unauthorized update attempts

Jorey Bump acorns at joreybump.com
Sat Feb 2 04:42:24 UTC 2002


Danny Mayer wrote:

> At 07:27 PM 2/1/02, acorns wrote:
> 
> 
>>I'm using bind-9.1.3-4, which defaults to disallow dynamic updates, so I
>>realize I'm safe. Here is what is appearing in my log:
>>
>>Jan 30 01:52:10 ns3 named[13195]: dynamic update failed: 'RRset exists
>>(value dependent)' prerequisite not satisfied (NXRRSET)
>>Jan 30 01:52:10 ns3 named[13195]: client 210.0.186.86#65078: update denied
>>
>>I've set up ipchains to deny this entire C class, as I have received
>>other update attempts from this IP range in the past. It's not one of my
>>own hosts (the IP seems to be somewhere in Asia), which makes me wonder
>>what these attempts are trying to accomplish.  On my old server (running
>>bind 8) the error messages were more verbose, so I could see which
>>domain was targeted. We regularly bounce mail for unknown users at this
>>domain, which suggests that someone might be trying to use it.
>>
>>Should I assume this is a hijack attempt, or a misconfigured name
>>server? Can anyone recommend any additional precautions?
>>
> 
> Yes, contact Bill Gates and tell him to stop doing that! W2K tries to do this
> by default.


I caught that in previous threads, but in those cases the W2K machines 
were on the same network, in the same domain. Why would a computer 
outside of my domain try to update my zone, unless it was a hijack 
attempt or a typo? It seems unlikely that this W2K bug would randomly 
target my domain.

It does match the W2K pattern somewhat, however. There were only about 
five attempts, then it stopped.

A few months ago, attempts to update the same domain came every five 
minutes, and were still coming weeks later, when I flushed ipchains for 
a moment. That was a different IP, so they may still be trying for all I 
know. Here are the log entries (bind 8 at the time):

Oct 19 03:36:28 ns1 named[31385]: denied update from [202.122.211.222].1056 for "MYDOMAIN.COM"
Oct 19 03:41:28 ns1 named[31385]: denied update from [202.122.211.222].1033 for "MYDOMAIN.COM"

These came in December from the same network that I mentioned in my 
original post:

Dec 10 11:57:20 ns1 named[16351]: denied update from [210.0.186.89].3170 for "MYDOMAIN.COM"
Dec 10 11:57:22 ns1 named[16351]: denied update from [210.0.186.89].1561 for "MYDOMAIN.COM"

I checked the whois at ARIN, and both networks are controlled by 
companies in Hong Kong. I don't know if I should try to contact someone, or 
if it's even worth the bother. Bill pretended not to know anything about 
it. ;)
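As an added example that is not part of this thread, here is a small Python triage script that parses the two denied-update log formats quoted above, BIND 8's `denied update from [ip].port for "ZONE"` and BIND 9's `client ip#port: update denied`, and tallies repeat sources so that persistent ones can be firewalled or reported. The sample log lines, addresses and zone name are constructed, not the poster's.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two formats quoted in the thread:
# BIND 8 ('denied update from [ip].port for "ZONE"') and
# BIND 9 ('client ip#port: update denied', which names no zone).
# Addresses and the zone are documentation placeholders.
SAMPLE_LOG = """\
Oct 19 03:36:28 ns1 named[31385]: denied update from [192.0.2.10].1056 for "EXAMPLE.COM"
Oct 19 03:41:28 ns1 named[31385]: denied update from [192.0.2.10].1033 for "EXAMPLE.COM"
Dec 10 11:57:20 ns1 named[16351]: denied update from [198.51.100.7].3170 for "EXAMPLE.COM"
Jan 30 01:52:10 ns3 named[13195]: dynamic update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 30 01:52:10 ns3 named[13195]: client 198.51.100.7#65078: update denied
Jan 30 02:00:00 ns3 named[13195]: client 203.0.113.5#1234: update denied
"""

BIND8_RE = re.compile(r'denied update from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"')
BIND9_RE = re.compile(r'client (?P<ip>[\d.]+)#(?P<port>\d+): update denied')

def parse_denied_updates(text):
    """Yield (source_ip, zone) per denied update; zone is None for BIND 9 lines."""
    for line in text.splitlines():
        m = BIND8_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone").lower()
            continue
        m = BIND9_RE.search(line)
        if m:
            yield m.group("ip"), None

def summarize(text, threshold=2):
    """Count denied updates per source IP and collect the zones named.
    Return only sources with at least `threshold` attempts (repeat offenders)."""
    counts = Counter()
    zones = defaultdict(set)
    for ip, zone in parse_denied_updates(text):
        counts[ip] += 1
        if zone:
            zones[ip].add(zone)
    return {ip: {"attempts": n, "zones": sorted(zones[ip])}
            for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} denied updates, zones={info['zones']}")
```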
