denied update from [an IP I don't know] for "my domain"

Joe Kattner joe.kattner at adelphia.com
Thu Feb 21 13:39:01 UTC 2002


The request that is denied is coming from 138.89.40.249, so there is nothing you can do about it. You've written the IP Admin, so aside from blocking or ignoring it, there's not much left for you to do. The requests are denied, so aside from the logs, it's not uncommon for DNS administrators to get them on a regular basis, and usually not cause for a concern. There is nothing in your configuration that will explain this, nor is the similarity of other domain names you host of any relevance to this problem.

Someone posted that it is a Windows 2k machine; based on a frequent number of retries, it probably is, but remember that may or may not be true though. The source of a dynamic update can be a number of things: Windows, nsupdate, a DHCP server, or something else. You can't conclusively say what it is coming from with that message alone. It's on by default on Windows 2k, so that is a likely candidate in this case, but it's not the only one. Perhaps someone really is trying to manipulate the data in aades.com.

You'll also probably want to turn off recursive queries from unknown clients on both your name servers (ns.makingofweb.com and ns.sioc.org). Anyone on the internet can use your name servers for resolution. Again, it's likely a Windows 2k trying to update itself, but with an 'open-door' policy like that, it's possible you've attracted someone looking around to see what they get away with on your servers.

Is aades.com a client of yours? Perhaps they set up their home machine to use aades.com, and you can just ask them if they are using 2k and are on 138.89.40.249? If you choose to block the IP, you may find out the hard way if they are a client.

--Joe



-----Original Message-----
From: Régis [mailto:regis at grison.org]
Sent: Wednesday, February 20, 2002 3:31 PM
To: comp-protocols-dns-bind at moderators.isc.org
Subject: denied update from [an IP I don't know] for "my domain"



Hello,

I looked in the archive and found the same error message but in a different context, so I hope someone could help me. Please excuse me for my English, it is not my native language.

Here is the message (it is the real one, I didn't change anything):
Feb 20 20:40:46 mensmagna named[14052]: denied update from [138.89.40.249].3971 for "aades.com" IN

Here is my config:
Linux Debian woody
named 8.3.0-REL-NOESW Thu Jan 17 11:40:46 MST 2002
it runs chrooted
I have a lot of domains but lesgarsdvierzon.net, rsdvierzon.net and aades.com may be relevant because they share the same IP (212.157.81.25)
my nameserver is master, the slave is the one of a friend, I looked at both config files without seeing anything
I don't know if it is a good idea to publish their name and IP here but you can have them using the whois on any of the above domain names if you want them

My problem and what I've done:
I receive this error message very often and every time from the same IP.
A host command on this IP shows:
Name: pool-138-89-40-249.mad.east.verizon.net

I think it is interesting to see that the domain verizon.net is quite similar to lesgarsdvierzon.net or rsdvierzon.net, which have the same IP as aades.com

I looked at my config files but I saw nothing special, I looked at the config files of the secondary dns (which is a slave of mine), I looked on google and isc.org
But I didn't find anything

I wrote to the admin (found the address using whois) but I had no response (about 2 weeks now).

My questions:
Which side does the error come from?
Is it an error that I must correct?
Is it something the verizon.net admin made incorrectly?
Is it something important or not?
What should I do?

Thank you for any hint or any link to a document or relevant mail archive.

Regis.
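Joe's two recommendations (keep the zone closed to dynamic updates, and stop answering recursive queries for arbitrary internet clients) written out as a named.conf fragment. This is an added example, not configuration from either poster; the 212.157.81.0/24 network in the acl and the zone file name are assumptions, and the acl/allow-recursion/allow-update statements are the ones shared by BIND 8.2+ and BIND 9.

```conf
// Added example: not from the original thread. Addresses below are assumed.

// Clients allowed to use this server as a resolver: the host itself and
// the local network the master lives on (212.157.81.0/24 is an assumption).
acl "trusted" {
    127.0.0.1;
    212.157.81.0/24;
};

options {
    directory "/var/named";

    // Weak setting (the default if nothing is stated): anyone on the
    // internet can send recursive queries and use this server as an
    // open resolver.
    //   allow-recursion { any; };

    // Corrected: recursion only for trusted clients. Everyone else still
    // gets authoritative answers for the zones served here, which is all
    // a public name server for these domains needs to provide.
    allow-recursion { "trusted"; };
};

zone "aades.com" {
    type master;
    file "db.aades.com";   // file name is an assumption

    // "none" is already the default, which is why the update from
    // 138.89.40.249 was refused and logged as
    //   denied update from [138.89.40.249].3971 for "aades.com" IN
    // Stating it explicitly documents that the denial is intended and
    // that no allow-update list should appear here by accident.
    allow-update { none; };
};
```

After editing, check the syntax and reload (ndc reload on BIND 8), then confirm from an outside host that a recursive query for a name you are not authoritative for is refused while queries for aades.com still answer.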


