Bug: DNS Poisoning Attack preventing PTR lookups?

Discussion in 'ESET Smart Security' started by denno, Oct 27, 2008.

Thread Status:
Not open for further replies.
  1. denno

    denno Registered Member

    Joined:
    Mar 22, 2006
    Posts:
    49
    hi all

    for example, when you lookup a domain, say wilderssecurity.com, i get:

    now performing a ptr lookup, will usually give a result, even if it's not up to date (in wilders' case, it is correct)

    However, when this "DNS poisoning attack prevention" under Personal Firewall » IDS and Advanced options is enabled, the reverse lookup will fail and it is logged in the firewall log.

    I see from searching lots mentioned about these attacks, but mainly in the firewall logs section and the debate is usually concerning if the attacks are real or not. can anyone else replicate this? good example to use is google.. the address will resolve to a few IPs.. each one has a hostname you can test a reverse lookup on. if you don't get a response (you should, as google have their stuff sorted), can you disable the above option then try one of the addresses again?

    ESS 3.0.672.0

    thanks

    issue appears as though if you set it "off" in that it logs something in the firewall log as a DNS attack, it won't permit you to perform the reverse lookup for a few minutes.. if you wait a minute or two and try again, it goes through and successfully looks up the ptr record.

    it also appears as though if you do a reverse lookup on some ip that you know off memory has a ptr record, it will work immediately. a way to test this is to use an external source to find the ip. eg. dnsstuff.com and do a traceroute to some website... use one of the routers along the way that has a ptr record listed, and look up the IP directly. HOWEVER, if you do an nslookup domainname.com then do a reverse lookup on the ip immediately, it goes into lockdown mode and will throw an error in the log and won't allow the reverse lookup. again, if you give it two minutes and then hit enter for the nslookup <ip>, it goes through.

    further little test... take ae-0-11.bar1.houston1.level3.net which resolves to 4.69.137.133. in your command prompt, do a lookup on the hostname and you will see it resolve to the above address. then immediately afterward, do a lookup on 4.69.137.133 - i bet that it will say it can't find it and you'll find a message in your ESS Firewall log. now, leave the prompt open and give it two minutes... then do the nslookup on 4.69.137.133 again, and i bet it will work..

    weird!
     
    Last edited: Oct 27, 2008
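The forward-then-reverse test the post describes, written up as an added example (not part of the original post, and nothing to do with ESET's own code): it resolves the hostname, immediately attempts the PTR lookup of the returned address, and on failure retries once after the poster's two-minute wait, so the "blocked, then recovered" pattern can be told apart from an address that simply has no PTR record. The resolver and sleep functions are injectable, which is an assumption of this example, so the same check can be run against a simulated resolver without a network.

```python
import socket
import time
import ipaddress

TEST_HOST = "ae-0-11.bar1.houston1.level3.net"   # hostname from the post
RETRY_AFTER = 120                                 # the poster's "two minutes"

def ptr_name(ip):
    """Name the resolver queries for the PTR record (4.69.137.133 -> 133.137.69.4.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def run_check(hostname, forward, reverse, retry_after=RETRY_AFTER, sleep=time.sleep):
    """Forward-resolve hostname, try the PTR lookup immediately, and on failure
    retry once after retry_after seconds. forward/reverse/sleep are injectable
    (an assumption of this example) so the check can run against a simulated resolver."""
    ip = forward(hostname)
    result = {"ip": ip, "ptr": ptr_name(ip), "immediate": None, "after_wait": None}
    try:
        result["immediate"] = reverse(ip)
        return result
    except OSError:              # socket.herror / gaierror are OSError subclasses
        pass
    sleep(retry_after)
    try:
        result["after_wait"] = reverse(ip)
    except OSError:
        pass
    return result

def classify(result):
    """A PTR that fails right after the A lookup but works after the wait is the
    pattern the post reports when the IDS option is on."""
    if result["immediate"]:
        return "ptr_ok"
    if result["after_wait"]:
        return "ptr_blocked_then_recovered"
    return "no_ptr"

if __name__ == "__main__":
    # Stand-alone run against the system resolver (needs network access).
    r = run_check(TEST_HOST, socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0])
    print(r["ip"], r["ptr"], classify(r))
```

Run it with the IDS option on and again with it off; a result of ptr_blocked_then_recovered only in the first run reproduces what the post describes.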