Date: Thu, 24 Aug 2000 00:57:37 -0400 (EDT)
From: Igor Roshchin <str@giganda.komkon.org>
To: security@freebsd.org
Subject: named -- unapproved update (?)
Message-ID: <200008240457.AAA03676@giganda.komkon.org>
Hello!

I recently started a named server on one of the computers. This server is not announced as a primary or secondary DNS server for any of the domains, nor is it listed in /etc/resolv.conf of any computer (besides the computer it's running on). Immediately, I started seeing a message:

    Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [XXX.XXX.XXX.NNN].4110 for clientdomain.com

where "clientdomain.com" is one of the local domains, and apparently the querying host is in that domain (i.e. strangehost.clientdomain.com), and is physically on the same segment of the network (XXX.XXX.XXX), and on the same internal (Ethernet) network. This message appears twice or four times at once, and each such group is spaced from the others by 1-2 to 10 minutes.

Unfortunately I currently have no access to that box, and all I know is that it's running Windows (2000?). I am sure it does not have MYHOST in any of its configurations.

Questions:
1. What do those requests mean?
2. What are the possible reasons for them?
3. How did [could?] that host discover the DNS running, except by scanning all local hosts? Why would it do that?

I know that there exists some trojan that sends some strange queries to DNS servers, basically scanning some networks, but it is somewhat different here.

Any ideas what all this could be? Or is it just Windows 2000 strangeness? If so, is there any way to get rid of those annoying messages?

Thanks,
Igor
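As an added example (not part of the original post or of BIND itself), the following Python script parses named "unapproved update" log lines of the exact shape quoted above and summarises, per source address and zone, how many attempts arrived and how they cluster into bursts and gaps. That is the information a defender wants before deciding whether the sender is a single misconfigured client registering itself or something that warrants a closer look. The sample log is constructed: the addresses are from the 192.0.2.0/24 documentation range, the timestamps are invented, and the syslog year (which the timestamp lacks) is assumed to be 2000.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog/named line format quoted in the post.  The
# "<facility.level>" tag is optional because not every syslog setup adds it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:<[\w.]+> )?"
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"unapproved update from \[(?P<src>[0-9.]+)\]\.(?P<port>\d+) "
    r"for (?P<zone>\S+)$"
)

# Constructed sample log (not from the original post): documentation-range
# addresses, invented timestamps, plus one unrelated named line that the
# parser must skip.
SAMPLE_LOG = """\
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4110 for clientdomain.com
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4111 for clientdomain.com
Aug 21 18:20:02 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4120 for clientdomain.com
Aug 21 18:20:02 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4121 for clientdomain.com
Aug 21 18:20:03 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4122 for 2.0.192.in-addr.arpa
Aug 21 18:29:40 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.45].4130 for clientdomain.com
Aug 21 18:29:41 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.77].1033 for clientdomain.com
Aug 21 18:30:00 <daemon.notice> MYHOST named[1480]: reloading nameserver
"""


def parse_unapproved_updates(text, year=2000):
    """Return a list of (timestamp, source_ip, zone) for every
    'unapproved update' line; other lines are ignored.  Syslog timestamps
    carry no year, so the caller supplies one (assumed 2000 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["zone"]))
    return events


def summarize(events, burst_gap_seconds=5):
    """Group events by (source, zone).  Consecutive events from the same
    source for the same zone that are at most burst_gap_seconds apart form
    one burst.  Returns {(src, zone): {"count", "bursts", "gaps_minutes"}},
    where "bursts" lists the size of each burst and "gaps_minutes" the
    quiet time between consecutive bursts."""
    by_key = defaultdict(list)
    for ts, src, zone in sorted(events):
        by_key[(src, zone)].append(ts)

    summary = {}
    for key, stamps in by_key.items():
        bursts = [[stamps[0]]]
        for ts in stamps[1:]:
            if (ts - bursts[-1][-1]).total_seconds() <= burst_gap_seconds:
                bursts[-1].append(ts)
            else:
                bursts.append([ts])
        gaps = [
            round((nxt[0] - prev[-1]).total_seconds() / 60, 1)
            for prev, nxt in zip(bursts, bursts[1:])
        ]
        summary[key] = {
            "count": len(stamps),
            "bursts": [len(b) for b in bursts],
            "gaps_minutes": gaps,
        }
    return summary


def report(text, year=2000):
    """Human-readable per-source/zone summary, sources with most attempts first."""
    summary = summarize(parse_unapproved_updates(text, year))
    lines = []
    for (src, zone), info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f"{src} -> {zone}: {info['count']} attempts, "
            f"bursts {info['bursts']}, gaps (min) {info['gaps_minutes']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample log the report shows one source sending updates for the forward zone in bursts of two roughly 1.5 and 9.6 minutes apart, plus a single attempt against the matching reverse zone, which is the "twice or four times at once, then quiet for minutes" cadence the post describes. Run it over the real /var/log/messages (after stripping anything sensitive) to see whether the traffic comes from one host or many.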