Possible System Compromise

Martin McCormick martin at dc.cis.okstate.edu
Thu Feb 8 12:51:53 UTC 2001


	Is there any way to basically prevent this behavior
without breaking proper operation?  We have been using bind-8
versions for over a year, and why we have suddenly begun to
receive occasional complaints is a mystery.  The actual system
only has a handful of accounts on it and they are all
white-hats.  Obviously, if it is a bad delegation, there isn't
much we can do, but I bet it is something else.  Any of the hosts
that look to this dns will default to it if they do a local
nslookup, but their nslookup should go directly to whatever dns
they select, such that any complaints would be about the IP
address of that workstation in particular.

	I do not want to enter the finger-pointing game any more
than absolutely necessary, but is there any way that a local
workstation could query our dns and cause it to do this?  We have
only one real sea change in our population going on right now, and
it would coincide with the timing of the couple of reports we
have received.

Martin McCormick
Mark.Andrews at nominum.com writes:
>	The problem was that you were querying that server and they
>	weren't expecting you to.  The IP address was being rejected,
>	not the port.
>
>Feb  7 00:34:54 athena named[2658]: denied query from [ouraddress].42061
>for "anothersystem"    
>
>	Now you need to work out why your server queried their server.
>	The usual cause is a bad delegation.   However, it could also
>	be someone running dig/nslookup on your machine.
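One way to settle the question raised in this exchange (whether a lookup from a local workstation caused the resolver to query the remote server, as Mark suggests it might) is to enable query logging on the resolver and correlate its client queries with the remote server's "denied query" lines. The Python script below is an added example and is not code from this thread or from BIND. The log lines are constructed; the resolver lines assume the BIND 9 style querylog format (`client <ip>#<port>: query: <name> <class> <type> ...`), which differs from BIND 8's, so the regex would need adjusting for that version; the syslog year and the matching window are assumptions too.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original thread).
# Remote authoritative server's syslog line, in the same shape as the
# "denied query" line quoted above; address is a documentation-range placeholder.
REMOTE_LOG = [
    'Feb  7 00:34:54 athena named[2658]: denied query from 192.0.2.10.42061 for "host.example.net"',
]

# Local resolver's client query log, assumed to be in BIND 9 querylog style.
LOCAL_QUERYLOG = [
    'Feb  7 00:34:51 ourdns named[1234]: client 10.1.2.3#1027: query: host.example.net IN A +',
    'Feb  7 00:34:52 ourdns named[1234]: client 10.1.2.9#2200: query: www.example.org IN A +',
    'Feb  7 00:34:53 ourdns named[1234]: client 10.1.2.3#1028: query: host.example.net IN MX +',
    'Feb  7 00:40:00 ourdns named[1234]: client 10.1.2.7#3001: query: host.example.net IN A +',
]

# Syslog timestamp, host, process, then the message body of each line type.
DENIED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: denied query from '
    r'(?P<src>[\d.]+)\.(?P<port>\d+) for "(?P<name>[^"]+)"')
CLIENT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client '
    r'(?P<client>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)')


def parse_ts(ts, year=2001):
    """Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    return datetime.strptime(f'{year} {ts}', '%Y %b %d %H:%M:%S')


def _norm(name):
    return name.rstrip('.').lower()


def attribute_denied_queries(remote_lines, local_lines, window_seconds=5):
    """For each denied query logged by the remote server, return the local
    clients that asked our resolver for that name (or a name under it) within
    window_seconds before the denial. Result: {(timestamp, name): [client, ...]}.
    Both hosts' clocks must be roughly in sync for the window to be meaningful."""
    clients = []
    for line in local_lines:
        m = CLIENT_RE.match(line)
        if m:
            clients.append((parse_ts(m['ts']), m['client'], _norm(m['name'])))

    results = {}
    for line in remote_lines:
        m = DENIED_RE.match(line)
        if not m:
            continue
        t_denied = parse_ts(m['ts'])
        name = _norm(m['name'])
        suspects = {
            c for t, c, n in clients
            if (n == name or n.endswith('.' + name))
            and 0 <= (t_denied - t).total_seconds() <= window_seconds
        }
        results[(m['ts'], name)] = sorted(suspects)
    return results


if __name__ == '__main__':
    for (ts, name), who in attribute_denied_queries(REMOTE_LOG, LOCAL_QUERYLOG).items():
        print(f'{ts} denied query for {name}: candidate local clients {who or "none"}')
```

If no local client shows up inside the window, the resolver most likely reached the remote server on its own while following a delegation, which points back to the bad-delegation explanation rather than to a user running dig or nslookup.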

