Getting source IP for notify? (9.2.1)

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 2 22:33:36 UTC 2003


Larry Rosenman wrote:

> Since the ISC mailing list subscription page is broken (I've mailed
> listmaster at isc.org a week ago), can anyone tell me how to get
> the IP of a site sending me a notify (using bind 9.2.1)?
>
> Aug 31 05:21:18 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative
> Aug 31 05:21:18 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative
> Aug 31 08:13:11 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative

I don't think there's any combination of logging options in BIND 9 that will reveal this information.

You could always set up a sniffer (hardware or software) to capture the NOTIFY packets. With a sufficiently
sophisticated sniffer and some tinkering, you should be able to limit it to NOTIFY packets (filter on the
"opcode" field in the header) for that particular zone (filter on the contents of the Question Section). If you have
no other "0-26.{something}" zones for which you're receiving legitimate NOTIFYs, you could simply filter on just the
first 5 octets of the Question Section instead of the whole thing, e.g. with "snoop" on Solaris:

# The DNS header starts at udp[8], so udp[10] is the first flags byte:
#   0x24 = QR=0 (request), Opcode=4 (NOTIFY), AA=1 (BIND sets AA on NOTIFY)
# The Question Section starts at udp[20] (after the 12-byte DNS header):
#   0x04 is the length of the first label, then the bytes '0' '-' '2' '6'
snoop udp to port domain and \
      'udp[10] = 0x24' and \
      'udp[20] = 0x04' and \
      'udp[21] = 0x30' and \
      'udp[22] = 0x2d' and \
      'udp[23] = 0x32' and \
      'udp[24] = 0x36'

I've never used tcpdump, but I'm sure it would be fairly easy to translate that into a set of tcpdump
parameters/filters...

- Kevin
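An added example, not part of the original reply and not BIND or ISC code, of the same idea in Python: decode a captured UDP payload as a DNS message, recognise a NOTIFY (opcode 4, QR=0) whose question name starts with the zone prefix from the log, report the sender address, and emit the tcpdump filter equivalent to the snoop one above. The capture itself is constructed inline with documentation addresses (192.0.2.x) and the zone name from the log; in practice you would feed the function (source IP, UDP payload) pairs from whatever capture tool you use. The tcpdump filter masks the flags byte with 0xf8 (QR plus opcode) instead of comparing it to 0x24, so it also matches a NOTIFY sent without AA set; note that tcpdump's udp[N] offsets only work for IPv4.

```python
"""Added example (not from the original post or from ISC BIND): decode a
captured DNS datagram, recognise a NOTIFY for a given zone prefix, report the
sender, and build the tcpdump filter equivalent to the snoop filter above."""
import struct

OPCODE_NOTIFY = 4                      # RFC 1996
QTYPE_SOA, QTYPE_A, QCLASS_IN = 6, 1, 1


def build_dns_request(zone, opcode=OPCODE_NOTIFY, aa=True, msg_id=0x1234):
    """Constructed sample traffic: a minimal DNS request with one question.
    BIND sends NOTIFY with AA=1, which is why the snoop filter compares to 0x24."""
    flags = (opcode << 11) | (0x0400 if aa else 0)           # QR=0 (request)
    header = struct.pack(">HHHHHH", msg_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    qtype = QTYPE_SOA if opcode == OPCODE_NOTIFY else QTYPE_A
    return header + qname + struct.pack(">HH", qtype, QCLASS_IN)


def parse_dns_question(payload):
    """Return the header flag fields and the single question of a DNS message.
    Raises ValueError for anything that is not one uncompressed question."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []                 # Question Section follows the 12-byte header
    while True:
        n = payload[off]
        if n == 0:                       # root label terminates the name
            off += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack(">HH", payload[off:off + 4])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass}


def is_notify_for(payload, zone_prefix):
    q = parse_dns_question(payload)
    return q["qr"] == 0 and q["opcode"] == OPCODE_NOTIFY and q["qname"].startswith(zone_prefix)


def report_notify_sources(datagrams, zone_prefix):
    """datagrams: iterable of (source_ip, udp_payload) pairs as a capture tool hands them over."""
    sources = []
    for src, payload in datagrams:
        try:
            if is_notify_for(payload, zone_prefix):
                sources.append(src)
        except (ValueError, IndexError, struct.error):
            continue                     # not a well-formed single-question DNS message
    return sources


def tcpdump_filter(first_label):
    """tcpdump equivalent of the snoop filter: DNS over UDP, opcode NOTIFY, and the
    first QNAME label. udp[10] & 0xf8 keeps QR and opcode only, so NOTIFYs without
    AA match too. tcpdump's udp[N] offsets are IPv4 only."""
    label = first_label.encode("ascii")
    parts = ["udp dst port 53", "(udp[10] & 0xf8) = 0x20", f"udp[20] = {len(label):#04x}"]
    parts += [f"udp[{21 + i}] = {b:#04x}" for i, b in enumerate(label)]
    return " and ".join(parts)


# Constructed capture: a NOTIFY for the zone in the log, an ordinary query for the
# same name, and a NOTIFY for an unrelated zone.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", build_dns_request("0-26.122.158.207.in-addr.arpa")),
    ("192.0.2.20", build_dns_request("0-26.122.158.207.in-addr.arpa", opcode=0, aa=False)),
    ("192.0.2.30", build_dns_request("example.org")),
]

if __name__ == "__main__":
    print("NOTIFY senders:", report_notify_sources(SAMPLE_DATAGRAMS, "0-26."))
    print("tcpdump -n -i eth0 '" + tcpdump_filter("0-26") + "'")
```

Running it lists only 192.0.2.10 as a NOTIFY sender for the zone, and prints a tcpdump command whose filter checks udp[20] through udp[24] for the same five bytes (0x04, '0', '-', '2', '6') as the snoop expression.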





More information about the bind-users mailing list