DoS?

Sam Pointer sam.pointer at hpdsoftware.com
Thu Oct 24 14:48:35 UTC 2002


I am also now receiving these from another 2 IP addresses in Mexico. Again,
because of your advice I am not concerned and post merely out of interest.
The IPs are 207.248.224.71 and 207.248.224.72, and are assigned to a
completely different company.

The records they are trying to insert are *exactly* the same..., and I mean
exactly - even down to the machine-specific portions of the records... which
leads me to think that this may be more than a simple screw-up on someone's
part.

Maybe I am being overly paranoid, maybe not (here's some examples):

client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 207.248.224.71#17100: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA

client 207.248.224.71#16265: query: PRDCMX01.hpdsc.com IN SOA
client 200.76.208.65#3711: query: PRDCMX01.hpdsc.com IN SOA

-----Original Message-----
From: Len Conrad [mailto:LConrad at Go2France.com]
Sent: 24 October 2002 14:52
To: bind-users at isc.org
Subject: Re: DoS?




>I am getting bombarded with entries in my query and syslog files. Here is a
>small subset:
>
>BIND query.log:
>client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV

Some MS GUI jockey randomly clicking on radio buttons has screwed up his MS 
DNS.

>client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV

These are queries for MS Active Directory services, located via SRV records.

The underscore domain names, their queries, and SRV records are strictly 
intranet items that should never leak out to public internet.

Like MS's other famous screw up of making all w2k/xp OS's "register" their 
A records with DNS (ie, run as dynamic zone updaters) by default, these SRV 
thingies are harmless other than filling up your logs and wasting your 
resources.

In bind,

options {blackhole {address_match_list } ; };

... will minimize the effects on your BIND machine.

Len
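
An added example, not part of either message in this thread: a short script that reads query.log lines in the format quoted above, counts Active Directory locator queries (names containing an `_msdcs` label) per client, and prints a `blackhole` list for review. The function names and the final sample line (192.0.2.10) are assumptions made for illustration.

```python
import re
from collections import Counter

# query.log line shape as quoted in this thread:
#   client <ip>#<port>: query: <name> IN <type>
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample: the first four lines come from the thread, the last is invented.
SAMPLE_LOG = """\
client 200.76.208.70#54177: query: _ldap._tcp.dc._msdcs.hpdsc.com IN SRV
client 200.76.208.70#54177: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 207.248.224.71#17100: query: _ldap._tcp.447095c0-a735-4352-81a2-e96529823cab.domains._msdcs.hpdsc.com IN SOA
client 200.76.208.65#3711: query: PRDCMX01.hpdsc.com IN SOA
client 192.0.2.10#40000: query: www.hpdsc.com IN A
"""

def is_ad_locator_name(name):
    """True if the name has an _msdcs label (AD domain controller locator).

    Deliberately narrower than "any underscore label": names such as
    _dmarc or _domainkey are legitimately queried on public servers.
    """
    labels = name.rstrip(".").lower().split(".")
    return "_msdcs" in labels

def leaking_clients(log_text, threshold=1):
    """Map client IP -> number of AD locator queries, keeping IPs at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_ad_locator_name(m.group("name")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def blackhole_stanza(ips):
    """Render the address match list for the options statement shown above."""
    entries = " ".join(f"{ip};" for ip in sorted(ips))
    return f"options {{ blackhole {{ {entries} }}; }};"

if __name__ == "__main__":
    hits = leaking_clients(SAMPLE_LOG)
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} AD locator queries")
    print(blackhole_stanza(hits))
```

`blackhole` makes named ignore every query from the listed addresses, so review the generated list before loading it.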


