9.1 - Security Problem?

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 4 00:58:59 UTC 2001


Looks like yet another deluded Win2K box thinking that your nameserver is its
"Mum". I wouldn't necessarily suspect a break-in attempt. I get tons of these
kinds of update attempts every day.

You should probably be running the final release of 9.1.1, however, for reasons
other than security...


- Kevin

Mark wrote:

> Sorry if this got posted twice.
>
> I am using bind 9.1.1rc4 on both master and slave name servers on our
> network and noticed the following being logged. I could not find any info
> on what the causes were, whether it was someone trying to attack the servers
> or their machine issuing wrong requests; any help would be appreciated:
>
> log (IP addresses changed to protect the innocent :-)
>
> queries: info: client 210.x.x.x #50693: query: 1082331758610-3 IN TKEY
> queries: info: client 210.x.x.x #50694: query: 1082331758610-2 IN TKEY
> queries: info: client 210.x.x.x #50695: query: 1082331758610-2 IN TKEY
> queries: info: client 202.x.x.x #65105: query: _kerberos._udp.dns.psinz.co.nz IN SOA
> security: error: client 210.x.x.x #50826: update denied
> queries: info: client 210.x.x.x #50696: query: 1082331758610-3 IN TKEY
> queries: info: client 210.x.x.x#50697: query: 1082331758610-2 IN TKEY
> queries: info: client 210.x.x.x#50698: query: 1082331758610-2 IN TKEY
> security: error: client 210.x.x.x #50829: update denied
> queries: info: client 210.x.x.x #50699: query: 1082331758610-3 IN TKEY
> queries: info: client 210.x.x.x #50700: query: 1082331758610-2 IN TKEY
> queries: info: client 210.x.x.x #50701: query: 1082331758610-2 IN TKEY
> queries: info: client 202.x.x.x #65105: query: _kpasswd._udp.dns.psinz.co.nz IN SOA
> security: error: client 210.x.x.x #50832: update denied
> queries: info: client 210.x.x.x #50702: query: 1082331758610-3 IN TKEY
> queries: info: client 210.x.x.x #50703: query: 1082331758610-2 IN TKEY
> queries: info: client 210.x.x.x #50704: query: 1082331758610-2 IN TKEY
> queries: info: client 202.x.x.x #65105: query: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dns.psinz.co.nz IN SOA
> security: error: client 210.x.x.x #50835: update denied
>
> and so on, and in the syslog:
> Mar 30 09:47:44 jordan named[125]: client 210.x.x.x#50295: update denied
> Mar 30 10:16:05 jordan named[125]: client 210.x.x.x#50317: update denied
> Mar 30 10:16:22 jordan named[125]: client 210.x.x. #50320: update denied
> Mar 30 10:16:39 jordan named[125]: client 210.x.x.xx#50323: update denied
>
> This went on for over 30 hours straight and I eventually filtered out the IP
> address range at the external router. I ran nmap on the IP address and of
> the four ports open, this person was running pcAnywhere host and remote. It
> seems to me that there were 2 IP addresses involved.
>
> Am I being paranoid for no reason?
>
> Mark
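Added example, not part of either Kevin's reply or Mark's post: a small parser for the two BIND 9 log formats quoted above (the "queries"/"security" channel lines and the syslog "update denied" lines) that tallies, per client address, how many TKEY negotiations and refused updates each one sent. Kevin's diagnosis is that a TKEY burst followed by "update denied" is a Windows 2000 host trying to register itself with GSS-TSIG dynamic update; the classification heuristic below encodes that reading so the noise can be separated from clients whose behaviour does not fit it. The sample lines, their documentation-range IP addresses and the example.test names are constructed for this example, and the event labels are this example's own, not BIND's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the format quoted in the thread. The first six
# lines mimic the "queries"/"security" channels, the seventh the syslog form.
SAMPLE_LOG = """\
queries: info: client 192.0.2.10 #50693: query: 1082331758610-3 IN TKEY
queries: info: client 192.0.2.10 #50694: query: 1082331758610-2 IN TKEY
security: error: client 192.0.2.10 #50826: update denied
queries: info: client 198.51.100.20 #65105: query: _kerberos._udp.dns.example.test IN SOA
queries: info: client 192.0.2.10#50697: query: 1082331758610-2 IN TKEY
security: error: client 192.0.2.10 #50829: update denied
Mar 30 09:47:44 jordan named[125]: client 192.0.2.10#50295: update denied
queries: info: client 203.0.113.7 #4000: query: www.example.test IN A
"""

# One pattern covers both formats: "client <addr>[ ]#<port>: " followed by
# either "query: <name> IN <type>" or the bare "update denied" message.
LINE_RE = re.compile(
    r"client (?P<ip>[\w.:]+)\s*#(?P<port>\d+): "
    r"(?:query: (?P<name>\S+) IN (?P<rtype>\S+)|(?P<denied>update denied))"
)


def parse_line(line):
    """Return a dict describing one client event, or None for lines without one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    if m.group("denied"):
        return {"ip": m.group("ip"), "event": "update_denied"}
    name, rtype = m.group("name").lower(), m.group("rtype")
    if rtype == "TKEY":
        event = "tkey"              # GSS-TSIG key negotiation that precedes a signed update
    elif rtype == "SOA" and name.startswith("_"):
        event = "ad_related_soa"    # _kerberos/_kpasswd/_msdcs style locator lookups
    else:
        event = "other_query"
    return {"ip": m.group("ip"), "event": event, "name": name, "rtype": rtype}


def summarize(lines):
    """Count events per client address across an iterable of log lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]][rec["event"]] += 1
    return per_client


def classify(counts):
    """Label one client's event mix; the labels are this example's heuristic."""
    tkey, denied = counts["tkey"], counts["update_denied"]
    if tkey and denied:
        return "dynamic-update client (TKEY negotiation then refused update); typical of Windows 2000 DNS registration"
    if denied:
        return "updates refused without TKEY negotiation; worth a closer look"
    if counts["ad_related_soa"]:
        return "Active Directory locator lookups only"
    return "ordinary queries"


def report(lines):
    """Map each client address to its classification."""
    return {ip: classify(c) for ip, c in summarize(lines).items()}


if __name__ == "__main__":
    for ip, label in report(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {label}")
```

Run it against a real query log with `report(open("named.log"))`; clients labelled as Windows 2000 registration attempts are the ones Kevin describes, and the remaining "update denied" sources are the short list left over for a human to review.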
