 -0500


SANS has re-arranged their GIAC site.
The relevant stuff is in http://www.sans.org/y2k/0126stutzman.htm
==========================================================================
Submitted regarding a personal experience regarding Dynamic DNS updates.
I have noticed (while running W2K Beta 3 and RC2) that Windows 2000 Professional
will try and dynamically update your DNS server with the host name you give
your computer upon setting up the network information.

In fact it appears (although I haven't seen the final version yet) based on the
RC2 and Beta 3 that this feature (dynamic updates to the DNS) is an "on by
default" option.

To find this "feature" follow these steps:

Open your network control panel
Select TCP/IP and view its properties
Select the "advanced button" in this window
Go to the DNS tab
Near the very bottom of the DNS tab you will see an option called "Register this
connection Address in DNS"; this is checked by default.
Now try not to picture a whole company or university switching at once... or
better yet, dorms since students generally are the first adopters of new
technology. That is a rather frightening thought if I do
say so myself.

We discovered this problem accidentally here on campus and because this came up
right before y2k, I totally forgot about it. In looking through my log files one
day I discovered a known IP address trying to change the DNS, and later the
same person with known IP from his house was trying to change the DNS for his
home machine. Only then did I make the connection with that little checked
option.

I would not be surprised if it is included as a default option in the final
release. I was not able to check to see if this option was on by default in the
final release or in the other version of Windows 2000.

Just a heads up! @_@
=========================================================================

Rob Quinn <rquinn () SEC SPRINT NET> on 2000/01/31 16:19:31

Please respond to Rob Quinn <rquinn () SEC SPRINT NET>

To:      INCIDENTS () SECURITYFOCUS COM

cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)

Subject: Re: DNS update queries: another sort of suspicious activity.

You are probably going to find a lot more of these entries. By default,
Windows 2000 tries to send a DNS update to its known DNS server whenever it
starts up with a new IP from DHCP or finds its name to IP lookup entry not in
the local DNS zone.

The big question is, does this mean Win2000's DNS server defaults to allowing
dynamic updates?

This is MS's implementation of dynamic DNS. There are some more details on the SANS
GIAC pages http://www.sans.org/giac.html

`htm'. But which link do I want?

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                    rquinn () sec sprint net |
|                                                Sprint Corporate Security |

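The discovery above came from reading DNS server logs. As an added example (not code from the original posts or from SANS), here is a small Python triage script that parses BIND 9 style dynamic-update log lines, counts update attempts per client address, flags sources outside an assumed local campus range (the "from his house" case), and separates updates the server actually accepted from ones it denied, which is the question Rob raises. The log lines and the 192.0.2.0/24 campus range are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the style BIND 9 uses for its "update"
# logging category (assumption: the posts show no log format).
SAMPLE_LOG = """\
01-Feb-2000 08:12:01.334 client 192.0.2.45#1027: update 'example.edu/IN' denied
01-Feb-2000 08:12:04.101 client 192.0.2.45#1027: update 'example.edu/IN' denied
01-Feb-2000 09:30:55.712 client 198.51.100.7#2130: update 'example.edu/IN' denied
01-Feb-2000 10:02:13.009 client 192.0.2.80#1031: updating zone 'example.edu/IN': adding an RR at 'ws80.example.edu' A
01-Feb-2000 10:05:41.550 client 203.0.113.9#1025: update 'example.edu/IN' denied
"""

# Two shapes are matched: a refused update ("update '<zone>' denied") and an
# accepted one ("updating zone '<zone>': ..."), both prefixed with the client.
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"(?:update '(?P<zone>[^']+)' denied|updating zone '(?P<zone2>[^']+)')"
)

# Assumed address range of the local campus; anything else is off-site.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_updates(log_text):
    """Return one (client_ip, zone, verdict) tuple per dynamic-update event."""
    events = []
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if not m:
            continue  # not a dynamic-update message; ignore
        zone = m.group("zone") or m.group("zone2")
        verdict = "denied" if m.group("zone") else "accepted"
        events.append((m.group("ip"), zone, verdict))
    return events


def is_campus(ip):
    """True if the client address lies inside an assumed local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def summarize(log_text):
    """Attempts per client, off-site clients, and updates the server let through."""
    counts, offsite, accepted = Counter(), set(), []
    for ip, zone, verdict in parse_updates(log_text):
        counts[ip] += 1
        if not is_campus(ip):
            offsite.add(ip)
        if verdict == "accepted":  # the server allowed a zone change
            accepted.append((ip, zone))
    return {"attempts": dict(counts), "offsite": sorted(offsite), "accepted": accepted}
```

Any entry in "accepted" means the zone really did change, so that list, not the denied noise, is the one to act on.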


