Wilders Security Forums  

  #1  
October 27th, 2008, 05:55 AM
denno
Infrequent Poster
 
Join Date: Mar 2006
Posts: 49
Bug: DNS Poisoning Attack preventing PTR lookups?

hi all

for example, when you lookup a domain, say wilderssecurity.com, i get:

Quote:
nslookup wilderssecurity.com
Non-authoritative answer:
Name: wilderssecurity.com
Address: 65.175.38.194

now performing a ptr lookup, will usually give a result, even if it's not up to date (in wilders' case, it is correct)

Quote:
nslookup 65.175.38.194
Name: wilderssecurity.com
Address: 65.175.38.194

However, when this "DNS poisoning attack prevention" under Personal Firewall » IDS and Advanced options is enabled, the reverse lookup will fail and it is logged in the firewall log.

I see from searching lots mentioned about these attacks, but mainly in the firewall logs section and the debate is usually concerning if the attacks are real or not. can anyone else replicate this? good example to use is Google.. the address will resolve to a few IPs.. each one has a hostname you can test a reverse lookup on. if you don't get a response (you should, as Google have their stuff sorted), can you disable the above option then try one of the addresses again?

ESS 3.0.672.0

thanks

issue appears as though if you set it "off" in that it logs something in the firewall log as a DNS attack, it won't permit you to perform the reverse lookup for a few minutes.. if you wait a minute or two and try again, it goes through and successfully looks up the ptr record.

it also appears though if you do a reverse lookup on some ip that you know off memory has a ptr record, it will work immediately. a way to test this is to use an external source to find the ip. eg. dnsstuff.com and do a traceroute to some website... use one of the routers along the way that has a ptr record listed, and look up the IP directly. HOWEVER, if you do an nslookup domainname.com then do a reverse lookup on the ip immediately, it goes into lockdown mode and will throw an error in the log and won't allow the reverse lookup. again, if you give it two minutes and then hit enter for the nslookup <ip>, it goes through.

further little test... take ae-0-11.bar1.houston1.level3.net which resolves to 4.69.137.133. in your command prompt, do a lookup on the hostname and you will see it resolve to the above address. then immediately afterward, do a lookup on 4.69.137.133 - i bet that it will say it can't find it and you'll find a message in your ESS Firewall log. now, leave the prompt open and give it two minutes... then do the nslookup on 4.69.137.133 again, and i bet it will work..

weird!

Last edited by denno : October 27th, 2008 at 06:21 AM.
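
The test sequence described in the post above (forward lookup, immediate reverse lookup, a two-minute wait, then the reverse lookup again) can be scripted so others can replicate it. This is an added example, not part of the original post; the function names and verdict strings are hypothetical, and it uses the OS resolver rather than nslookup, so answers may come from the local DNS cache.

```python
import socket
import time

def forward_lookup(name):
    """A-record lookup through the OS resolver (assumption: not nslookup)."""
    return socket.gethostbyname(name)

def reverse_lookup(ip):
    """PTR lookup through the OS resolver; None when the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are both OSError
        return None

def reproduce(hostname, forward=forward_lookup, reverse=reverse_lookup,
              wait_seconds=120, sleep=time.sleep):
    """Forward lookup, immediate PTR lookup, then one retry after a wait."""
    ip = forward(hostname)
    immediate = reverse(ip)
    if immediate is not None:
        # The PTR answered straight away: the symptom did not reproduce.
        return {"ip": ip, "immediate": immediate, "delayed": immediate,
                "verdict": "ptr-ok"}
    sleep(wait_seconds)  # the post reports success after about two minutes
    delayed = reverse(ip)
    # "blocked-then-ok" is the pattern the post describes; "ptr-unavailable"
    # means the PTR never answered, which may simply mean no record exists.
    verdict = "blocked-then-ok" if delayed else "ptr-unavailable"
    return {"ip": ip, "immediate": None, "delayed": delayed,
            "verdict": verdict}

if __name__ == "__main__":
    import sys
    # Default hostname is the one named in the post; pass another as argv[1].
    default_host = "ae-0-11.bar1.houston1.level3.net"
    host = sys.argv[1] if len(sys.argv) > 1 else default_host
    print(reproduce(host))
```

Run it once with the firewall option enabled and once with it disabled, and compare each verdict with the entries in the firewall log.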
 

All times are GMT -4.