manning Just Arrived
Joined: 07 Aug 2006 Posts: 1 Location: Northern Ohio USA
Posted: Thu Aug 26, 2010 5:50 pm Post subject: Rogue DNS interferes with VPN access
Hello,
I brought up this issue a while ago when I first discovered what was going on. Basically here are the details:
- we have a private domain with a given domain name.
- somebody else has that name registered in the public space and has it parked.
- They also have the DNS set up with a wildcard entry.
So what happens is when one of my users is outside the network and attempts to connect to our private network via VPN (Windows), the DNS server interferes with the connection to a degree. I have edited the HOSTS file on my users computers to help mitigate this (server names only resolve to static internal IPs), but it still bothers me that something bad might happen.
What I see as my options are:
- Change my internal domain name. This sound like a PITA, and I have had the name in place for 13 years without a problem til now
- Attempt to buy the public domain name. Not likely. The name is registered to somebody who is squatting on it and wants a fortune for it.
- Just deal with it.
Any opinions or suggestions? Can I report them to somebody? The name is registered in Russia.
Last edited by manning on Thu Aug 26, 2010 8:05 pm; edited 1 time in total
operat0r2 Just Arrived
Joined: 26 Apr 2010 Posts: 0
Posted: Thu Aug 26, 2010 6:42 pm Post subject:
You can push the hosts file to clients; that would be an easy hack. Alternatively, you can run your own DNS server.
manning Just Arrived
Joined: 07 Aug 2006 Posts: 1 Location: Northern Ohio USA
Posted: Thu Aug 26, 2010 7:46 pm Post subject:
Hello,
Thanks for the reply.
Yes, I have already edited the HOSTS file on the users' computers. That helps in that it limits resolution of my internal server names to my internal name server.
Not sure what you mean, though, about running my own DNS server. I have DNS servers to resolve names on my private AD network, and they should only resolve the domain name to the internal IP. This is the case when users are behind the firewall, but when they are outside our network and VPN in, the 'rogue' DNS server seems to be able to intercept requests. Obviously those resources that are in the HOSTS file resolve correctly, but I have this bad feeling that the rogue DNS may be able to do something bad. Is there something I can do with the HOSTS file to tell the computers to never ever respond to anything from the public IP of the rogue DNS server?
If I nslookup my private domain on the public net it resolves to a 209.50.243.xx IP. If I then tracert that IP it ends at a server named mauri.spb.ru. Can I do something on the local machines that blocks that name and/or IP from interfering with my desired name resolution? IPsec policy?
EDIT I think this helped:
ipseccmd -f 209.50.243.18/255.255.255.255=*
except that it wasn't persistent, so I tried this syntax to make it static, or persistent:
ipseccmd -w REG -p "Block Ru Rogue" -r "Block Rogue DNS" -f 209.50.243.18/255.255.255.255=* -n BLOCK -x
I think it is working; does it look correct? At least now when I restart the computer and run netdiag /test:ipsec I see the rule still listed. Also, I don't see the foreign address 209.50.243.18 listed anymore if I run netstat -n.
I also added the name of the rogue DNS server to the HOSTS file with the localhost IP to see if that helps.
Thanks
krugger SF Mod
Joined: 08 Jun 2006 Posts: 16777209
Posted: Fri Aug 27, 2010 6:21 pm Post subject:
If they change DNS you will have a problem. If they start using the domain it might get cached in other public DNS servers and you will have the problem again. And you can expect them to have valid certificates for a domain you are operating, which might be a problem. MX records can get mixed up, and so on.
I would start planning to change the name you use.
manning Just Arrived
Joined: 07 Aug 2006 Posts: 1 Location: Northern Ohio USA
Posted: Fri Aug 27, 2010 7:49 pm Post subject:
krugger wrote:
If they change DNS you will have a problem. If they start using the domain it might get cached in other public DNS servers and you will have the problem again. And you can expect them to have valid certificates for a domain you are operating, which might be a problem. MX records can get mixed up, and so on.
I would start planning to change the name you use.

The only domain name we have in common is my internal one and their public one, which they have parked. My public FQDN and MX are something different.
So for example my private and their public could be for demo purposes:
joesgarage.com
and my public, MX etc. could be:
bigjoesgarage.com
From inside my private network the common domain name only resolves to my internal DNS servers. Outside of our firewall it resolves to theirs. Hopefully that makes a difference???
I made an offer for the domain name in question again through NS, and they countered with $3000.00 US. Not doing that.
Sgt_B Trusted SF Member
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
Posted: Fri Sep 03, 2010 7:01 pm Post subject:
Just to reinforce what krugger suggested, you may want to consider changing your internal domain name. This very reason is why it's important to use a DNS suffix that isn't a TLD for internal domains. (List Here)
Right now you're experiencing some availability issues, but depending on how the rightful owner of that domain chooses to use that name, you could experience more interesting issues.
PS - You're the rogue DNS...not them.
manning Just Arrived
Joined: 07 Aug 2006 Posts: 1 Location: Northern Ohio USA
Posted: Fri Sep 03, 2010 8:59 pm Post subject:
Ugh, that's what I wanted to avoid. I didn't set up this domain, the old systems admin did, and I don't think a dozen years ago or so he really put a second's worth of thought into whether we would run into something like this.
So if I should not use some domain name .com, what should I use for my private net? Or are you saying don't use a TLD that I don't own, whether it uses .com or not?
As far as me being the rogue, you mean only when I try to do anything outside my private net with this name, correct? Since the domain name in question, in my use is internal and uses 'private' IPs, it doesn't exactly interfere by its nature with any registered public instance of the name, correct?
Sgt_B Trusted SF Member
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
Posted: Fri Sep 03, 2010 9:27 pm Post subject:

manning wrote:
As far as me being the rogue, you mean only when I try to do anything outside my private net with this name, correct? Since the domain name in question, in my use is internal and uses 'private' IPs, it doesn't exactly interfere by its nature with any registered public instance of the name, correct?

Exactly. You're not hurting anyone else on the interwebs, so it's not a big deal.
Just pick a domain suffix that is not on the TLD list. A lot of people just use yourdomain.local, but it can really be anything you want. You could technically use yourdomain.snuffleupagus but that would be odd...or totally awesome.
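Sgt_B's advice above, turned into an added offline check (my example, not code from this thread): it tests whether an internal zone's suffix is a delegated public TLD and whether any HOSTS entries pinned for that zone point outside private address space, which is the kind of mismatch the earlier posts were working around. The TLD excerpt and the HOSTS text are constructed for the example.

```python
import ipaddress

# Constructed excerpt of the public TLD list. Assumption: a real audit loads the
# full IANA list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt) instead.
PUBLIC_TLDS = {"com", "net", "org", "info", "biz", "ru", "us", "uk", "de"}

# Address ranges an internal-only zone should resolve to (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample HOSTS file in the style of the workaround described in the thread.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
10.0.0.5        dc1.joesgarage.com
10.0.0.6        mail.joesgarage.com   # internal mail server
203.0.113.5     www.joesgarage.com    # stale entry pointing at a public address
127.0.0.1       parked-host.example   # parking server name pinned to loopback
"""

def suffix_is_public_tld(domain, tlds=PUBLIC_TLDS):
    """True if the zone's last label is a delegated public TLD (a collision risk)."""
    return domain.strip(".").rsplit(".", 1)[-1].lower() in tlds

def is_internal_address(ip):
    """True if ip falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS-style text, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries

def audit_internal_zone(domain, hosts_text, tlds=PUBLIC_TLDS):
    """Flag a public-TLD suffix and any zone names pinned to non-internal addresses."""
    zone = domain.strip(".").lower()
    in_zone = [(ip, name) for ip, name in parse_hosts(hosts_text)
               if name == zone or name.endswith("." + zone)]
    non_internal = [(ip, name) for ip, name in in_zone if not is_internal_address(ip)]
    return {"public_tld": suffix_is_public_tld(zone, tlds),
            "zone_entries": in_zone, "non_internal": non_internal}

if __name__ == "__main__":
    print(audit_internal_zone("joesgarage.com", SAMPLE_HOSTS))
```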
manning Just Arrived
Joined: 07 Aug 2006 Posts: 1 Location: Northern Ohio USA
Posted: Fri Sep 03, 2010 9:46 pm Post subject:
Great, thanks for the info.
Now to wring my hands over the name change for a bit.