Weird DNS Problems

Kevin Darcy kcd at
Tue Nov 15 22:16:56 UTC 2005

erik.c.fournier at wrote:

>We are signature based, I assume there was some sort of string match
>that was flagged.
>But I thought it was odd that being a sig based IDS, we STILL saw the
>same thing that the original poster saw. Why?

It's not that odd at all. The guy is on a 12.*.*.* network ( 
is assigned to AT&T), and it looks like AT&T's nameservers also provide 
a DNS hosting service for many of their clients' forward domains, as 
well as many reverse domains in the tree. So they're 
very popular nameservers, and it's not surprising they'd show up in a 
more-or-less random IDS flagging.

>and who is that? he said
>something about a DNS that resolved to 3 diff names...

I briefly glanced at the old thread, and it looks like there was 
something messed up with the delegations of It's a 
little strange to refer to a delegation as "a DNS that resolved to 3 
diff names": delegations are *supposed* to point to multiple 
nameservers, for redundancy -- in fact, the Internet Standards *require* 
at least 2 nameservers serve every zone. When delegations point to only 
a single nameserver and nameserver address, then that's a big fat Single 
Point of Failure. Something to be avoided.

                                                                  - Kevin
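
A check for the single point of failure described in the message above, added here as an example and not part of the original post: it reads a referral in dig-style presentation format and flags a delegation with fewer than two nameserver names, with every name resolving to one address, or with an in-zone nameserver lacking glue. The zone `example.test`, the sample records, the finding labels and the helper `audit_delegation` are constructed for illustration.

```python
import ipaddress

# Constructed referral data in dig-style presentation format. example.test and
# the 192.0.2.0/24 and 198.51.100.0/24 addresses are reserved for documentation.
HEALTHY = """\
example.test.     86400 IN NS ns1.example.test.
example.test.     86400 IN NS ns2.example.test.
ns1.example.test. 86400 IN A  192.0.2.53
ns2.example.test. 86400 IN A  198.51.100.53
"""
SINGLE = """\
example.test.     86400 IN NS ns1.example.test.
ns1.example.test. 86400 IN A  192.0.2.53
"""
# Two names, one box: looks redundant in the NS set but is not.
SHARED = HEALTHY.replace("198.51.100.53", "192.0.2.53")

def norm(name):
    return name.rstrip(".").lower()

def audit_delegation(zone, referral):
    """Return redundancy findings for one zone's delegation (hypothetical helper)."""
    zone, ns_names, glue = norm(zone), set(), {}
    for line in referral.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, comments and short lines
        owner, rtype, rdata = norm(fields[0]), fields[3].upper(), fields[4]
        if rtype == "NS" and owner == zone:
            ns_names.add(norm(rdata))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    findings = []
    if len(ns_names) < 2:
        findings.append("single-ns")  # fewer than the 2 nameservers required
    addresses = set().union(*(glue.get(n, set()) for n in ns_names))
    # Only judge addresses when every nameserver's address is in the referral.
    if ns_names and all(n in glue for n in ns_names) and len(addresses) == 1:
        findings.append("single-address")
    for n in sorted(ns_names):
        if (n == zone or n.endswith("." + zone)) and n not in glue:
            findings.append("missing-glue:" + n)  # in-zone name needs glue
    return findings

if __name__ == "__main__":
    for label, data in (("healthy", HEALTHY), ("single", SINGLE), ("shared", SHARED)):
        print(label, audit_delegation("example.test.", data))
```
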

More information about the bind-users mailing list