Unapproved query
Mark_Andrews at isc.org
Wed Apr 24 22:25:46 UTC 2002
You need to upgrade yesterday.
http://www.isc.org/products/BIND/bind-security.html
>
> My firewall acts as a split-horizon nameserver for the internal
> network. The local machines use it for DNS, but no outside
> records should point to it. However, I'm getting hundreds of
> log messages like:
>
> Apr 24 08:46:14 firewall named[1511]: unapproved query from
> [207.46.238.97].4713 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:46:15 firewall last message repeated 2 times
> Apr 24 08:47:19 firewall named[1511]: unapproved query from
> [207.46.150.16].34336 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:47:20 firewall last message repeated 2 times
> Apr 24 09:25:12 firewall named[1511]: unapproved query from
> [207.46.238.102].64930 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:25:13 firewall last message repeated 2 times
> Apr 24 09:26:18 firewall named[1511]: unapproved query from
> [207.46.150.13].2900 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:26:19 firewall last message repeated 2 times
>
> The 207 addresses all seem to be in msn or msnbc. I'm guessing
> someone is spoofing the source so that my REJECT messages go back to
> MS and cause them problems? I don't think I did anything to get Bill G
> mad at me, except for that unlicensed copy of Excel.
>
> What I'm thinking of doing is adding an ipchains rule like:
>
> ipchains -A input -j DENY -p tcp -d xxx.xxx.xxx.xxx:42 -i eth1
>
> so that the requests will drop silently. Since I've never written
> an ipchains rule before, I thought I'd ask if anyone has done this?
> Better solution?
>
> Oh, firewall is Linux 2.2.12-20, bind is 8.2.2_P7 (yeah, I know, I
> haven't had a chance, yet, OK?).
>
> Thanks,
> Steve
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
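
Added example, not part of the original thread: a small Python tally of the "unapproved query" syslog entries quoted above, grouped by source address and query name, which credits syslog's "last message repeated N times" lines to the preceding entry and rejoins entries that were wrapped across two lines. The sample log is constructed (documentation address ranges), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the BIND 8 syslog format quoted above; addresses are
# documentation ranges, and one entry is wrapped the way the mail wrapped it.
SAMPLE_LOG = """\
Apr 24 08:46:14 firewall named[1511]: unapproved query from [192.0.2.97].4713 for "10.113.0.203.in-addr.arpa"
Apr 24 08:47:19 firewall named[1511]: unapproved query from
[198.51.100.16].34336 for "10.113.0.203.in-addr.arpa"
Apr 24 08:47:20 firewall last message repeated 2 times
Apr 24 09:25:12 firewall named[1511]: unapproved query from [192.0.2.97].64930 for "10.113.0.203.in-addr.arpa"
Apr 24 09:26:01 firewall sshd[402]: unrelated line
Apr 24 09:26:02 firewall last message repeated 5 times
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
QUERY = re.compile(r'named\[\d+\]: unapproved query from \[([\d.]+)\]\.(\d+) for "([^"]+)"')
REPEAT = re.compile(r"last message repeated (\d+) times?")


def unwrap(text):
    """Rejoin wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def count_unapproved(text):
    """Count rejected queries per (source IP, query name), including syslog repeat lines."""
    counts = Counter()
    last_key = None  # set only while the previous entry was an unapproved query
    for entry in unwrap(text):
        m = QUERY.search(entry)
        r = REPEAT.search(entry)
        if m:
            last_key = (m.group(1), m.group(3))
            counts[last_key] += 1
        elif r and last_key is not None:
            counts[last_key] += int(r.group(1))
        else:
            last_key = None  # an unrelated line ends the repeat chain
    return counts


if __name__ == "__main__":
    print(count_unapproved(SAMPLE_LOG).most_common())
```
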