-
January 2nd, 2003, 01:49 PM
#1
Mystery DNS server?
I've got an issue that's really got me confused.
I noticed on this network here a long time ago, certain print servers had been assigned names like "insect.com" or "arachnid.net" or weird things like that (having to do with bugs). I assumed some user got creative. whatever, i paid it no mind.
But now I am seeing that all over the network. All my computers seem to be assigned some weird domain name. My servers are named
buggate.exterminate.com
envirway.com
nimocks.org
exterrathemovie.com
if i do a nslookup on any of these, they point to ns.bugs.com or bugs.com. but i can't seem to figure out anything past this. I'm on a private lan with internet connectivity via a firewall router. I have a windows 2000 server as my dc and dns server, and the configuration is very whitebread. I have one exchange server, and the applicable ports are opened through the firewall for internet access to the mail ports. my clients and servers have only one dns entry, and that is to my 2000 dns server. i don't even know how it can resolve these weird names.
very confused. not even sure what to think!
-
January 2nd, 2003, 04:55 PM
#2
Registered User
I would do the obvious and scan for viruses.
Once that has been ruled out consider the other possibility. Someone has installed a DNS program. (We found a good one on the net that changed a client into a full blown DNS server).
Also double check your DNS server and the clients. It's possible they may somehow be pointing to another machine outside the firewall (very unlikely).
I'm really not sure what else you could check except maybe the firewall/router to make sure no one has gained access to it.
Good Luck.
-
January 2nd, 2003, 05:41 PM
#3
we've got tight virus monitoring, so i've ruled that out.
i was actually wondering whether there might be some kind of client acting as a dns server. question is, i've got about 40 clients, spread out in four buildings. is there a way to probe for dns servers? i think that might be on the right track. the first time i noticed this happening was i think around the time a new guy started who's pretty computer proficient.
-
January 2nd, 2003, 05:45 PM
#4
Registered User
Run a port scan on your entire network at port 53. When you get a hit check that machine. I'd still suspect a virus. Antivirus software only catches what's known.
-
January 2nd, 2003, 06:16 PM
#5
Registered User
Perhaps a global network logging tool may provide you with more information, something like Active Network Monitor.
About Active Network Monitor
Active Network Monitor is a tool for the day-to-day monitoring of computers in the network. Active Network Monitor runs under Windows NT/2000/XP and allows Systems Administrators to gather information from all the computers (even from the Windows 9x/Me computers) in the network without installing server-side applications on these computers. Active Network Monitor provides the powerful technology of storing and comparing received data. Administrators can make "snapshots" of the systems for future comparison and notation of changes.
Active Network Monitor has a flexible plug-in based architecture that allows you to plug in necessary modules on demand. Each module (plug-in) performs a task and displays retrieved information in its own window. Active Network Monitor ships with a predefined, constantly growing list of plug-ins, including plug-ins for monitoring services, devices, installed applications, disks, shared resources, hardware resources (IRQs, I/O, DMA and Memory), users, local groups, global groups and so on.
-
January 2nd, 2003, 07:44 PM
#6
Registered User
Definitely run a port scan.
Also try to get some network monitoring software (we used Fluke at school and it told us what packets, what programs, etc. were on each client machine).
You can try asking this person politely as well if they have installed any DNS programs lately.
Also if this person uses the same computer daily, log in as the administrator and check what programs have been installed recently if they deny any wrongdoing and you have eliminated all the other workstations.
-
January 3rd, 2003, 08:19 AM
#7
Registered User
Here is a GREAT tool we use here for managing our entire WAN of 400+ clients spanning 4 COUNTRIES!!
Ideal Administration
You can even set up an access database from within the program and tell it to have ALL the client report all installed software to it and it puts it in the database... you then build a query and can run reports.
For port scanning of your internal network... and general internal security stuff...
Languard
another AWESOME product.
(Both have FULL FUNCTIONING 30 DAY DEMOS!!)
Good Luck.
-----------
Oh yea... check your win2k DNS server for recursive look up values... it might be set to send all requests to an outside DNS server or to another one on the LAN.
one more thing... a "clever" user could be testing his "hacking" tools... by using DNS poisoning tools. search for that on google... just beware of the sites that host appz or info on it... usually sponsored by porn.
You know you want a crabby patty!!
-
January 3rd, 2003, 08:16 PM
#8
ok, great suggestions, and these look like awesome tools. I'm trying Languard and Active Network Monitor. I think the computer in question is turned off for the day, so I'll try again tomorrow. I'll let you know what I find out!