unapproved update

Jim Reid jim at rfc1035.com
Thu Jun 1 23:39:52 UTC 2000


>>>>> "johnny" == johnny cal <johnnycal at ispchannel.com> writes:


    johnny> On my name server I get a ton of logs that read 
    johnny> Jun 1 12:09:44 ns named[15567]: unapproved update from [208.160.120.131].2319 for mydomain.com

    johnny> I am wondering why
    johnny> these logs are showing up.  I am an ISP and we are
    johnny> in charge (have authority for these classes).  I have read
    johnny> that Windows 2000 makes these kinds of requests, and that
    johnny> you can block at the router for certain queries. Does any
    johnny> of these hold truth?  How can I fix the logging so that I
    johnny> don't see just these or stop an "unapproved update"?

The chances are that these update requests are coming from W2K
boxes. [Thanks a bunch Bill!] However they may be coming from other
systems who might be trying to attack your name servers and change the
contents of your zones. There are several ways to deal with this. One
is to configure a router or firewall to spot these update packets and
drop them or bounce them back to the source. That'll stop your name
server getting these requests, but it would also block valid dynamic
updates - say from a trusted DHCP server - if you had them.

Stopping the unapproved updates is harder. You need to reconfigure
those systems to stop them sending update requests. Or you approve
these updates and just let those boxes have unfettered write
access to your zone data which is probably not a good idea. Think
about the consequences of that.

Now you can make the name server discard log messages about these
unapproved updates. But this isn't wise either. One of these updates
could mean someone or something is up to no good. Or it could just be
another W2K system trying to do stupid things. Who can tell? It all
depends on whether you care about unapproved dynamic update requests.
Mostly they'll be harmless, but there's always the chance that they
indicate something more sinister is going on.
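
Editor's addition, not part of the original post or of BIND: instead of discarding the "unapproved update" messages, they can be summarised per source and zone so that refused updates from unexpected addresses stand out. The network in `KNOWN_CLIENT_NETS` and every sample log line after the first are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the named message quoted in the post, e.g.
#   named[15567]: unapproved update from [208.160.120.131].2319 for mydomain.com
UPDATE_RE = re.compile(
    r"named\[\d+\]: unapproved update from "
    r"\[(?P<src>[0-9a-fA-F.:]+)\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

def parse_unapproved(lines):
    """Yield (source address, zone) for each 'unapproved update' line."""
    for line in lines:
        m = UPDATE_RE.search(line)
        if m:
            yield ip_address(m.group("src")), m.group("zone").rstrip(".").lower()

def triage(lines, known_nets):
    """Count refused updates per (source, zone), split by whether the
    source lies inside a network where such clients are expected."""
    nets = [ip_network(n) for n in known_nets]
    expected, unexpected = Counter(), Counter()
    for src, zone in parse_unapproved(lines):
        bucket = expected if any(src in n for n in nets) else unexpected
        bucket[(str(src), zone)] += 1
    return expected, unexpected

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = """\
Jun 1 12:09:44 ns named[15567]: unapproved update from [208.160.120.131].2319 for mydomain.com
Jun 1 12:09:51 ns named[15567]: unapproved update from [208.160.120.131].2320 for mydomain.com
Jun 1 12:10:02 ns named[15567]: unapproved update from [192.0.2.77].1045 for mydomain.com
Jun 1 12:10:05 ns named[15567]: constructed unrelated message
""".splitlines()

# Assumption: the operator's own customer range, where W2K clients are expected.
KNOWN_CLIENT_NETS = ["208.160.120.0/24"]

if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOG, KNOWN_CLIENT_NETS)
    for label, counts in (("expected", expected), ("UNEXPECTED", unexpected)):
        for (src, zone), n in counts.most_common():
            print(f"{label:10} {src:18} {zone:20} {n}")
```

Sources in the unexpected bucket are the ones worth a closer look; the expected ones point at client machines that need reconfiguring.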



More information about the bind-users mailing list