Who is 2.16.4.xxx

So I got a question from a customer. Their firewall team detected that clients tried to connect to 2.16.4.xxx (I replaced the last octet with x’s to protect the innocent).
So who is 2.16.4.xxx? Let's start with a simple reverse DNS query.

So now we know that we are talking about Akamai. Well, that doesn't really help, since it is the biggest, or one of the biggest, CDNs in the world.

  1. So I asked the firewall team for information about what was sent, and they couldn't help me.
  2. So we need to figure out which name is pointing to the IP. I didn't have access to the clients to check either. If I had access to a client, I could have run "ipconfig /displaydns"; this would have given me the same kind of information as I got from the server cache.
  3. But wait, I do have access to the DNS servers. Let's check in the DNS cache.

Exploring the Windows DNS Server cache

Let's dump the entire cache to a file so we can work with it.

Now we have a good file to look through. Let's start by looking for the A record that points to 2.16.4.xxx. I found another Akamai name, so I then needed to see which CNAME was pointing to that name, and so it went, two times over. But in the end we found it. Below are the interesting parts of the dump I did.

So in the end the client tried to reach crl.microsoft.com. This is a typical example of why locking down your firewalls by IP can be a time-consuming endeavour.
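The cache walk described above, done in PowerShell instead of by hand, as an added example (not code from the original post). It assumes the DnsServer module on Windows Server 2012 R2 or later and read access to the cache of the server given in -ComputerName; the IP in the usage comment is a placeholder.

```powershell
# Added example: walk the Windows DNS server cache backwards from an IP
# address (depth 0: A records) through the CNAMEs that point at those names
# (depth 1..N), so the names clients actually asked for come out at the end.
function Get-DnsCacheNamesForIp {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$ComputerName = 'localhost',
        [int]$MaxDepth = 10   # stops the walk if the cache holds a CNAME loop
    )

    # One snapshot of the cache; every match below runs against it.
    $cache = Show-DnsServerCache -ComputerName $ComputerName

    # Depth 0: A records whose address is the one the firewall flagged.
    $frontier = @($cache |
        Where-Object { $_.RecordType -eq 'A' -and
                       $_.RecordData.IPv4Address.IPAddressToString -eq $IPAddress } |
        ForEach-Object { $_.HostName.TrimEnd('.') } |
        Sort-Object -Unique)
    foreach ($name in $frontier) {
        [pscustomobject]@{ Depth = 0; Name = $name; PointsTo = $IPAddress }
    }

    # Depth 1..N: CNAME records whose target is a name found at the previous depth.
    $seen = @{}
    for ($depth = 1; $depth -le $MaxDepth -and $frontier.Count -gt 0; $depth++) {
        $next = @()
        foreach ($target in $frontier) {
            if ($seen.ContainsKey($target)) { continue }   # already expanded
            $seen[$target] = $true
            $aliases = $cache |
                Where-Object { $_.RecordType -eq 'CNAME' -and
                               $_.RecordData.HostNameAlias.TrimEnd('.') -eq $target }
            foreach ($rec in $aliases) {
                $alias = $rec.HostName.TrimEnd('.')
                [pscustomobject]@{ Depth = $depth; Name = $alias; PointsTo = $target }
                $next += $alias
            }
        }
        $frontier = @($next | Sort-Object -Unique)
    }
}

# Usage (placeholder IP and server name): the rows with the highest Depth are
# the names the clients resolved, e.g. crl.microsoft.com in the case above.
# Get-DnsCacheNamesForIp -IPAddress '<flagged-ip>' -ComputerName 'dns01' | Sort-Object Depth
```

Only names still present in the cache are found, so run it before the relevant TTLs expire or the cache is cleared.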

Enable scavenging on all DNS zones using PowerShell

So I needed to enable scavenging on all reverse zones for a customer. All forward zones and most reverse zones were done, but not all. Since this was a Windows Server 2012 R2 server, I knew that every cmdlet I might need was available.

But what if I have already enabled scavenging but want to update which servers will scavenge?

And now all my zones have scavenging enabled and the correct DNS server specified.

I tried to create a reverse zone and all I got was this error message

So you read my earlier blog entry about creating reverse zones, and tried to create the 0, 127 or 255 zone. If you tried to create one of those zones on a Windows DNS server, you should have got the following error message: "The zone cannot be created. The zone already exists."

So what's up? I don't see the zone, but it's there? Microsoft has made sure that all DNS servers create those zones in the background unless a registry change is made. To be able to see these zones, you need to enable their display. [Read more…]

Don’t talk to the prisoner

I know that it sounds like a bad line from a movie, but it is really a valid point in computing too. So which prisoner am I speaking of? Let's see if you can guess; your options are:

  • The Beagle Boys, you know from Donald Duck.
  • prisoner.iana.org, one of the servers that blackholes bad DNS queries.
  • Al Capone, the famous gangster.
  • Aung San Suu Kyi, political prisoner of Burma.

Well, even if I think most of these prisoners are interesting, today my plan is to write about prisoner.iana.org.

Why, and how we can avoid it. [Read more…]

How to demote a Domain Controller

So you might have a system hardcoded to talk to that domain controller. Now you need to find out which servers are talking to the domain controller.

  1. Disable dynamic DNS registration on the domain controller.
  2. Now clean up the DNS records of that domain controller, so no more clients will find the server through DNS queries.
  3. Wait a couple of days.
  4. Then use Network Monitor to check whether any clients are still talking to the server, and which ones.
  5. For DNS you can use my script from the blog post about DNS logging.
  6. Continue to remove systems that are still using the domain controller.
  7. When you give up or are done, you can remove the domain controller.
  8. Depending on which Windows version you have, you have the option of dcpromo or Server Manager.

How to Prevent Domain Controllers from Dynamically Registering DNS Names

Update: Since I wrote this, Pierre Audonnet has written about this too, giving the following suggestions.

Easy handling before removing DNS

Prior to changing the IP of a DNS server or demoting it, it is best to repoint all clients that use this DNS server to another DNS server. To assist in this I have written the following script. It requires the DNS service to have debug logging enabled. By running the script and pointing it at the debug log file, you will get an easy-to-handle array. Unless you specify a filename for the debug log, it will be in the file %SystemRoot%\system32\dns\dns.log.

Download the script from the Microsoft social scripting archive.

[Read more…]