Thread: Ms Dns

  1. #1
    Junior Member
    Join Date
    Apr 2002
    Posts
    21

    Ms Dns

    Why would my W2K DNS server be sending out internal address?

    It gives its internal address for dig lookups.
    I know it's pretty harmless as a nonroutable address, but how do I make it stop?
    I'm pretty sure zone transfers are off
    In the briefest flash I once understood the concept of randomness as a reflex. My question, "Is it voluntary?"
    5amYan
    --last line--<4.6692016090

  2. #2
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Perhaps because you have it live on the internet without a firewall? Perhaps you could give a wee bit more information about the setup? Two NICs? Firewall on host? Why do you even have the DNS service enabled?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    I'm not 100% sure about this one, but disabling "zone transfer" in the DNS options might do the trick!

  4. #4
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    DNS servers are supposed to send out information. That is what they do. Not sure why you have a DNS server for your internal network anyway. Please explain.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  5. #5
    Junior Member
    Join Date
    Apr 2002
    Posts
    15
    DNS is chatty. Until I configured my IDS to not alert me about it, I was seeing tons of false positives. I wouldn't worry about it.

  6. #6
    Originally posted here by souleman
    DNS servers are supposed to send out information. That is what they do. Not sure why you have a DNS server for your internal network anyway. Please explain.
    If you want to install active directory, you have no choice but to install a DNS server.

    Taken from sans.org:

    Zone Transfers

    Zone transfers pose a significant risk for organizations running DNS. While there are legitimate and necessary reasons for why zone transfers occur, an attacker may attempt a zone transfer request from any domain name server on the Internet. The reason attackers do this is to gather intimate details of an organization’s network, and use this information for further reconnaissance or as a launch pad for an attack. For instance, suppose the name server for the army.mil domain returned DNS entries for machines on the internal network named "intel", "bases", or "troops". Armed with this information, an attacker now has the addresses and names of potential targets [5]. Using this information, the attacker could then attempt to use automated attack scripts to exploit vulnerabilities in various UNIX services [6].

    For example, assume an attacker was able to obtain the IP addresses and host names of machines in the victim’s DMZ (Demilitarized Zone) via a zone transfer. The attacker could then telnet to port 25 on a mail server if the external router was not configured to prevent unauthorized Telnet connections. If the line referencing the version number of Sendmail was not commented out or falsified in /etc/mail/sendmail.conf, the attacker would know what version of Sendmail the mail server is running. They could then lookup Sendmail exploits for that version on one of many "black-hat" websites.

    The attacker’s job is simplified by the existence of legitimate websites that host DNS tools. One such site is http://samspade.org. The SamSpade.org site provides automated, web-based services such as DNS queries, reverse DNS queries, and Who Is lookups.
    I think your problem is there!

  7. #7

    Re: Ms Dns

    Originally posted here by 5amYan
    Why would my W2K DNS server be sending out internal address?

    It gives its internal address for dig lookups.
    I know it's pretty harmless as a nonroutable address, but how do I make it stop?
    I'm pretty sure zone transfers are off
    I can think of a few reasons ..

    most likely
    1) You configured your network cards to use the IPs of the DNS (on the DNS machine itself,
    so it announces itself to itself for each card).
    Do not specify DNS on the local network card(s) on the DNS machine.

    2) You're using an NT4 WINS server in your network (2k has no WINS!)
    and WINS replicates the local addresses with DNS.
    Who knows?

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Originally posted here by souleman
    DNS servers are supposed to send out information. That is what they do. Not sure why you have a DNS server for your internal network anyway. Please explain.
    Using DNS on a private network can be very helpful, especially if the private network is large. It is often much easier to remember FQDNs than it is to remember specific IPs (hence the point of DNS). If it is useful on the Internet, why wouldn't it be helpful on a private net?

    Is your DNS configured as a master or a slave or just caching? If you don't want this info leaked to the outside, disable zone transfers and you should be OK...
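
An added example, not part of any post in this thread: the symptom from the first post (dig answers that contain a non-routable address) can be audited by saving `dig` output taken from outside the network and flagging A/AAAA records that fall in internal ranges. The zone name, addresses and sample output are constructed; the ranges are listed explicitly because Python's `is_private` also matches documentation ranges.

```python
import ipaddress

# Non-routable ranges that should not appear in answers given to outside clients.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10",                           # IPv6 ULA, link-local
)]

# Constructed sample of saved dig output (not taken from the thread).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.test.        3600 IN NS    ns1.example.test.
example.test.        3600 IN A     203.0.113.10
ns1.example.test.    3600 IN A     192.168.1.5
ns1.example.test.    3600 IN A     203.0.113.10
www.example.test.    3600 IN CNAME example.test.
;; ADDITIONAL SECTION:
dc01.example.test.   3600 IN A     10.0.0.12
"""

def parse_records(dig_text):
    """Yield (name, rtype, rdata) for each resource record line in dig output."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        fields = line.split(None, 4)              # name ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            yield fields[0], fields[3], fields[4]

def leaked_internal(dig_text):
    """Return (name, address) pairs whose A/AAAA data is an internal address."""
    leaks = []
    for name, rtype, rdata in parse_records(dig_text):
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata.strip())
        except ValueError:                        # malformed rdata, ignore
            continue
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((name, str(addr)))
    return leaks

if __name__ == "__main__":
    for name, addr in leaked_internal(SAMPLE_DIG_OUTPUT):
        print(f"internal address exposed: {name} -> {addr}")
```
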
