Lame server
Jim Reid
jim at rfc1035.com
Mon Apr 16 09:09:16 UTC 2001
>>>>> "numpty" == numpty <sa2500 at eclipse.co.uk> writes:
numpty> I have seen these errors occasionally in my logs but on
numpty> advice from several sources ignored them. However
numpty> yesterday I was scanning through my firewall, snort and
numpty> message logs and saw a failed attempt to log in via ftp
numpty> with user root followed by a few seconds later 4 lame
numpty> server errors from the same IP as the attempted root
numpty> login. The same IP had also port scanned me a few minutes
numpty> previously. So is there a BIND exploit that would
numpty> generate these errors in the logs?
No. Lame delegation reports are caused by other people's incorrectly
configured name servers. Those servers are supposed to be
authoritative for some zone but aren't. This happens all the time: the
amount of DNS clue in the world appears to be finite. Port scanning or
probing for security weaknesses has nothing to do with lame
delegations. All you can infer from what you've seen is that the
script kiddie who has been poking about your network doesn't have
their DNS set up correctly. This should not be a surprise.
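
What "supposed to be authoritative for some zone but aren't" looks like on the wire, as an added example that is not part of the original post: a server named in a delegation is lame when its reply to a non-recursive query for the zone lacks the AA (authoritative answer) header bit. The packets are constructed samples, `build_response` and `classify` are hypothetical helper names, and treating SERVFAIL/REFUSED as lame is an assumption of this example.

```python
import struct

QR_FLAG = 0x8000     # set on responses
AA_FLAG = 0x0400     # Authoritative Answer bit in the DNS header flags word
RCODE_MASK = 0x000F
SERVFAIL, REFUSED = 2, 5

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(zone, aa, rcode=0):
    """Constructed sample reply: header plus question section only."""
    flags = QR_FLAG | (AA_FLAG if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN
    return header + question

def classify(packet):
    """Header-only verdict on a reply from a server the parent zone delegates to."""
    if len(packet) < 12:
        return "malformed"
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & QR_FLAG:
        return "malformed"          # a query, not a response
    if flags & RCODE_MASK in (SERVFAIL, REFUSED):
        return "lame"               # assumption: server does not serve the zone at all
    if not flags & AA_FLAG:
        return "lame"               # replied, but without authority for the zone
    return "authoritative"

if __name__ == "__main__":
    samples = {
        "correctly configured": build_response("example.com", aa=True),
        "no AA bit": build_response("example.com", aa=False),
        "REFUSED": build_response("example.com", aa=False, rcode=REFUSED),
    }
    for label, pkt in samples.items():
        print(f"{label}: {classify(pkt)}")
```

The verdict depends only on how the remote server is configured, which is why these log entries say nothing about probing or exploitation.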