more questions on bind.....

Doug Barton DougB at DougBarton.net
Fri Oct 18 01:13:45 UTC 2002


On Thu, 17 Oct 2002, Elias wrote:

> I just upgraded to bind 8.3.3 and have been getting several CNAME errors.
> Can somebody please explain to me what they mean?
>
> late CNAME in answer section for xxx

Someone is trying to hack your resolver using one of the bugs that has
been fixed in 8.3.3 is the most likely answer. Without some more
information about your configuration (resolver? authoritative? both?) and
some examples of the logs, it's impossible to tell.

> I've also been getting tons of deny update errors in my logs daily.

Ok, so your servers are at least authoritative for some zones...  if
you're running both authoritative service and resolver service on the same
machines, you should consider splitting them onto separate servers.

> What does this mean? The IP address that gets denied in my logs come
> from all ranges. There's just too many of them. Is this some sort of an
> attack, or is it just a misconfiguration somewhere? Thanks!

Well, depending on your definitions, a little of both. Windows 2000 boxes
try to update the master name server for their domain every time they
boot, and periodically thereafter. If you have access to the broken
systems, you can reconfigure them, however it sounds like this is a bigger
problem. The best way I've found to deal with the symptoms if YOU are not
actually running dynamic dns anywhere is to make the mname in the soa
field something that resolves to 127.0.0.1. I created an A record in my
domain called 'no-dynamic-updates.mydomain.com' and changed the mname
fields for the domains I'm authoritative for to that. Of course, that
doesn't solve the actual problem, but at least it gives your name servers
a break.

Last but not least, you should really buy and read "DNS and BIND, Fourth
Edition" from O'Reilly.

Good luck,

Doug
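The SOA MNAME workaround described in the reply above, written out as a zone file fragment. This is an added example, not part of the original message: the zone name mydomain.com, the 192.0.2.x server addresses and the serial are made-up placeholders, and the record name no-dynamic-updates follows the reply's own naming.

```dns
; Added example (not from the original post): zone file for the hypothetical
; zone mydomain.com, served by a BIND master that does not use dynamic DNS.
$TTL 86400
; The MNAME (first SOA field) is the host that dynamic-update clients,
; such as Windows 2000 machines, send their UPDATE requests to.
; Pointing it at a name that resolves to 127.0.0.1 makes those clients
; send the updates to themselves, so the real name servers stay quiet.
@   IN SOA no-dynamic-updates.mydomain.com. hostmaster.mydomain.com. (
        2002101801 ; serial (placeholder, YYYYMMDDnn)
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum / negative-caching TTL

    IN NS  ns1.mydomain.com.
    IN NS  ns2.mydomain.com.

ns1 IN A   192.0.2.1    ; placeholder documentation address
ns2 IN A   192.0.2.2    ; placeholder documentation address

; The name the SOA MNAME points at; it resolves to loopback on purpose.
no-dynamic-updates IN A 127.0.0.1
```

After bumping the serial and reloading, `dig SOA mydomain.com` should show `no-dynamic-updates.mydomain.com.` as the first field of the answer, and the volume of denied updates in the logs should fall off over the following days as clients re-read the SOA. The NS records are left pointing at the real servers, so zone transfers and normal resolution are unaffected; only the MNAME hint is changed.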


