unapproved update

Forrest Aldrich forrie at forrie.com
Thu Jun 1 19:23:09 UTC 2000


I've seen these as well, and have been advised that they could be mostly 
due to Windows 2000 boxes (or similar), a built-in behavior.  The other 
part, of course, is a deliberate attempt to hack the BIND server and inject 
fraudulent data.

But because we see so many of these (the company I work for is an Internet 
Access Provider, so we have thousands of people on our dial pools), it's 
difficult to track down the malicious ones.  *shrug*


_F

At 12:16 AM 6/1/00 -0700, johnny cal wrote:
>On my name server I get a ton of logs that read
>
>Jun  1 12:09:44 ns named[15567]: unapproved update from [208.160.120.131].2319 for mydomain.com
>Jun  1 12:09:45 ns named[15567]: unapproved update from [208.160.120.131].2324 for 120.160.208.in-addr.arpa
>Jun  1 12:09:54 ns named[15567]: unapproved update from [24.142.186.191].2161 for mydomain.com
>Jun  1 12:09:56 ns named[15567]: unapproved update from [24.142.186.191].2166 for 75.142.24.in-addr.arpa
>Jun  1 12:10:10 ns named[15567]: unapproved update from [206.157.163.23].3711 for 163.157.206.in-addr.arpa
>Jun  1 12:10:21 ns named[15567]: unapproved update from [208.160.122.115].2356 for mydomain.com
>Jun  1 12:10:26 ns named[15567]: unapproved update from [208.138.198.228].27594 for mydomain.com
>Jun  1 12:10:27 ns named[15567]: unapproved update from [208.138.198.228].27598 for mydomain.com
>                                              unapproved update from 
> [authoritive] for authoritive
>I am wondering why these logs are showing up.  I am an ISP and we are
>in charge (have authority for these classes).   I have read that Windows
>2000 makes these kinds of requests, and that you can block at the router
>for certain queries. Do any of these hold truth?  How can I fix the
>logging so that I don't see just these or stop an "unapproved update"?
>
>thank you for your help.  I am running bind 8..2.2p5 and solaris 7
>
>john
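A triage sketch for the kind of log lines quoted above, added here as an example and not written by either poster. It groups rejected updates by source and separates sources that only target a zone you serve or the reverse zone covering their own address from everything else; that split is an assumed heuristic for client self-registration, and because the log line carries only the zone name it narrows what to look at without showing intent. The function names, the class C reverse-zone assumption and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Line format as it appears in the quoted named log (joined onto one line).
LINE_RE = re.compile(
    r"named\[\d+\]: unapproved update from "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

def own_reverse_zone(ip):
    """Class C reverse zone covering ip: 192.0.2.7 -> 2.0.192.in-addr.arpa."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

def triage(lines, forward_zones):
    """Group rejected updates by source and split the sources into two buckets.

    self_registration: every target is one of forward_zones or the reverse
    zone covering the sender's own address (assumed heuristic, see lead-in).
    review: at least one target is some other zone.
    """
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # skip unrelated named messages
            targets[m["ip"]].add(m["zone"].lower().rstrip("."))
    report = {"self_registration": {}, "review": {}}
    for ip, zones in targets.items():
        expected = set(forward_zones) | {own_reverse_zone(ip)}
        bucket = "self_registration" if zones <= expected else "review"
        report[bucket][ip] = sorted(zones)
    return report

# Constructed sample lines (documentation address ranges, not from the post).
SAMPLE = [
    "Jun  1 12:09:44 ns named[15567]: unapproved update from [192.0.2.131].2319 for example.com",
    "Jun  1 12:09:45 ns named[15567]: unapproved update from [192.0.2.131].2324 for 2.0.192.in-addr.arpa",
    "Jun  1 12:09:56 ns named[15567]: unapproved update from [198.51.100.191].2166 for 75.113.203.in-addr.arpa",
    "Jun  1 12:10:26 ns named[15567]: unapproved update from [203.0.113.228].27594 for example.com",
    "Jun  1 12:10:30 ns named[15567]: some other message",
]

if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE, {"example.com"}).items():
        print(bucket, sources)
```
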




More information about the bind-users mailing list