strange logs
Ronan Flood
ronan at noc.ulcc.ac.uk
Sat Jun 26 18:50:35 UTC 2004
"Michael Sharp" <ms at probsd.org> wrote:
> I've noticed this the past few weeks in /var/log/messages:
>
> Jun 24 15:45:06 darken named[232]: client 66.98.244.52#1039: zone transfer
> 'coastal-law.org/IN' denied
> Jun 24 15:47:10 darken named[232]: client 66.98.244.52#1039: zone transfer
> 'cherrypointyoungmarines.org/IN' denied
> Jun 24 16:45:06 darken named[232]: client 66.98.244.52#1039: zone transfer
> 'coastal-law.org/IN' denied
> Jun 24 16:47:10 darken named[232]: client 66.98.244.52#1039: zone transfer
> 'cherrypointyoungmarines.org/IN' denied
>
> I run DNS for those two domains plus probsd.org. The client resolves to an
> EV1.net machine.
Your domains list dns.secondary.org (66.98.244.118) as a nameserver;
as this is quite close to the address logged, possibly secondary.org
have changed their config. Maybe you should ask them.
> But my question is, what is that host looking for? And why consistently
> every 3 hrs for the past few weeks?
It's trying to copy your zones, presumably because it's set up to
be a slave server for them. Three hours (10800 seconds) is the
refresh time in your SOA record.
--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
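
The reasoning in the reply above (repeated denied transfers arriving on the SOA refresh timer, from an address close to a listed secondary) can be run over a log file. This is an added example, not part of the original post; the function name `summarize`, its parameters, the /24 "closeness" heuristic and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# BIND "zone transfer ... denied" line, in the format quoted in the post.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: zone transfer '(?P<zone>[^/']+)/IN' denied")

def summarize(lines, secondaries, refresh, year=2004):
    """Group denied AXFR attempts by (client, zone) and classify each group.

    secondaries: set of addresses of the listed slave nameservers.
    refresh: SOA refresh in seconds. Syslog omits the year, so it is passed in.
    """
    seen = defaultdict(list)
    for line in lines:
        m = DENIED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[(m["ip"], m["zone"])].append(when)
    nets = [ipaddress.ip_network(f"{s}/24", strict=False) for s in secondaries]
    report = {}
    for (ip, zone), times in seen.items():
        times.sort()
        gaps = {int((b - a).total_seconds()) for a, b in zip(times, times[1:])}
        addr = ipaddress.ip_address(ip)
        if ip in secondaries:
            origin = "listed-secondary"
        elif any(addr in n for n in nets):
            origin = "same-/24-as-secondary"  # a hint to go and ask, not proof
        else:
            origin = "unknown"
        report[(ip, zone)] = {"attempts": len(times), "origin": origin,
                              "on_refresh_timer": gaps == {refresh}}
    return report

# Constructed sample lines (documentation addresses, placeholder zone name).
SAMPLE = [
    "Jun 24 12:45:06 ns1 named[232]: client 192.0.2.52#1039: zone transfer 'example.org/IN' denied",
    "Jun 24 13:00:00 ns1 sshd[411]: constructed unrelated line",
    "Jun 24 15:45:06 ns1 named[232]: client 192.0.2.52#1039: zone transfer 'example.org/IN' denied",
    "Jun 24 16:10:41 ns1 named[232]: client 198.51.100.7#4410: zone transfer 'example.org/IN' denied",
    "Jun 24 18:45:06 ns1 named[232]: client 192.0.2.52#1039: zone transfer 'example.org/IN' denied",
]
```

A group that is on the refresh timer and near a listed secondary points to a slave whose source address is missing from the transfer ACL; a one-off attempt from an unknown address is a different case.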