stopping continuous unapproved AXFR

Jim Reid jim at rfc1035.com
Wed Jul 12 03:28:36 UTC 2000


>>>>> "Bill" == Bill Moseley <moseley at hank.org> writes:

    Bill> Every five minutes for about three days now I've been seeing
    Bill> this:

    Bill>    unapproved AXFR from [205.229.206.20].{varying ports}

    Bill> It's not one of my secondaries, not one I have listed and
    Bill> know about, anyway.

Whether it's one of your slave (secondary) servers or not doesn't
matter. The fact is this IP address is making AXFR requests and you
don't like that.

    Bill> Not that it bugs me that much, but is there much one can do
    Bill> to try to stop the requests?

Complain to the owner of that IP address or, failing that, the ISP who
owns the address block containing that IP address. You could block
these unwanted queries at your firewall, but that just stops you
seeing those AXFR requests. It doesn't stop 205.229.206.20 sending
them. Maybe blocking their queries just makes them more persistent?
And anyway, what real benefit comes from restricting zone transfers?

    Bill> I poked around 205.229.206.20
    Bill> and didn't find much (like an smtp host to mail).

A reverse lookup with dig for this address doesn't yield a hostname.
However the RNAME in the SOA record for 206.229.205.in-addr.arpa -
you'd see this if you did the reverse lookup with dig - says that
bob at shornetworks.com is responsible for this reverse zone. Try mailing
that address. Or looking up shornetworks.com in a whois server and
getting in touch with whoever's listed there for the zone's contacts.
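
Added example, not part of the original message: a Python sketch that tallies "unapproved AXFR" log lines per source address, derives the names to query with dig, and converts an SOA RNAME into a contact mailbox as described above. The log prefix, the sample lines, and the /24 reverse-zone boundary are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the message fragment quoted in the post; any prefix is ignored.
AXFR_RE = re.compile(r"unapproved AXFR from \[([0-9.]+)\]\.(\d+)")

# Constructed sample lines; the timestamp/daemon prefix is an assumption.
SAMPLE_LOG = [
    "Jul 11 20:05:01 ns named[101]: unapproved AXFR from [205.229.206.20].1042",
    "Jul 11 20:10:01 ns named[101]: unapproved AXFR from [205.229.206.20].1057",
    "Jul 11 20:12:44 ns named[101]: unapproved AXFR from [192.0.2.7].3301",
    "Jul 11 20:15:02 ns named[101]: unapproved AXFR from [205.229.206.20].1063",
    "Jul 11 20:15:09 ns named[101]: unapproved AXFR from [999.1.1.1].53",
]

def tally_sources(lines):
    """Count refused zone-transfer requests per valid IPv4 source."""
    counts = Counter()
    for line in lines:
        m = AXFR_RE.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.IPv4Address(m.group(1)))] += 1
        except ValueError:      # malformed address in the log line
            continue
    return counts

def reverse_names(ip):
    """Return (PTR name, enclosing reverse zone), assuming a /24 delegation."""
    ptr = ipaddress.IPv4Address(ip).reverse_pointer
    return ptr, ptr.split(".", 1)[1]

def rname_to_mailbox(rname):
    """SOA RNAME -> mail address: first unescaped dot becomes '@' (RFC 1035)."""
    name, i = rname.rstrip("."), 0
    while i < len(name):
        if name[i] == "\\":     # escaped character, e.g. '\.' in the local part
            i += 2
        elif name[i] == ".":
            return name[:i].replace("\\.", ".") + "@" + name[i + 1:]
        else:
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

if __name__ == "__main__":
    for ip, n in tally_sources(SAMPLE_LOG).most_common():
        ptr, zone = reverse_names(ip)
        print(f"{ip}: {n} refused; check 'dig -x {ip}' and 'dig SOA {zone}'")
```

Pass the RNAME field from the SOA answer to rname_to_mailbox() to get the address to write to.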



More information about the bind-users mailing list