DNS Snooping Defense

Hello,
Using a vulnerability tool, I have discovered I need to remedy DNS Snooping potential.
http://support.microsoft.com/kb/2678371
I understand that one fix is to disable recursion.  I also understand that, if I disable recursion, I will need to set up forwarders in order for anyone on my LAN to reach the outside world.  At least, that's the idea.
Here's where I get confused, though.  I have a domain that is operating within a subnet of a larger network.  I have no control over this network, and just barely have indirect control over how things are set up inside.
A DHCP server, which I do not control, issues IP addresses, DNS addresses, etc, based on the MAC address.
If I query what DNS server I'm using, I get two responses - neither of which are the DNS server that I actually operate as part of my Domain - which is hosted on my domain controller.
So my real question is:  If my workstations report DNS entries for DNS servers that aren't my own, will I still break things if I disable recursion on the local DNS server?
Also, does this imply that when I resolve a local host name (say COMPUTER1.MYDOMAIN.BIGGERDOMAIN.COM), it goes to one of these "foreign" DNS servers first, which then directs the request back to my local DNS server?  Still just a student here.
Thanks!
M.

So my real question is:  If my workstations report DNS entries for DNS servers that aren't my own, will I still break things if I disable recursion on the local DNS server?
No, as long as forwarders are properly set. Mainly, configure your ISP's DNS servers as forwarders. If you manage multiple domains internally, then you can set up a conditional forwarder.
Also, does this imply that when I resolve a local host name (say COMPUTER1.MYDOMAIN.BIGGERDOMAIN.COM), it goes to one of these "foreign" DNS servers first, which then directs the request back to my local DNS server?  Still just a student here.
Assuming that your workstations use your internal DNS server for resolution, then:
The internal DNS server will respond directly if it is authoritative for the DNS zone (meaning that the zone is hosted on it).
The internal DNS server will forward the request to the DNS server of the specific domain if a conditional forwarder is set. Once it receives an answer, it will cache it and respond to the client.
The internal DNS server will forward the request to your ISP's DNS servers for domains for which it is neither authoritative nor has a conditional forwarder set. Once it receives an answer, it will cache it and respond to the client.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK

Similar Messages

  • APPLETV and mDNS - Turn OFF mDNS it works, Turn it on it doesn't?!?!?!?

    Hi guys! 
    I'm having a strange morning. We switched from 7.2.x code to 7.4.121.0 on our 5508 WLC. And today I get a call that the Apple TVs aren't visible any more.
    Quick check into the mDNS profiles, I see each and every one. Quick check on my iPhone to my test Apple TV - that works too. But it is the only ATV I can actually see.
    - I can only see the ATV when it is connected to the same access point; if I roam it vanishes.
    - If I turn OFF the mDNS settings - I see every ATV in the building!!!
    I configured everything according to: http://www.cisco.com/c/en/us/td/docs/wireless/technology/bonjour/Bonjour74.pdf but somehow it is not working. 
    Settings:
    (yes the mDNS global is enabled in the tests ;) )
    I can see the ATVs on the WLC:
    When it is enabled I can only see the Apple TV that is connected wirelessly to the same AP I'm connected to! So none of the wired devices!
    I have enabled the DNS Snooping in the advanced settings for the WLAN. I have also found an extra mDNS Snooping for the interfaces themselves, which wasn't activated. But activating it didn't help a thing. I also tried deactivating the VLAN Multicast feature that was needed in 7.2.x, but also to no avail.
    HELP! Any idea what might be running amok here? Everything was working without a hitch in 7.2.x and I thought the 7.4.121.0 would be a blast, because easier, better and such :D Thanks a lot for your help!

    O.k., that's a bit stupid. I had a brain freeze. But just to follow up on this:
    If your mDNS profile that is used for the snooping DOESN'T have the AirTunes part included, it won't work. Just because the general option is chosen doesn't do diddly squat for the WLAN itself. Guess that's an error I just had to make ;)
    Problem solved! 

  • W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

    Hi everyone.
    How can I solve this security vulnerability reported by Nessus (security software) on W2003's DNS?
    DNS Server Cache Snooping Remote Information Disclosure
    Synopsis:
    The remote DNS server is vulnerable to cache snooping attacks.
    Description:
    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
    Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
    Risk factor:
    Medium
    CVSS Base Score:5.0
    CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
    See also:
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    Solution:
    Contact the vendor of the DNS software for a fix.
    Plugin output:
    Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
    I have been searching for a solution on the web... but I was unable to find one that would let me use "recursion" on our DNS server.
    We have an internal DNS server for Active Directory, with forwarding to resolve external internet domains, as is a requirement of our application... but now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names... but this is not a good solution for us.
    I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain... so we need to use the same AD-integrated DNS server, notwithstanding we must resolve external DNS records for our application... How can I do this without getting the same vulnerability again? I don't know how to do it disabling "recursion"... If I disable recursion I will be unable to resolve external DNS names.
    Any suggestion will be really appreciated!!
    thx!!

    That's basically for your internet facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
    Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, not that you're probably seeing them or not, but I just wanted to add that:
    Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
    http://support.microsoft.com/kb/813964
    Cannot resolve names in certain top level domains like .co.uk.
    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
    ============
    To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
    Set the MaxCacheTtl to 0 in the registry or use Dnscmd
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
       Value:     MaxCacheTtl
       Type:     DWORD
       Default:  NoKey (Cache for up to one day)
       Function: Set maximum caching TTL.
    MaxCacheTtl
    Type: DWORD
    Default value: 0x15180 (86,400 seconds = 1 day)
    Function: Determines how long the DNS server can save a record of a
    recursive name query.
    You can use the MaxCacheTtl registry entry to specify how long the DNS
    server can save a record of a recursive name query.
    If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
    any records.
    The DNS server saves the records of recursive name queries in a memory cache
    so that it can respond quickly to new queries for the same name. Records are
    deleted from the cache periodically to keep the cache content current. The
    interval when the records remain in the cache typically is determined by the
    value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
    establishes the maximum time that records can remain in the cache. The DNS
    server deletes records from the cache when the value of this entry expires,
    even if the value of the TTL field in the record is greater.
    Change method
    To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
    included with the Windows 2000 Support Tools. The change is effective
    immediately so that you do not have to restart the DNS server.
    Start method
    DNS reads its registry entries only when it starts. If you change the value
    of the MaxCacheTtl entry by editing the registry, the changes are not
    effective until you restart the DNS server.
    Note the following items: . Windows 2000 does not add the MaxCacheTtl entry
    to the registry. You can add it by editing the registry or by using a
    program that edits the registry.
    The MaxCacheTtl entry does not affect Windows Internet Name Service
    (WINS) data that is saved in the DNS memory cache. WINS data is saved until
    the Cache Timeout Value on the WINS record expires. To view or change the
    Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a
    zone name, click Properties, click the WINS tab, and then click Advanced.
    ===============================
    Ace
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
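    The test Nessus ran in the plugin output above, written out as an added example (not code from this thread or from Nessus): it sends an A query for a third-party name with the RD bit cleared and classifies the reply, so an administrator can confirm on their own server that a change such as MaxCacheTtl = 0 actually stops cached answers from being handed out. The sample replies at the bottom are constructed, and the live snoop_check assumes the server answers on UDP/53.

```python
import socket
import struct

# Added example, not code from the thread or from Nessus. It reproduces the
# check the plugin output describes: query a third-party name with the RD
# (Recursion Desired) bit cleared and see whether the server still hands back
# an answer. For a name outside its own zones that answer can only come from
# its cache, which is exactly what the scanner flags.

QUERY_ID = 0x1234  # fixed transaction id so replies can be matched


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, rd=False):
    """Build an A/IN query; rd=False leaves the RD bit (0x0100) cleared."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", QUERY_ID, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Pull the header bits and any A-record IPs out of a DNS reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # step over the echoed question section
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {
        "id": qid,
        "rcode": flags & 0x000F,
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "ra": bool(flags & 0x0080),   # Recursion Available
        "answers": an,
        "ips": ips,
    }


def classify(resp):
    """Turn a reply to an RD=0 query into a finding, in the plugin's terms."""
    if resp["rcode"] == 5:
        return "refused: server declines non-recursive queries from this source"
    if resp["answers"] > 0 and resp["aa"]:
        return "authoritative: answer comes from a hosted zone, not the cache"
    if resp["answers"] > 0:
        return "exposed: served %d cached answer(s) without recursion" % resp["answers"]
    return "not exposed: no cached answer returned"


def snoop_check(server, name="example.com", timeout=2.0):
    """Live check against your own resolver: send the RD=0 query over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rd=False), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch")
    return classify(resp)


# Constructed sample replies (not captured traffic) so the parser can be
# exercised offline. The IP is the one quoted in the plugin output above.
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
CACHED_REPLY = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8080, 1, 1, 0, 0)  # QR=1, RA=1, AA=0
    + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 43, 10])
)
REFUSED_REPLY = struct.pack("!HHHHHH", QUERY_ID, 0x8085, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify(parse_response(CACHED_REPLY)))   # exposed
    print(classify(parse_response(REFUSED_REPLY)))  # refused
```

    Run snoop_check twice, once before and once after the cache or recursion change, against a name the server has just resolved for a client; the finding should move from "exposed" to "not exposed" or "refused".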

  • DNS / BIND  - Can I configure primary and standby forwarders?

    Hi all,
    I have on Solaris 10 (x86) a DNS server (BIND 9.3.6-P1) that relies exclusively on two “forwarders”: 155.28.144.13 and 154.23.134.32.
    The configuration is as follows:
    # cat /etc/named.conf
    acl "CSClan" { 192.168.4.0/24; 192.168.7.0/24; }; //CSC internal LAN ip address range
    options {
            directory "/var/named";
            forward only;
            forwarders {
                    155.28.144.13;
                    154.23.134.32;
            };
            allow-query { "localnets"; };
    };
    # cat /etc/resolv.conf
    nameserver 127.0.0.1
    When I check with snoop, I can see requests sometimes to one forwarder, sometimes to the other.
    Is it possible to configure DNS to use primarily one forwarder?
    Thanks in advance for your support.
    Best Regards,
    Rui Vilão

    In 10g, Data Guard started to support different binaries on primary and standby database servers with the same OS family. For example, Microsoft Windows 64-bit on the primary and Microsoft Windows 32-bit or Microsoft Windows 64-bit for AMD on the standby database server. However, with 11g, Data Guard also supports different OSes on primary and standby servers.
    Role Transitions for Data Guard Configurations Using Mixed Oracle Binaries [ID 414043.1]
    Data Guard Support for Heterogeneous Primary and Physical Standbys in Same Data Guard Configuration [ID 413484.1]

  • DHCP Snooping WLC

    Hi,
    I would like to do DHCP snooping on the WLC,
    or a method to block rogue DHCP servers and authorize only my DHCP server.
    Best Regards,
    Julien Hernandez.

    Here is the client 192.168.0.0:
          AP-INDE-104(slot 0)
            antenna0: 214 secs ago................... -95 dBm
            antenna1: 214 secs ago................... -91 dBm
          AP-INDE-102(slot 0)
            antenna0: 215 secs ago................... -87 dBm
            antenna1: 215 secs ago................... -88 dBm
          AP-INDE-100(slot 0)
            antenna0: 11014 secs ago................. -96 dBm
            antenna1: 11014 secs ago................. -96 dBm
          AP-INDE-101(slot 0)
            antenna0: 11013 secs ago................. -96 dBm
            antenna1: 11013 secs ago................. -95 dBm
    DNS Server details:
          DNS server IP ............................. 0.0.0.0
          DNS server IP ............................. 0.0.0.0
    Assisted Roaming Prediction List details:
     Client Dhcp Required:     True
    Allowed (URL)IP Addresses

  • Ping blocks when looking up reverse dns PTR/RR

    Hi!
    If someone could shed some light on this behaviour, it would really make my day!
    When using ping -s to ping an IP address that doesn't have a PTR RR, ping will time out until the DNS timeout.
    This would be fine, except that when the replies do show, their response times are through the roof:
    PING 80.79.163.74: 56 data bytes
    64 bytes from 80.79.163.74: icmp_seq=0. time=5.65 ms
    64 bytes from 80.79.163.74: icmp_seq=1. time=1.38e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=2. time=1.37e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=3. time=1.36e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=4. time=1.35e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=5. time=1.34e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=6. time=1.33e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=7. time=1.32e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=8. time=1.31e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=9. time=1.30e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=10. time=1.29e+05 ms
    64 bytes from 80.79.163.74: icmp_seq=139. time=236. ms
    64 bytes from 80.79.163.74: icmp_seq=140. time=5.92 ms
    However, snooping while ping is busy with DNS shows that packets do get transmitted and received; ping without -s works fine, and ping -sn also works fine.
    I can reproduce this on Solaris 8, 9 and 10, so I assume this is expected behaviour, although I cannot find any information about this issue. Do you know more?
    br, Christofer.
    Edited by: oholiks on Jun 30, 2008 1:03 AM
    added ping example.

    Try to debug this:
    nslookup -debug hostname
    user@server# nslookup -debug aaa.aaa.aaa.aaa vld-dc-1
    Server: domain-controller-1
    Address: xxx.xxx.xxx.xxx#yy
    QUESTIONS:
    aaa.aaa.aaa.aaa.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    -> aaa.aaa.aaa.in-addr.arpa
    origin = domain-controller-1
    mail addr = admin.ru
    serial = 26
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 900
    ADDITIONAL RECORDS:
    ** server can't find aaa.aaa.aaa.aaa.in-addr.arpa: NXDOMAIN
    The solutions:
    1) add correct dns records to resolve host names
    2) add IP in /etc/hosts
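    The shape of the output in the question (one normal reply, then a run of enormous times that fall by one second per sequence number, then a jump in sequence numbers and normal times again) is what you get when the receive loop of a pinger stops to do a blocking reverse lookup while requests keep going out once a second. The following Python model is an added illustration and is not code from either post, nor Solaris ping itself: replies arrive on the wire after a few milliseconds, the loop blocks once on the PTR lookup until the resolver gives up, every reply that landed meanwhile is read afterwards and stamped against its send time, and the kernel receive queue only holds so many of them. The 139 s block, the queue depth of ten and the 5 ms wire RTT are assumptions picked to resemble the pasted numbers, not measurements.

```python
"""Model of why `ping -s` prints huge RTTs while a reverse (PTR) lookup blocks.

Added example.  The 139 s resolver timeout, the receive queue of ten replies and
the 5 ms wire RTT are assumptions chosen to resemble the output in the thread.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Reply:
    seq: int
    reported_ms: float  # what ping prints: (time the reply was read) - (time the request was sent)
    wire_ms: float      # the real round trip on the wire


def simulate_ping(count, interval=1.0, wire_rtt=0.005, lookup_block=0.0, recv_queue=10):
    """Event model of a ping loop whose first reverse lookup blocks.

    A request goes out every `interval` seconds; its reply lands `wire_rtt`
    seconds later and sits in the kernel receive queue (capacity `recv_queue`,
    later arrivals dropped) until the user-space loop reads it.  The loop
    blocks for `lookup_block` seconds in the PTR lookup after reading the first
    reply (assumed to block once, as in the thread).  The reported RTT is read
    time minus send time, which is all ping can compute.  Returns the replies
    that were actually read, in order.
    """
    arrivals = [(seq * interval + wire_rtt, seq) for seq in range(count)]
    pending = deque()      # replies waiting in the kernel receive buffer
    read = []
    reader_free_at = 0.0   # earliest time the loop can call recv() again
    blocked_once = False
    i = 0
    while i < len(arrivals) or pending:
        if not pending:
            # nothing buffered: the loop sleeps in recv() until the next reply lands
            t, seq = arrivals[i]
            i += 1
            reader_free_at = max(reader_free_at, t)
            pending.append((t, seq))
            continue
        # everything that landed while the loop was busy is queued, or dropped when full
        while i < len(arrivals) and arrivals[i][0] < reader_free_at:
            t, seq = arrivals[i]
            i += 1
            if len(pending) < recv_queue:
                pending.append((t, seq))
        t, seq = pending.popleft()
        read_at = reader_free_at
        read.append(Reply(seq, (read_at - seq * interval) * 1000.0, wire_rtt * 1000.0))
        if lookup_block and not blocked_once:
            # the PTR lookup for the first reply hangs until the resolver gives up
            reader_free_at = read_at + lookup_block
            blocked_once = True
    return read


def format_like_ping(reply, ip):
    """Render one reply the way Solaris ping prints it (three significant digits)."""
    return f"64 bytes from {ip}: icmp_seq={reply.seq}. time={reply.reported_ms:.3g} ms"


if __name__ == "__main__":
    # 141 requests, one blocking lookup of 139 s: compare with the output in the thread
    for r in simulate_ping(141, lookup_block=139.0):
        print(format_like_ping(r, "192.0.2.1"))   # 192.0.2.1 is a documentation address
    print("--- with -n (no lookup) ---")
    for r in simulate_ping(5):
        print(format_like_ping(r, "192.0.2.1"))
```

The model says nothing about the network: every reply has a 5 ms wire RTT, exactly as the snoop in the question showed, and the "-n" run (no lookup, so `lookup_block=0`) reports 5 ms throughout. What inflates the numbers is purely the time the reply sat in the queue behind the lookup.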

  • DNS Server Infrastructure Design

    Good day IT Folks,
    Currently I'm at the planning stage of designing the DNS infrastructure of our company. I've read a lot of the reading material available online about DNS. According to what I've gathered, two (2) DNS servers are the minimum and three (3) are recommended for the usual DNS setup. What I want for my DNS infrastructure is to have two (2) DNS servers for my LAN (internal network) and one (1) DNS server for my LAN-to-Internet connection (external network).
    The two (2) DNS servers will resolve LAN requests and will forward requests to the other (1) DNS server if internet-related sites are requested. I would like to ask for your help to give me insights into how I am going to do this, where to start and what the things I should consider are.
    Thanks.
    akosijesyang - the conqueror

    You could go with a secure design such as the following:
    See if the following threads help:
    Technet Thread: Problem with Windows 2008 R2 Dns Server getting SERVFAIL resolving one domain, 1/18/2012
    Includes a secure DNS forwarder in the DMZ image
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b00fc041-ba44-45b6-a8a1-a00374a20edf
    Technet Thread: DNS Structure to rebuild efficiently - Question about the resolution process, 10/27/2011
    Includes a secure DNS forwarder in the DMZ image
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3a5fb6ac-6ab7-45b1-abab-e0d928a7e06c
    Good discussion on DMZ secured resolver design, and the use of Unbound DNS Resolver (http://unbound.net/) on your DMZ DNS server instead of Windows DNS. (Note: IMHO, for AD, I would rather use Windows DNS. - Ace)
    Technet Thread: W2003 DNS cache snooping vulnerability for PCI-DSS compliance, 10/10/2011
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/67e9189b-606a-40d2-9944-8b4c7d084017/
    And dealing with internal and external names:
    Can't Access Website with Same Name (Split Zone or no Split Brain)
    Published by Ace Fekay, MCT, MVP DS on Sep 4, 2009 at 12:11 AM
    Note - In an AD same name as the external name (split zone) scenario, if you don't want to use WWW in front of URL, such as to access it by
    http://domain.com, then scroll down to "So you don't want to use WWW in front of the domain name"
    http://msmvps.com/blogs/acefekay/archive/2009/09/04/split-zone-or-no-split-zone-can-t-access-internal-website-with-external-name.aspx
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.
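    The cache snooping thread linked above is about a check scanners run against resolvers: send a query with the RD (recursion desired) bit clear. A server that answers such a query with records is answering from its cache, which tells the asker which names other clients recently resolved (and the decaying TTL tells roughly when); an answer with AA set is for a zone the server hosts and is not a leak, while a hardened resolver returns REFUSED or no answer. The following Python example is added here and is not code from the thread, the linked TechNet posts or Microsoft DNS. `build_response` is a test fixture that fabricates replies so the classification can be exercised offline; `probe` is the only function that touches the network and takes the resolver address and the name to test as arguments.

```python
"""RD=0 cache-snooping probe: build the query, classify the reply, read answer TTLs.

Added example; `build_response` fabricates replies for offline checking and is
not how any real server behaves beyond the wire format.
"""
import random
import socket
import struct

QTYPE_A = 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, rd=0, txid=None):
    """Build a DNS query; rd=0 asks the server to answer only from what it already holds."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the flags a snooping check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def answer_ttls(response):
    """TTLs of the answer records; a cached record's TTL is below the zone's original value."""
    h = parse_header(response)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(response, off) + 4          # QTYPE + QCLASS
    ttls = []
    for _ in range(h["ancount"]):
        off = skip_name(response, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return ttls


def classify(query, response):
    """Interpret a reply to an RD=0 probe."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "not a reply to our query"
    if h["aa"]:
        return "authoritative answer (zone hosted here, not a cache hit)"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "answered from cache with RD=0: name was recently looked up (snoopable)"
    if h["rcode"] == RCODE_REFUSED:
        return "REFUSED: non-recursive queries are not served from cache (hardened)"
    return "no cached answer"


def build_response(query, ttls, aa=0, rcode=RCODE_NOERROR):
    """Fabricate a reply to `query` with one A record per TTL (test fixture, 192.0.2.x addresses)."""
    qh = parse_header(query)
    flags = 0x8000 | (aa << 10) | (qh["rd"] << 8) | 0x0080 | rcode   # QR, AA?, RD echoed, RA
    qend = skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", qh["id"], flags, 1, len(ttls), 0, 0) + query[12:qend]
    for n, ttl in enumerate(ttls):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + bytes([192, 0, 2, n + 1])
    return msg


def probe(server, name, timeout=3.0):
    """Send the RD=0 probe to a real resolver (network; not exercised offline)."""
    q = build_query(name, rd=0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(q, data), answer_ttls(data)
```

A resolver that passes this check for names it does not host returns no answer section or REFUSED. Note that disabling recursion outright, as discussed for the DMZ forwarder design, also closes the probe for every name; the internal servers that keep recursion for LAN clients should at least not be reachable on UDP/TCP 53 from outside.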

  • Troubleshooting DNS

    We're running Sun Solaris 8 on our DNS servers with bind 9.1.5
    We are experiencing intermittent DNS issues where our users are reporting intermittent problems with name resolution. They're telling me that in some cases the name lookups seem to stop responding.
    I'm new to troubleshooting this type of problem. I too have noticed that there is a problem because I had to restart named on 2 of our 4 DNS servers just this morning.
    Before I spend too much more time going through the logs, can anyone tell me which logs give me the information that can start me down a logical path of troubleshooting these issues? We've got logs in /var/log called biglog, dsmerror, and messages. Then there's logs in /var/log/named called named.crit, named.debug, named.info, and queries.
    In addition to the logs, there's snoop port 53, which gives me info that doesn't seem to appear in any of the other logs.
    The big question is where do I start down this path?
    Thanks in advance, Penny

    The purpose of setting up a VLAN is to group certain network devices and only allow these devices to communicate with each other. Only computers or devices which are members of that VLAN will be able to communicate successfully. Because the workstation is on a different VLAN from that of the DNS/DHCP or RRAS, it is possible that this is the reason why they can't communicate. Maybe try adding that DNS/DHCP or RRAS server to the VLAN of the workstation and see if it will work.
    Other than this, I suggest contacting Cisco Tech Support to look further into your concern. I believe this unit belongs to the business series devices that Cisco is now supporting. Try this link for the other business series devices and the site where you can get hold of Cisco for support:
    http://www.cisco.com/web/products/linksys/index.html

  • Cisco ASA unable to inspect Microsoft DNS

    Hi All,
    I have setup Botnet Filter and is working good except for one thing.
    While it can inspect DNS packets for clients that have DNS servers outside my network (for example OpenDNS), it can't inspect packets from my internal DNS infrastructure, which is Microsoft DNS; the forwarders set up on my DNS servers are Google's and OpenDNS.
    My DNS servers sit on the same subnet as the clients and their traffic passes through the ASA, so I wonder why the ASA is not able to catch their traffic.
    Here is the relevant parts of the config
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable interface outside classify-list botnet-exclude
    dynamic-filter drop blacklist interface outside action-classify-list botnet-exclude threat-level range very-low very-high
    dynamic-filter ambiguous-is-black
    class-map inspection_default
     match default-inspection-traffic
    class-map botnet-DNS
     match port udp eq domain
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
      inspect dns migrated_dns_map_1
     class class-default
      user-statistics accounting
    policy-map botnet-policy
     class botnet-DNS
      inspect dns dynamic-filter-snoop
    Does somebody have any clues?

    Missed a little part of config
    service-policy global_policy global
    service-policy botnet-policy interface outside

  • DDOS DNS

    Experiencing what I believe are DDOS attacks on an ASA5510 running Ver 8.3(2)
    I have set up threat detection and shunning
    threat-detection basic-threat
    threat-detection scanning-threat shun duration 36000
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 15 burst-rate 25 average-rate 25
    dynamic-filter use-database
    dynamic-filter enable
    dynamic-filter drop blacklist
    policy-map Outside-policy
    class Outside-class
      inspect dns dynamic-filter-snoop
      set connection conn-max 20 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 5
      set connection timeout idle 1:00:00 reset
    class Outside-class1
      inspect dns dynamic-filter-snoop
      set connection conn-max 20 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 10
      set connection timeout idle 1:00:00 reset
    1.) Are these looking correct?
    2.) Is there anything else that I can do via configuration that would ameliorate these attacks?          
    3) Is there anything else besides looking into getting AIP-SSM?
    TIA for any assistance

    Hello.
    For DDoS prevention you may use either a DDoS prevention service from a third party, or just try to protect your subnets/hosts with
    Remote Triggered Black Hole Filtering
    https://tools.ietf.org/html/rfc5635
    Also, if you face any issue with network link utilization (inside your network), deploy QoS or upgrade the links.
    PS: I wonder where you were not able to access your BGP routers?! Are they not fast enough to process 1G of data? Don't you protect management and control plane on the network devices?
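    Two of the threads above ask where to start: which log to read first on a BIND resolver that "stops responding", and what can be done about a DNS flood beyond the ASA's connection limits (which count TCP connections and embryonic handshakes, while most DNS traffic is UDP). The query log answers both questions faster than the firewall counters do. The following Python script is added here and is not code from either thread, BIND, or the ASA: it parses query-log lines in the BIND 9 `client IP#port: query: NAME IN TYPE flags` form (that format and the timestamp layout are assumptions; the sample entries are constructed, not real traffic) and flags three patterns: a source exceeding a query rate inside a sliding window, a source sending many ANY queries (the usual amplification bait, where the logged "client" address is really the spoofed victim), and a burst of unique random subdomains under one zone, which defeats caching and makes the server work on every query. The thresholds are arbitrary starting points.

```python
"""Triage a BIND-style query log for flood patterns (added example; sample lines constructed)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line layout: "30-Jun-2008 10:15:00.000 client 192.0.2.10#53211: query: www.example.com IN A +"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)(?: (?P<flags>\S+))?$"
)


def parse_line(line):
    """Return a dict for a query-log line, or None for anything else (named writes other messages too)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f")
    d["name"] = d["name"].lower().rstrip(".")
    return d


def zone_of(name, depth=2):
    """Crude zone cut: the last `depth` labels (good enough to group random-subdomain floods)."""
    return ".".join(name.split(".")[-depth:])


def analyze(lines, window_s=10, per_src_max=50, any_max=5, unique_sub_max=20):
    """Return (kind, subject, count) findings: 'rate', 'any' and 'random-subdomain'."""
    per_src = defaultdict(list)
    any_by_src = Counter()
    subs = defaultdict(set)
    for raw in lines:
        q = parse_line(raw)
        if q is None:
            continue
        per_src[q["src"]].append(q["ts"])
        if q["qtype"] == "ANY":
            any_by_src[q["src"]] += 1
        subs[zone_of(q["name"])].add(q["name"])
    findings = []
    for src, times in per_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):           # sliding window over this source's timestamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 > per_src_max:
                findings.append(("rate", src, i - j + 1))
                break
    for src, n in any_by_src.items():
        if n > any_max:
            findings.append(("any", src, n))
    for zone, names in subs.items():
        if len(names) > unique_sub_max:
            findings.append(("random-subdomain", zone, len(names)))
    return findings


def sample_log():
    """Constructed log lines (documentation addresses only, not captured traffic)."""
    base = datetime(2008, 6, 30, 10, 15, 0)

    def fmt(t):
        return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]

    lines = []
    for i in range(5):                           # an ordinary client: a few A queries
        lines.append(f"{fmt(base + timedelta(seconds=3 * i))} client 192.0.2.10#53211: query: www.example.com IN A +")
    for i in range(80):                          # 80 ANY queries from one address in two seconds
        lines.append(f"{fmt(base + timedelta(milliseconds=25 * i))} client 198.51.100.7#40000: query: isc.org IN ANY +")
    for i in range(30):                          # 30 distinct random labels under one zone, many sources
        lines.append(f"{fmt(base + timedelta(milliseconds=100 * i))} client 203.0.113.{i + 1}#5000{i % 10}: "
                     f"query: x{i:04d}.victim.example IN A -")
    lines.append("30-Jun-2008 10:15:05.000 general: info: zone example.com/IN: loaded serial 26")
    return lines


if __name__ == "__main__":
    for kind, subject, count in analyze(sample_log()):
        print(f"{kind:17} {subject:20} {count}")
```

Rate-limiting a "source" that is really a spoofed victim punishes the victim, which is why the answer above points at RTBH and upstream scrubbing rather than per-client limits; the log analysis is still the quickest way to see which of the three patterns you are facing before choosing the response.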

  • Open DNS follow-up report

    Interestingly, after a very positive experience by adding the open DNS numbers 208.67.222.222 and 208.67.220.220, I found today that every time I tried to open Safari it knocked me offline. So I've now resorted back to the number originally assigned to me.
    What's going on with Safari?

    Jake,
    One Verizon DSL account; one Westell 6100 modem
    Check with Verizon and find out what the max download / upload speeds should be.
    If this is the plan you purchased: http://www22.verizon.com/residential/highspeedinternet/
    *"And we’re constantly looking for ways to make our DSL faster—recently upgrading our Starter plan to 1 Mbps* download and our Turbo plan to 7.1 Mbps."*
    1 Mbps download / 7.1 Mbps is hardly high speed.
    You can check your upload/download speeds here. http://www.speedtest.net/
    To realize faster download and uploads speeds you would need to upgrade your service.
    This is more than just a DNS issue.

  • Problem with DNS and/or Virtual Host (works from inside, not from outside)

    I am running several web sites (as virtual hosts) successfully on one Xserve (192.168.200), which are accessible internally and from the Internet (via forwarding port 80 on our firewall).
    Now I am trying to add another web site (newmini.domain.com), which however is running on a Mac mini (also on the same subnet as the Xserve) at 192.168.100. What I did is make an additional entry under the Xserve's DNS for the domain (domain.com) (+ Machine..., pointing to 192.168.0.100). (I also made the necessary changes to the Mac mini's httpd and hosts configuration--no problem there).
    Now, here's the strange thing: All computers on the subnet, whose DNS points to the Xserve, can see and browse newmini.domain.com fine. No problem. The computers ask the Xserve for the IP of the host in question, the Xserve says, "192.168.100", the request goes to the Mac mini, and it serves the web site as expected.
    But this doesn't happen if the request comes from the Internet. Instead of seeing the Mac mini, the client sees the default web site of the Xserve... So it appears that somewhere, the virtual host part of the HTTP request is lost between our firewall and the Xserve.
    Any ideas? Thanks.

    It's not going to.
    You say you've set up port forwarding on the firewall. Port forwarding only cares about the port number (80). It knows nothing about the nature of the request (e.g. the hostname that the web request is for). Therefore all external connections on port 80 get sent to the XServe. The newmini doesn't see the traffic at all.
    If you only have a single public IP address you can only forward port 80 traffic to a single machine. Your options are to either use a different port number, or configure the XServe to proxy the connection to the mini (so now the traffic goes router -> XServe -> Mini -> XServe -> router), although that might not do what you want since it still places load and dependencies on the XServe.

  • Open DNS

    My very much up-to-date Safari has been exceptionally neurotic. The day begins at lightning speed, then slows down, then, from time to time, Safari simply knocks out my internet connection.
    I've seen others here suggesting one could add 208.67.222.222 and 208.67.220.220 in their DNS menu. I haven't done it yet, simply because when I click "+" to do so, my current numbers disappear. I was hoping the two series of numbers above could be added rather than substituted, so that if there was a problem with the two suggested numbers, I could revert back to the old ones, provided by, I assume, my internet provider Verizon.
    Any thoughts on the above?

    How did you add them?
    If you are using a single computer: Open System Preferences/Network. Double click on your connection type, or select it in the drop-down menu, and in the box marked 'DNS Servers' add the following two numbers:
    208.67.222.222
    208.67.220.220
    (You can also enter them if you click on Advanced and then DNS)
    Sometimes reversing the order of the DNS numbers can be beneficial in cases where there is a long delay before web pages start to load, and then suddenly load at normal speed:
    http://support.apple.com/kb/TS2296
    If your computer is part of a network: please refer to this page: http://www.opendns.com/start/bestpractices/#yournetwork and follow the advice given.
    (An explanation of why using Open DNS is both safe and a good idea can be read here: http://www.labnol.org/internet/tools/opendsn-what-is-opendns-why-required-2/2587/
    Open DNS also provides an anti-phishing feature: http://www.opendns.com/solutions/homenetwork/anti-phishing/ )
    Wikipedia also has an interesting article about Open DNS:
    http://en.wikipedia.org/wiki/OpenDNS

  • Open DNS and internet sharing

    I am seeing strange behavior, and wondering if anyone has a thought about what is going on.
    I am at a hotel with fast internet service over ethernet, but, for whatever reason, DNS seems very slow if I use DHCP to connect (timeouts of 5-10 secs to get to a new site). If I switch to DHCP with fixed DNS, and use the Open DNS servers (208.67.222.222, 208.67.220.220) the latency issues go away.
    The interesting thing is that I am sharing the internet connection over Airport to my wife's computer (she connecting thru DHCP). If I use a fixed DNS for MY computer, then her computer cannot connect thru internet sharing. But if I use the (slow) DHCP connection, then she can connect through mine. I have not tried setting up her computer with a fixed DNS, as she really doesn't like me to change settings on her computer
    Is this a known limitation of internet sharing, or is there something I should know?
    TIA

    In more detail, if my ethernet (the computer that is doing the sharing), is set up with Configure: Using DHCP, and DNS Server: 208.67.222.222, 208.67.220.220 (in Network Panel for Ethernet), then the computer connecting thru Internet Sharing in Sharing Panel is not able to access some or all resources thru http (ie, pages fail to load, or do not fully load).
    However, if I clear the DNS Server part in the Network Panel, thereby using the DNS servers supplied by the hotel, then my computer's connection to the internet is slower, with long waits (presumably due to a slow DNS server), but computers accessing the internet via Airport through my shared connection are able to browse the internet successfully.
    I suspect that when I have a fixed DNS server in my computer, that fact is not broadcast to computers using the shared connection. But I am not an expert in TCP/IP, and may well be confused about how DHCP, DNS, and Apple's Internet Sharing work together.
    Thanks for any ideas you have
    A

  • Open DNS & Airport Question

    I have a wireless network (Airport Extreme and Airport Express for range in the back of my house). Have 4 Macs on the network. All have Open DNS set in System Prefs>Network>Airport>Advanced>DNS.
    Should I set one or both of the Airports to Open DNS also? If so, how? I looked at Airport Utility and see no ready way to do it.
    If I should add Open DNS to Airport, can someone tell me how in an easy to follow fashion?
    Thanks in advance!

    No, sorry.
    All my machines are individually set for Open DNS: System Prefs>Network>Airport>Advanced>DNS: 208.67.222.222; 208.67.220.220.
    The machines have been set this way for a long time.
    My Q: Can/Should I set my Airports (Express and Extreme) somehow for Open DNS?
    My general configuration is:Cable>Modem>Airport>4 Macs.
    The hardware configuration is Cable into Router (Cox), Ethernet into Extreme, broadcast to Express 5 rooms away (to serve 2 of the 4 Macs); Ch 1 all.
    Perfect connection - so don't want to mess with that.
    Just want to know (if I can to speed up download time) --
    Would (if possible) setting the Airport settings to Open DNS help my speed? If so, how in the world would one do that - - > set the actual base station to have Open DNS settings?
    Make sense? Hope so!
    Thanks!
    Message was edited by: pcbjr
