DNS DoS attack? (Zone transfer request).

David Botham dns at botham.net
Thu Aug 8 14:06:32 UTC 2002




> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Grant Peel
> Sent: Wednesday, August 07, 2002 9:31 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: DNS DoS attack? (Zone transfer request).
> 
> I have Zone transfers set to none in my named.conf.
> 
> Over the past few days, I have been getting hundreds of requests in my
> daemon and messages logs that look like:
> 
> Aug  7 21:24:48 enterprise named[1426]: client 216.154.16.237#64455: update 'logistics.com/IN' denied
> Aug  7 21:24:49 enterprise named[1426]: client 216.154.16.237#64462: update 'logistics.com/IN' denied

This error indicates that a system with IP address 216.154.16.23 is
attempting to update a dynamic zone on your name server.  You either
don't have dynamic zones or have an ACL that denies updates for this
host.

This problem is most often caused by Windows 2K and above hosts that are
set to register with their DNS server (as specified in the TCP
properties DNS tab).

> 
> Anyone think this is a DoS attack or just someone trying really hard to
> do a zone transfer?

This error does not indicate a zone transfer is being attempted.  What
makes you think a zone transfer is being attempted?  Are there other log
entries that lead you to this conclusion?


> 
> Also, the IP keeps changing...and the ISP has been notified.

The IP is not necessarily changing; there may be more than one host at
that ISP that is using your name servers for resolution.  Do you know
anybody at work that uses that ISP at home that might be using your name
servers?

Dave...
> 
> Bind 9.2.1 FreeBSD 4.4.
> 
> TIA, all.
> 
> --
> 
> -Grant
> 
> Grant W. Peel
> Server Administrator
> The Net Now -- Expresshost
> http://thenetnow.com
> grant at thenetnow.com
> 
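
Added example, not part of the original thread: a small Python triage script that separates denied dynamic updates from denied zone transfers in named syslog output and counts them per client and zone. The `update ... denied` format is taken from the lines quoted above; the `zone transfer ... denied` format and every sample line other than the two quoted ones are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input. The first two lines follow the format quoted in
# the thread; the remaining lines are made up for illustration.
SAMPLE_LOG = """\
Aug  7 21:24:48 enterprise named[1426]: client 216.154.16.237#64455: update 'logistics.com/IN' denied
Aug  7 21:24:49 enterprise named[1426]: client 216.154.16.237#64462: update 'logistics.com/IN' denied
Aug  7 21:25:02 enterprise named[1426]: client 192.0.2.10#53211: zone transfer 'logistics.com/AXFR/IN' denied
Aug  7 21:25:10 enterprise named[1426]: client 198.51.100.7#1046: update 'logistics.com/IN' denied
Aug  7 21:25:11 enterprise sshd[2210]: Connection closed by 203.0.113.5
"""

# Shape matched: client <ip>#<port>: <operation> '<zone>/<type and/or class>' denied
DENIED = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?P<op>update|zone transfer) '(?P<zone>[^'/]+)/[^']*' denied"
)

def classify(line):
    """Return (kind, client_ip, zone) for a denied request, else None."""
    m = DENIED.search(line)
    if m is None:
        return None
    kind = "dynamic-update" if m.group("op") == "update" else "zone-transfer"
    return kind, m.group("ip"), m.group("zone")

def summarize(log_text):
    """Count denied requests per kind, keyed by (client IP, zone)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, ip, zone = hit
            summary[kind][(ip, zone)] += 1
    return summary

if __name__ == "__main__":
    for kind, counts in summarize(SAMPLE_LOG).items():
        for (ip, zone), n in counts.most_common():
            print(f"{kind:15} {ip:16} {zone:20} {n}")
```

Grouping by source address rather than source port shows whether the denials come from one host retrying or from several hosts, since the port changes on every request.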



