Fishy behaviour?

Mathias Körber mathias at staff.singnet.com.sg
Sat Jul 29 13:01:45 UTC 2000


There are two possibilities I can think of:

a) If the queries are all for one (or a few) same domains, someone may
have listed your nameserver as delegation points for those domains.
You should be able to check that by querying the NS records for those
domains. Complaining to the parent domain about the unauthorized
use of your nameservers for those domains might result in the delegation
records being removed. If the domains have the NS records configured
inside the zone(s) themselves, then you'd have to tell the owners of the
domains themselves. Depending on whether it was a mistake or intentional
you'd get different reactions to a complaint. A last resort could be to
publish bad information for the zones, in order to alert the owners that
listing nameservers they don't really control can be counterproductive.
Whether that is an option for you, you'll have to decide yourself.

b) If it's always the same sources that query your nameservers, it is
likely that someone has configured your nameservers as forwarders for
their nameservers (or pointed their resolvers at your nameservers). As
you don't allow queries from them, this will not help them in the least.
Disallowing queries is the best you can do administratively already.
Complaints to the owners of the nameservers (or their upstream) again
might help, but then it also might not, depending on the clue-level and
intentions of the owners.

HTH

Mathias

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Mark Drummond
> Sent: Saturday, July 29, 2000 8:25 PM
> To: bind-users at isc.org
> Subject: Fishy behaviour?
>
> I have a number of machines outside my network (137.94.*) querying one
> of my name
> servers for other hosts also outside my net. They come in "floods" of
> 20-50 queries in a matter of a few seconds. Is this someone being bad?
>
> Jul 29 00:08:51 xxx.rmc.ca named[9589]: unapproved query from
> [149.99.114.192].2576 for "www.hotmail.msn.com"
>
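
The two cases in the reply can be told apart from the refusal log itself. The following is an added example, not part of the original thread: it parses "unapproved query" lines in the format quoted above and compares how many distinct sources and distinct domains appear. The `ratio` threshold, the two-label grouping key and all sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Refusal line format as quoted in the original post (BIND "unapproved query").
LINE_RE = re.compile(r'unapproved query from \[([0-9.]+)\]\.\d+ for "([^"]*)"')

def parse(lines):
    """Return (source_ip, qname) pairs from syslog lines; other lines are skipped."""
    return [(m.group(1), m.group(2).rstrip(".").lower())
            for m in map(LINE_RE.search, lines) if m]

def zone_key(qname, labels=2):
    """Grouping key: last two labels. An approximation, not a real zone cut."""
    return ".".join(qname.split(".")[-labels:])

def classify(lines, ratio=3):
    """Compare distinct sources with distinct domains among refused queries.

    'delegation': many sources, few domains  -> case (a) in the reply
    'forwarder' : few sources, many domains  -> case (b) in the reply
    """
    pairs = parse(lines)
    sources = Counter(src for src, _ in pairs)
    zones = Counter(zone_key(q) for _, q in pairs)
    if not pairs:
        verdict = "no-data"
    elif len(sources) >= ratio * len(zones):
        verdict = "delegation"
    elif len(zones) >= ratio * len(sources):
        verdict = "forwarder"
    else:
        verdict = "unclear"
    return {"verdict": verdict, "top_sources": sources.most_common(3),
            "top_zones": zones.most_common(3)}

def _line(src, port, qname):  # builds a constructed log line
    return (f'Jul 29 00:08:51 ns1 named[9589]: unapproved query from '
            f'[{src}].{port} for "{qname}"')

# Constructed samples (documentation addresses and example names).
SAMPLE_A = [_line(f"192.0.2.{i}", 2000 + i, f"host{i}.example.com") for i in range(1, 7)]
SAMPLE_B = [_line(f"198.51.100.{1 + i % 2}", 3000 + i, f"www.site{i}.example") for i in range(6)]

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, classify(sample))
```

For a "delegation" verdict, the domains in `top_zones` are the ones whose NS records are worth querying, as the reply suggests; for "forwarder", `top_sources` lists the hosts whose owners to contact.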



