In brief:
need a checkpoint firewall 4.1 or higher. set up a preshared key.
install client on winXP machine -w- preshared key.
boot XP box not in target network, but from a remote network connected
to the Internet via TCP/IP.
Once connectivity to the Internet is established do a dns lookup of
something you know will resolve, like www.google.com.
lookup something within the target network that won't resolve - force a
failed dns lookup.
establish a VPN into the checkpoint firewall.
verify the VPN is working by pinging something in the target network
that is known to reply to pings, like a DC.
run a nslookup from previous step of FQDN inside target network.
enter known values for target FQDN into hosts file.
try lookup again.
Failed for us consistantly.
I'd be interested in knowing if other have had this problem. We ended
up pushing a script that ran at VPN setup time that flushed the DNS
cache. We also pushed a hosts file with the needed FQDNs, since both
were needed to net nslookups to work right. Also of interest is that
nslookup didn't use the windows dns services to send dns requests, but
used its own, and so behaved differently than expolorer or ping. It did
use the hosts file first, while the windows OS dns services needed to
have the dns flushed to get rid of the cached failures. We observed
this by watching traffic and seeing that a windows XP box tried twice to
resolve a dns query (two requests sent) when using nslookup with a
different timeout, while the same thing from explorer tried four times
with a different timeout. Ping resulted in the same dns query traffic
as expolorer.
--- Begin Message ---
|
Subject: |
Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotagedhosts-file lookup |
|
Date: |
Wed, 19 Apr 2006 19:59:40 -0700 |
You got a KB or some other official reference? I just did it again after a
failed DNS looked. Lookup failed, added it in the hosts file, worked just
fine.
What exactly do you mean by "dns lookup failed?" The server is not
available, or the host isn't found on the server? I just tested both ways -
valid server with invalid host and invalid server. Ping resolution failed,
added host, resolved immediately and attempted ping, removed it and saved,
ping resolution immediately failed again; just like it is supposed to.
As I requested in my previous post, please provide us with detailed
instructions on how to recreate this issue.
t
On 4/19/06 4:43 PM, "John Biederstedt" <john@johnsdomain.org> spoketh to
all:
Actually, according to microsoft, the dns client in XP was *intended* to
check to see if a dns lookup had failed earlier before going to the
hosts file.
We did ping the internal domain controller, added the bogus FQDN, and
tried again. None of that worked, because prior to the VPN working, and
lookup of the domain controller had failed, and been cached. So,
because the failiure was checked before the hosts file, once the VPN was
up, the dns lookups didn't work.
Oh yes, the XP install was factory Dell.
--- End Message ---
