Is someone trying to hack my dns and illegally transfer me records?

@quasar Internet Solutions, Inc. shore at quasar.net
Wed Dec 19 21:06:38 UTC 2001



To elaborate a little more for Paul...

If you don't want unauthorized zone transfers then your server appears to
have already done what you wanted it to ;)

There are a lot of things that could cause these requests to
happen...anything from a misconfigured server somewhere, to someone's
typo, or even the use of available network tools designed to find out
about the makeup of someone's network.  

You didn't mention whether the hundreds were over the course of days or
minutes but they are of a fairly minimal impact as far as most
systems/networks go.  If you start getting 100,000 of them a minute then
you might want to worry about what they are doing.  

I'm not sure whether you meant 'illegal' as in 'illegal operation' or
'illegal' as in 'against the law.'  All it appears they are doing is
requesting information, essentially, and your server is saying no.
Once someone did a zone transfer on a friend's network and publicly
posted it on a website to be scoffed at.  I don't think they found any
grounds to pursue that legally.  That would be a matter requiring local
legal advice.

Now if they start to attempt to transfer a zone 'to' you which is
unauthorized then they are more likely to be attempting to do something to
your system, or again it could be a misconfiguration.  And then you will
make that judgement call.  

Sometimes you'll even recognize an IP of one of your own users and realize
they have done something wrong in their own system and you might actually
be able to help them out ;)

Personally I like keeping things like that in my logs so I can see what's
going on, but that's a personal call.

Dena Whitebirch
@quasar Internet Solutions
http://quasar.net/


On Wed, 19 Dec 2001, Paul wrote:

> 
>  
>  Hi.
> 
>  I have noticed that in my logs it shows the message;
> 
> named[741]: client 128.177.195.11#60877: zone transfer denied
> 
> Hundreds of times.  The address is not one of our secondaries and I do not 
> recognize the above address. Why do I have this message?  Could someone be 
> trying to do an unauthorized transfer of our domains?  What do I do about 
> this?
> 
>  Paul
> 
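
Added example, not part of the original message: one way to act on the advice above, by checking how fast the denials arrive per client and whether the address is one you recognise. It assumes a syslog timestamp and hostname in front of the `named[...]` text; the function names, the known-hosts set and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: first line reuses the message quoted in the thread; the
# syslog prefix (timestamp, host "ns1") and every other line are assumptions.
SAMPLE_LOG = """\
Dec 19 20:58:01 ns1 named[741]: client 128.177.195.11#60877: zone transfer denied
Dec 19 20:58:20 ns1 named[741]: client 128.177.195.11#60878: zone transfer denied
Dec 19 20:58:41 ns1 named[741]: client 128.177.195.11#60879: zone transfer denied
Dec 19 20:59:05 ns1 named[741]: client 128.177.195.11#60880: zone transfer denied
Dec 19 21:03:12 ns1 named[741]: client 192.0.2.53#1045: zone transfer denied
Dec 19 21:04:00 ns1 named[741]: client 192.0.2.53#1046: query (cache) denied
"""

# Matches only the "zone transfer denied" form shown in the thread.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s"
    r"client\s(?P<ip>[0-9A-Fa-f.:]+)#\d+:\szone transfer denied"
)

def summarize(log_text, known_hosts=frozenset(), year=2001):
    """Per client: total denials, busiest single minute, and whether we know the IP."""
    totals, per_minute = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # other named messages are ignored
        # Classic syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        totals[m["ip"]] += 1
        per_minute[(m["ip"], ts.replace(second=0))] += 1
    return {
        ip: {
            "total": total,
            "peak_per_minute": max(n for (i, _), n in per_minute.items() if i == ip),
            "known": ip in known_hosts,
        }
        for ip, total in totals.items()
    }

def noisy_clients(report, per_minute_threshold):
    """IPs whose busiest minute reached the threshold you consider worth a look."""
    return sorted(ip for ip, r in report.items()
                  if r["peak_per_minute"] >= per_minute_threshold)

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG, known_hosts={"192.0.2.53"}).items():
        print(ip, row)
```

Put your secondaries and your own users' addresses in `known_hosts` so the report separates likely misconfigurations from unfamiliar clients.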



