Possible System Compromise

Mark.Andrews at nominum.com
Thu Feb 8 22:15:05 UTC 2001


	At this stage you need to say what the domain name in question
	is, and the name and IP address of the server from which you are
	receiving complaints.  Without this anything more we say would
	be a total guess.  Without this we cannot eliminate any of
	the possibilities.

	Yes you can mark a server as bogus and it won't be queried
	for anything.

	Mark

> 	Is there any way to basically prevent this behavior
> without breaking proper operation?  We have been using bind-8
> versions for over a year and why we have suddenly begun to
> receive occasional complaints is a mystery.  The actual system
> only has a handful of accounts on it and they are all
> white-hats.  Obviously, if it is a bad delegation, there isn't
> much we can do, but I bet it is something else.  Any of the hosts
> that look to this dns will default to it if they do a local
> nslookup, but their nslookup should go directly to whatever dns
> they select such that any complaints would be about the IP
> address of that workstation in particular.
> 
> 	I do not want to enter the finger-pointing game any more
> than absolutely necessary, but is there any way that a local
> workstation could query our dns and cause it to do this?  We have
> only one real sea change in our population going on right now and
> it would coincide with the timing of the couple of reports we
> have received.
> 
> Martin McCormick
> Mark.Andrews at nominum.com writes:
> >	The problem was that you were querying that server and they
> >	weren't expecting you to.  The IP address was being rejected,
> >	not the port.
> >
> >Feb  7 00:34:54 athena named[2658]: denied query from [ouraddress].42061
> >for "anothersystem"
> >
> >	Now you need to work out why your server queried their server.
> >	The usual cause is a bad delegation.   However it could also
> >	be someone running dig/nslookup on your machine.
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
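The thread leaves the reader with two practical tasks: make sense of the "denied query from" complaint lines a remote administrator forwards, and stop named from querying a server that should never be queried. The script below is an added example and is not code from the thread or from ISC; it parses lines in exactly the format quoted above (timestamp, host, `named[pid]`, source address and port, queried name), tallies them by source address and by name, and emits the BIND `server { bogus yes; }` stanza Mark refers to. The sample lines, the addresses 192.0.2.10 and 192.0.2.25, and all names in them are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Feb  7 00:34:54 athena named[2658]: denied query from [192.0.2.10].42061 for "anothersystem"
Feb  7 00:35:02 athena named[2658]: denied query from [192.0.2.10].42061 for "www.anothersystem"
Feb  7 00:35:09 athena named[2658]: denied query from [192.0.2.10].1153 for "mail.anothersystem"
Feb  7 01:12:40 athena named[2658]: denied query from [192.0.2.25].53 for "anothersystem"
Feb  7 01:13:01 athena named[2658]: unrelated message that the parser skips
"""

# One regex for the whole line: syslog timestamp, host, named[pid], the
# bracketed client address with ".port" appended, and the quoted name.
DENIED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) named\[(?P<pid>\d+)\]: '
    r'denied query from \[(?P<addr>[^\]]+)\]\.(?P<port>\d+) '
    r'for "(?P<name>[^"]*)"'
)


def parse_denied_queries(text):
    """Return one dict per matching 'denied query' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["port"] = int(rec["port"])
        events.append(rec)
    return events


def summarize(events):
    """Tally complaints by source address and by queried name, and record the
    set of source ports seen per address.  If your named runs with a fixed
    query-source port, queries from other ports did not come from named itself."""
    by_addr = Counter(e["addr"] for e in events)
    by_name = Counter(e["name"] for e in events)
    ports_by_addr = {}
    for e in events:
        ports_by_addr.setdefault(e["addr"], set()).add(e["port"])
    return {"by_addr": by_addr, "by_name": by_name, "ports_by_addr": ports_by_addr}


def bogus_server_stanza(addr):
    """named.conf 'server' statement that stops named querying addr at all."""
    return "server %s {\n\tbogus yes;\n};\n" % addr


if __name__ == "__main__":
    events = parse_denied_queries(SAMPLE_LOG)
    report = summarize(events)
    for addr, n in report["by_addr"].most_common():
        print("%-15s %d queries, source ports %s" % (addr, n, sorted(report["ports_by_addr"][addr])))
    for name, n in report["by_name"].most_common():
        print("  %-25s %d" % (name, n))
    print(bogus_server_stanza("192.0.2.10"))
```

Run against the lines a complaining administrator sends you: several names under one zone all arriving from your server's own query-source port point at a delegation that hands that zone to the wrong server, while a scatter of unrelated names from varying ports looks more like someone on the box running dig or nslookup. The stanza is only a stopgap; it suppresses the queries rather than fixing whichever delegation sends them there.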

