9.1 - Security Problem?

Mark mark at spectek.co.nz
Tue Apr 3 20:40:33 UTC 2001


Sorry if this got posted twice.

I am using bind 9.1.1rc4 on both master and slave name servers on our
network and noticed the following being logged. I could not find any info
on what the causes were: whether it was someone trying to attack the servers or
their machine issuing wrong requests. Any help would be appreciated:

log (IP addresses changed to protect the innocent :-)

queries: info: client 210.x.x.x #50693: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x #50694: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50695: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kerberos._udp.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50826: update denied
queries: info: client 210.x.x.x #50696: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x#50697: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x#50698: query: 1082331758610-2 IN TKEY
security: error: client 210.x.x.x #50829: update denied
queries: info: client 210.x.x.x #50699: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x #50700: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50701: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kpasswd._udp.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50832: update denied
queries: info: client 210.x.x.x #50702: query: 1082331758610-3 IN TKEY
queries: info: client 210.x.x.x  #50703: query: 1082331758610-2 IN TKEY
queries: info: client 210.x.x.x #50704: query: 1082331758610-2 IN TKEY
queries: info: client 202.x.x.x #65105: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dns.psinz.co.nz IN SOA
security: error: client 210.x.x.x #50835: update denied

and so on, and in the syslog:
Mar 30 09:47:44 jordan named[125]: client 210.x.x.x#50295: update denied
Mar 30 10:16:05 jordan named[125]: client 210.x.x.x#50317: update denied
Mar 30 10:16:22 jordan named[125]: client 210.x.x. #50320: update denied
Mar 30 10:16:39 jordan named[125]: client 210.x.x.xx#50323: update denied

This went on for over 30 hours straight and I eventually filtered out the IP
address range at the external router. I ran nmap on the IP address, and of
the four ports open, this person was running pcAnywhere host and remote. It
seems to me that there were 2 IP addresses involved.

Am I being paranoid for no reason?

Mark
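As an added example (not part of Mark's post, and not BIND code), a small Python script that summarises this kind of BIND 9 log per client: it counts TKEY queries and refused dynamic updates, so a client that keeps doing both stands out before you reach for a router filter. The sample log lines and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches BIND 9 category logs ("client A.B.C.D #port: ...") and syslog lines
# ("named[125]: client A.B.C.D#port: ..."); the space before '#' is optional.
CLIENT_RE = re.compile(
    r"client\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*#(?P<port>\d+):\s*(?P<msg>.*)$")
QUERY_RE = re.compile(r"query:\s*(?P<name>\S+)\s+IN\s+(?P<type>[A-Z0-9]+)")

def summarise(lines):
    """Per-client counts: TKEY queries, other queries and refused updates."""
    stats = defaultdict(lambda: {"tkey": 0, "queries": 0, "denied": 0})
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue  # not a per-client message (e.g. zone transfer notices)
        s, msg = stats[m.group("ip")], m.group("msg")
        if msg.startswith("update denied"):
            s["denied"] += 1
        elif (q := QUERY_RE.search(msg)):
            s["tkey" if q.group("type") == "TKEY" else "queries"] += 1
    return stats

def flag_clients(stats, min_denied=1, min_tkey=3):
    """Clients that repeatedly negotiate TKEY and also get updates refused."""
    return sorted(ip for ip, s in stats.items()
                  if s["denied"] >= min_denied and s["tkey"] >= min_tkey)

# Constructed sample lines in the shape of the post's log; the addresses are
# RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = [
    "queries: info: client 192.0.2.10 #50693: query: 1082331758610-3 IN TKEY",
    "queries: info: client 192.0.2.10 #50694: query: 1082331758610-2 IN TKEY",
    "queries: info: client 198.51.100.7 #65105: query: _kerberos._udp.example.net IN SOA",
    "security: error: client 192.0.2.10 #50826: update denied",
    "queries: info: client 192.0.2.10#50697: query: 1082331758610-2 IN TKEY",
    "Mar 30 09:47:44 jordan named[125]: client 192.0.2.10#50295: update denied",
    "queries: info: client 198.51.100.7 #65105: query: _kpasswd._udp.example.net IN SOA",
]

if __name__ == "__main__":
    st = summarise(SAMPLE_LOG)
    for ip in flag_clients(st):
        print(f"{ip}: {st[ip]['tkey']} TKEY, {st[ip]['denied']} update denied")
```

Feed it the real query and security channel files with the 210.x.x.x addresses unredacted and it will list only the clients meeting both thresholds.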
