Security Forums


Rogue DNS interferes with VPN access

manning
Just Arrived
Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Posted: Thu Aug 26, 2010 5:50 pm    Post subject: Rogue DNS interferes with VPN access

Hello,

I brought up this issue a while ago when I first discovered what was going on. Basically here are the details:

- we have a private domain with a given domain name.
- somebody else has that name registered in the public space and has it parked.
- They also have the DNS set up with a wildcard entry.

So what happens is when one of my users is outside the network and attempts to connect to our private network via VPN (Windows), the DNS server interferes with the connection to a degree. I have edited the HOSTS file on my users computers to help mitigate this (server names only resolve to static internal IPs), but it still bothers me that something bad might happen.

What I see as my options are:

- Change my internal domain name. This sound like a PITA, and I have had the name in place for 13 years without a problem til now
- Attempt to buy the public domain name. Not likely. The name is registered to somebody who is squatting on it and wants a fortune for it.
- Just deal with it.

Any opinions or suggestions? Can I report them to somebody? The name is registered in Russia.


Last edited by manning on Thu Aug 26, 2010 8:05 pm; edited 1 time in total
operat0r2
Just Arrived
Joined: 26 Apr 2010
Posts: 0

Posted: Thu Aug 26, 2010 6:42 pm

You can push the hosts file to clients; that would be an easy hack. Alternatively, you can run your own DNS server.
manning
Just Arrived
Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Posted: Thu Aug 26, 2010 7:46 pm

Hello,

Thanks for the reply.

Yes, I have already edited the HOSTS file on the users' computers. That helps in that it limits resolution of my internal server names to my internal name server.

Not sure what you mean, though, about running my own DNS server. I have DNS servers to resolve names on my private AD network, and they should only resolve the domain name to the internal IP. This is the case when users are behind the firewall, but when they are outside our network and VPN in, the 'rogue' DNS server seems to be able to intercept requests. Obviously those resources that are in the HOSTS file resolve correctly, but I have this bad feeling that the rogue DNS may be able to do something bad. Is there something I can do with the HOSTS file to tell the computers to never ever respond to anything from the public IP of the rogue DNS server?

If I nslookup my private domain on the public net it resolves to a 209.50.243.xx IP. If I then tracert that IP it ends at a server named mauri.spb.ru. Can I do something on the local machines that blocks that name and/or IP from interfering with my desired name resolution? IPsec policy?

EDIT I think this helped:

ipseccmd -f 209.50.243.18/255.255.255.255=*

except that it wasn't persistent, so I tried this syntax to make it static, or persistent:

ipseccmd -w REG -p "Block Ru Rogue" -r "Block Rogue DNS" -f 209.50.243.18/255.255.255.255=* -n BLOCK -x

I think it is working; does it look correct? At least now when I restart the computer and run netdiag /test:ipsec I see the rule still listed. Also, I don't see the foreign address 209.50.243.18 listed anymore if I run netstat -n.

I also added the name of the rogue DNS server to the HOSTS file with the localhost IP to see if that helps.

Thanks
krugger
SF Mod
Joined: 08 Jun 2006
Posts: 16777209

Posted: Fri Aug 27, 2010 6:21 pm

If they change DNS you will have a problem. If they start using the domain it might get cached in other public DNS servers and you will have the problem again. And you can expect them to have valid certificates for a domain you are operating, which might be a problem. MX records can get mixed up and so on.

I would start planning to change the name you use.
manning
Just Arrived
Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Posted: Fri Aug 27, 2010 7:49 pm

krugger wrote:
If they change DNS you will have a problem. If they start using the domain it might get cached in other public DNS servers and you will have the problem again. And you can expect them to have valid certificates for a domain you are operating, which might be a problem. MX records can get mixed up and so on.

I would start planning to change the name you use.


The only domain name we have in common is my internal one and their public one, which they have parked. My public FQDN and MX are something different.

So for example my private and their public could be for demo purposes:

joesgarage.com

and my public, MX etc. could be:

bigjoesgarage.com

From inside my private network the common domain name only resolves to my internal DNS servers. Outside of our firewall it resolves to theirs. Hopefully that makes a difference???

I made an offer for the domain name in question again through NS, and they countered with $3000.00 US. Not doing that.
Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Posted: Fri Sep 03, 2010 7:01 pm

Just to reinforce what krugger suggested, you may want to consider changing your internal domain name. This very reason is why it's important to use a DNS suffix that isn't a TLD for internal domains. (List Here)

Right now you're experiencing some availability issues, but depending on how the rightful owner of that domain chooses to use that name, you could experience more interesting issues.

PS - You're the rogue DNS... not them.
manning
Just Arrived
Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Posted: Fri Sep 03, 2010 8:59 pm

Ugh, that's what I wanted to avoid. I didn't set up this domain, the old systems admin did, and I don't think a dozen years ago or so he really put a second's worth of thought into whether we would run into something like this.

So if I should not use some domain name .com, what should I use for my private net? Or are you saying don't use a TLD that I don't own, whether it uses .com or not.

As far as me being the rogue, you mean only when I try to do anything outside my private net with this name, correct? Since the domain name in question, in my use is internal and uses 'private' IPs, it doesn't exactly interfere by its nature with any registered public instance of the name, correct?
Sgt_B
Trusted SF Member
Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Posted: Fri Sep 03, 2010 9:27 pm

manning wrote:
As far as me being the rogue, you mean only when I try to do anything outside my private net with this name, correct? Since the domain name in question, in my use is internal and uses 'private' IPs, it doesn't exactly interfere by its nature with any registered public instance of the name, correct?

Exactly. You're not hurting anyone else on the interwebs, so it's not a big deal.

Just pick a domain suffix that is not on the TLD list. A lot of people just use yourdomain.local, but it can really be anything you want. You could technically use yourdomain.snuffleupagus but that would be odd...or totally awesome.
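As an added illustration of Sgt_B's advice (not code from anyone in this thread), the Python below audits a candidate private DNS suffix: is it a publicly delegated TLD that anyone can register, an IETF special-use name, or a subdomain of a domain you already own, and does it answer from outside the network? One caveat the thread does not mention: .local is reserved for multicast DNS (RFC 6762), so a subdomain of a public domain you control (corp.bigjoesgarage.com, say) is the cleaner choice. The TLD set is a constructed sample, the function and its finding labels are hypothetical, and 209.50.243.18 is the address manning reports above.

```python
import ipaddress

# Constructed subset of publicly delegated TLDs; the real list is the IANA root zone.
SAMPLE_PUBLIC_TLDS = {"com", "net", "org", "ru", "info", "biz", "garage"}

# IETF special-use names (RFC 6761, RFC 6762, RFC 8375). Nobody can register these
# publicly, but .local in particular is reserved for multicast DNS.
SPECIAL_USE = {
    "local": "reserved for mDNS (RFC 6762); conflicts with Bonjour/Avahi hosts",
    "localhost": "loopback only (RFC 6761)",
    "test": "testing only (RFC 6761)",
    "example": "documentation only (RFC 6761)",
    "invalid": "must never resolve (RFC 6761)",
    "home.arpa": "reserved for private networks (RFC 8375)",
}

def audit_internal_domain(name, external_answers=(), owned=(),
                          public_tlds=SAMPLE_PUBLIC_TLDS):
    """Return findings for a candidate private DNS suffix (hypothetical helper).

    external_answers: addresses the name resolves to from OUTSIDE the network
    (constructed here; in practice query a public resolver from an external host).
    owned: public domains the organisation actually controls.
    """
    labels = name.lower().strip(".").split(".")
    def ends_with(suffix):
        parts = suffix.lower().strip(".").split(".")
        return labels[-len(parts):] == parts
    owner = next((d for d in owned if ends_with(d)), None)
    special = next((s for s in SPECIAL_USE if ends_with(s)), None)
    if owner:
        findings = [f"OK: subdomain of {owner}, which you control in public DNS"]
    elif special:
        findings = [f"SPECIAL_USE: .{special} is {SPECIAL_USE[special]}"]
    elif labels[-1] in public_tlds:
        findings = [f"COLLISION_RISK: .{labels[-1]} is publicly delegated; "
                    f"anyone can register {name} and answer for it"]
    else:
        findings = [f"UNDELEGATED: .{labels[-1]} is not a public TLD today "
                    "(new gTLDs are still being delegated)"]
    for answer in external_answers:
        # Roaming or VPN clients that get a public answer reach a third party for
        # every hostname not pinned in HOSTS; private answers are not a concern.
        if ipaddress.ip_address(answer).is_global:
            findings.append(f"HIJACKABLE: {name} resolves publicly to {answer}")
    return findings

if __name__ == "__main__":
    print(audit_internal_domain("joesgarage.com", ["209.50.243.18"]))
    print(audit_internal_domain("corp.bigjoesgarage.com", owned=["bigjoesgarage.com"]))
```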
manning
Just Arrived
Joined: 07 Aug 2006
Posts: 1
Location: Northern Ohio USA

Posted: Fri Sep 03, 2010 9:46 pm

Great, thanks for the info.

Now to wring my hands over the name change for a bit.