Confusing Log message

Michael Barber mikeb at comcity.com
Fri May 7 18:35:24 UTC 2004


An LDAP Query?  Why is Bind responding to an LDAP Query...I thought that was
what LDAP servers were for?  I'm obviously confused but this looks like a
security problem and a hacker is trying to exploit something.  The Hacker
obviously knows something I don't...that he can get my bind server to
respond to LDAP queries if he tries hard enough....

In article <c7ghua$1q3s$1 at sf1.isc.org>,
 "Michael Barber" <mikeb at comcity.com> wrote:

> It didn't this time...  The hacker needs to work harder at it I guess...
>
> The point is why is it even "entertaining" the prospects of these type of
> queries.  Can I "turn-off" even the prospect of this type of query?

What "type of query" are you talking about?  All queries are pretty much
the same as far as the server is concerned.  It's all just arbitrary
data (except that NS and CNAME records need to be recognized and
followed when performing recursive queries).

What more do you expect it to do other than reject the query because the
client isn't in the access list?  A server can't prevent a client from
sending a query in the first place.

>
>
> In article <c7ej0n$2l61$1 at sf1.isc.org>,
>
> > I don't understand why Bind is allowing this...is there a setting to
> > stop this?  What you're describing won't work...because it obviously
> > means this person is a hacker.
>
> Allowing what?  Don't you see where it says "denied query"?  That means
> it *didn't* allow it, presumably because the client isn't in your
> allow-query access list.
>
> > In article <c7bkjt$1f3f$1 at sf1.isc.org>,
> >
> > > Can someone tell me what the meaning of this log message is:
> > >
> > > denied query from [204.127.202.36].53 for "_ldap._tcp.
> > > Default-First-Site-Name._sites.dc._msdcs.wvms.com" SRV/IN
> > >
> > > What does this mean:
> > > Default-First-Site-Name._sites.dc._msdcs.wvms.com"
> > > SRV/IN  ?  Should someone be jerking my name server around like this?
> >
> > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.wvms.com is the
> > name of a record that the device with IP address 204.127.202.36 was
> > trying to look up, and it was trying to look up a record with type SRV.
> > These are used by Microsoft Active Directory services as ways to find
> > servers -- in this case, I presume it's trying to find an LDAP server on
> > your network.  The component "Default-First-Site-Name" suggests that the
> > machine is not properly configured with your site's Windows domain.
> >
> > --
> > Barry Margolin, barmar at alum.mit.edu
> > Arlington, MA
> > *** PLEASE post questions in newsgroups, not directly to me ***
>
> --
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***

--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
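As an added illustration of the two points made in the thread (that "denied query" means allow-query already refused the client, and that the queried name is an Active Directory DC-locator SRV record whose labels encode service, protocol, site and domain), here is a small triage script that parses log lines in the format quoted above and decodes the `_msdcs` name shape. This is example code written for this page, not anything from the bind-users thread or from BIND itself; the log lines other than the one the original poster quoted are constructed, and the `triage` function and its field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input in the "denied query" format quoted in the thread.
# Only the first line is the one from the original post; the rest are made up.
SAMPLE_LOG = """\
denied query from [204.127.202.36].53 for "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.wvms.com" SRV/IN
denied query from [192.0.2.10].1054 for "www.example.com" A/IN
denied query from [198.51.100.7].53 for "_kerberos._tcp.dc._msdcs.example.com" SRV/IN
"""

# Matches: denied query from [<ip>].<port> for "<qname>" <qtype>/<qclass>
LOG_RE = re.compile(
    r'denied query from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)" (?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)'
)


@dataclass
class DeniedQuery:
    client_ip: str
    client_port: int
    qname: str
    qtype: str
    qclass: str


def parse_denied_query(line: str) -> Optional[DeniedQuery]:
    """Extract the fields of one 'denied query' log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return DeniedQuery(m["ip"], int(m["port"]), m["qname"], m["qtype"], m["qclass"])


@dataclass
class AdLocator:
    service: str          # e.g. "ldap", "kerberos"
    protocol: str         # e.g. "tcp", "udp"
    site: Optional[str]   # AD site name, or None for the site-less form
    domain: str           # the AD DNS domain the client belongs to


def classify_ad_srv(qname: str) -> Optional[AdLocator]:
    """Decode the AD DC-locator shape:
    _<service>._<proto>[.<site>._sites].dc._msdcs.<domain>
    Returns None for names that do not have that shape."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 5 or not labels[0].startswith("_") or not labels[1].startswith("_"):
        return None
    rest = labels[2:]
    site = None
    if len(rest) >= 2 and rest[1] == "_sites":
        site = rest[0]
        rest = rest[2:]
    if len(rest) < 3 or rest[0] != "dc" or rest[1] != "_msdcs":
        return None
    return AdLocator(labels[0][1:], labels[1][1:], site, ".".join(rest[2:]))


def triage(log_text: str) -> List[Dict]:
    """Annotate each denied query: BIND already refused it (allow-query did its
    job), so the only question for the operator is what the client was after."""
    findings = []
    for line in log_text.splitlines():
        q = parse_denied_query(line)
        if q is None:
            continue
        locator = classify_ad_srv(q.qname) if q.qtype == "SRV" else None
        if locator is None:
            note = "ordinary query, refused by allow-query"
        elif locator.site == "Default-First-Site-Name":
            note = ("Windows DC-locator lookup using the default site name; "
                    "typically a misconfigured or stray domain member, not an attack")
        else:
            note = f"Windows DC-locator lookup for {locator.service} in {locator.domain}"
        if q.client_port == 53:
            # A source port of 53 suggests another name server forwarding the
            # query rather than an end host's stub resolver.
            note += " (source port 53: likely a forwarding name server)"
        findings.append({
            "client": f"{q.client_ip}:{q.client_port}",
            "qname": q.qname,
            "qtype": q.qtype,
            "ad_locator": locator,
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["client"], f["qname"], f["qtype"], "-", f["note"])
```

Run it as-is to see the three constructed lines annotated. The point of the script is the defender's reading of the log: the server has already done the only thing it can do, which is refuse the query, and decoding the name tells you whether the client is a Windows machine looking for a domain controller (as Barry describes) rather than anything that needs further action beyond perhaps telling the owner of that host to fix its DNS settings.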
