Dynamic Update log entries?

Mark Andrews Mark_Andrews at isc.org
Mon Jun 30 22:58:11 UTC 2008


> In my log I'm seeing various external IPs being denied update of my
> zones.
> On checking in the ISC FAQ the message has to do with Dynamic
> Updates.  Since these are external and I'm not really sure who they are
> (reverse lookup shows nothing) I can't really implement the fix
> mentioned in the FAQ.
> 
> Reverse lookup has no information for the IPs.
> 
> Whois seems to suggest the IPs are part of BellSouth or Southwestern
> Bell (both of which are now part of AT&T).   AT&T is where we got our IP
> ranges from so I'm wondering if there would be any valid reason for them
> to be attempting Dynamic Updates to our servers?

	There is no reason to do this.

> Also on doing a test I found adding the IPs to an ACL and doing a
> blackhole on the ACL in named.conf will stop the messages.    Is there
> any downside to doing this?

	It also stops queries from these addresses.

> Is there a better way to prevent Dynamic
> Update attempts from external IPs altogether?

	There is no way to stop update attempts being sent other
	than to contact the sender.  You have enough information
	to do this.  It will most probably be a misconfiguration
	and sending the message will get it fixed.  If it is actually
	being done with hostile intent you are helping to establish
	a pattern by sending the desist message.

	You can also just ignore the messages by sending them to "null;".

> A couple of example IPs are 75.24.37.111 & 74.252.7.7.
> 
> The FAQ I mentioned is at http://www.isc.org/index.pl?/sw/bind/FAQ.php
> 
> The specific Q & A was:
> 
> "Q: 
> I keep getting log messages like the following. Why? 
> Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied 
> A: 
> Someone is trying to update your DNS data using the RFC2136 Dynamic
> Update protocol. Windows 2000 machines have a habit of sending dynamic
> update requests to DNS servers without being specifically configured to
> do so. If the update requests are coming from a Windows 2000 machine,
> see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for
> information about how to turn them off. "
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
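
Added example, not part of the original message or of BIND: a short Python script that groups "update denied" log entries by source address, giving the counts and first/last timestamps you would quote when contacting the sender. The log lines are constructed using documentation address ranges; the line format follows the FAQ sample quoted above, and the optional quoted zone name and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 30 09:14:02.118 client 192.0.2.15#1045: update denied
Jun 30 09:44:03.002 client 192.0.2.15#1046: update denied
Jun 30 10:01:27.551 client 198.51.100.7#3321: update 'example.com/IN' denied
Jun 30 10:02:00.000 client 203.0.113.9#53211: query (cache) 'example.org/A/IN' denied
Jun 30 10:14:04.870 client 192.0.2.15#1047: update denied
"""

# Matches the FAQ's sample line. The optional 'zone/CLASS' group is an
# assumption for servers that name the zone in the message.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r".*?client (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
    r"update (?:'(?P<zone>[^']+)' )?denied\s*$"
)

def summarize(lines, year=2008):
    """Group 'update denied' entries by source address.

    The log timestamp carries no year, so the caller supplies one.
    """
    seen = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "zones": set()})
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # other messages (e.g. denied queries) are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = seen[m["ip"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if m["zone"]:
            rec["zones"].add(m["zone"])
    return dict(seen)

def report(summary):
    """One line per source, busiest first, suitable for an abuse report."""
    rows = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return ["%s count=%d first=%s last=%s zones=%s"
            % (ip, r["count"], r["first"], r["last"],
               ",".join(sorted(r["zones"])) or "-") for ip, r in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```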

