unauthorized update attempts

acorns acorns at joreybump.com
Sat Feb 2 00:27:19 UTC 2002

I'm using bind-9.1.3-4, which defaults to disallow dynamic updates, so I 
realize I'm safe. Here is what is appearing in my log:

Jan 30 01:52:10 ns3 named[13195]: dynamic update failed: 'RRset exists 
(value dependent)' prerequisite not satisfied (NXRRSET)
Jan 30 01:52:10 ns3 named[13195]: client update denied

I've set up ipchains to deny this entire C class, as I have received 
other update attempts from this IP range in the past. It's not one of my 
own hosts (the IP seems to be somewhere in Asia), which makes me wonder 
what these attempts are trying to accomplish.  On my old server (running 
bind 8) the error messages were more verbose, so I could see which 
domain was targeted. We regularly bounce mail for unknown users at this 
domain, which suggests that someone might be trying to use it.

Should I assume this is a hijack attempt, or a misconfigured name 
server? Can anyone recommend any additional precautions?

More information about the bind-users mailing list