Cache pollution was my initial reaction. I have the cache secured against pollution and have followed Microsoft's best practices in order to attenuate that problem... (for what that's worth... <koff!>)
Having recursion available to the Internet means it is pollutable by direct queries from the Internet.
We do have recursion enabled, but the AD/DNS box is not directly accessible via the internet.
Having your recursive DNS not accessible from the Internet, but used by your mail (HTTP, etc.) server, is still an indirect vulnerability, much more difficult to defend against.
The attacker sends a message to your MX that requires your mail server to make a DNS query to its recursive DNS. That query goes to the attacker's authoritative DNS, which passes out bad data in the ADDITIONAL section.
If you suspect cache poisoning for a domain name, a quick check:
send a non-recursive query to the suspect DNS for the domain name.
send a non-recursive query to the auth DNS for the same domain name.
If the suspect DNS's answer is different from the auth DNS answer, the suspect DNS is poisoned.
Len
_____________________________________________________________________ http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
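The quick check Len describes (a non-recursive query to the suspect resolver, the same query to the authoritative server, then a comparison) can be scripted. The following is an added example, not code from Len or from the IMail list; it uses only the Python standard library, builds the DNS query itself so that the RD bit is cleared, and compares the A records in the two ANSWER sections while ignoring TTL (a cached copy legitimately carries a smaller TTL than the authoritative answer). The function and variable names, the sample name www.example.com and the addresses 192.0.2.10 and 198.51.100.99 are constructed for the example; make_sample_response fabricates replies so the check can be exercised offline, and query() is the real UDP version for use against an actual resolver.

```python
"""Cache-poisoning quick check: compare a non-recursive answer from the
suspect resolver with the answer from the authoritative server.
Stdlib only; the wire-format code is a minimal illustration, not a full
DNS implementation. All names and addresses below are constructed."""
import random
import socket
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode "www.example.com" as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, recursion_desired=False):
    """Build a DNS query. recursion_desired=False clears the RD bit, so the
    server must answer from what it already holds (cache or zone data)
    instead of resolving the name on our behalf. Returns (packet, txid)."""
    txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN), txid


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; returns (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Parse header, question and the ANSWER/AUTHORITY/ADDITIONAL sections.
    A records come back as dotted quads, other types as raw rdata bytes."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                            # skip QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A and rdlen == 4:
                rdata = socket.inet_ntoa(rdata)
            rrs.append((name, rtype, ttl, rdata))
        sections[key] = rrs
    return {"id": txid, "flags": flags, **sections}


def a_records(section):
    """Set of (name, ip) pairs with TTL dropped, so a cached answer with a
    counted-down TTL still compares equal to the authoritative one."""
    return {(n.lower(), rd) for n, t, _, rd in section if t == TYPE_A}


def looks_poisoned(suspect_resp, auth_resp):
    """The check from the thread: a non-recursive answer from the suspect
    resolver that differs from the authoritative answer is a red flag."""
    return a_records(suspect_resp["answer"]) != a_records(auth_resp["answer"])


def query(server, name, timeout=3.0):
    """Send a non-recursive A query to server on UDP/53 and parse the reply."""
    pkt, txid = build_query(name, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch")
    return resp


def make_sample_response(query_pkt, answer_ips):
    """Constructed reply for offline use: echo the query's id and question,
    then append one A record per IP whose owner name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack(">H", query_pkt[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, len(answer_ips), 0, 0)  # QR+AA
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + socket.inet_aton(ip) for ip in answer_ips)
    return header + query_pkt[12:] + rrs


if __name__ == "__main__":
    q, _ = build_query("www.example.com")
    auth = parse_response(make_sample_response(q, ["192.0.2.10"]))
    suspect = parse_response(make_sample_response(q, ["198.51.100.99"]))
    print("poisoned?", looks_poisoned(suspect, auth))
```

Against live servers the two calls are query(suspect_resolver_ip, name) and query(authoritative_ip, name); the suspect must answer without RD set, otherwise it is free to refresh the entry and the comparison proves nothing. A mismatch is a lead, not a verdict: round-robin or GeoDNS zones return different A sets on purpose, so repeat the authoritative query a few times before concluding the cache was fed bad data.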