Weird DNS Problems
kcd at daimlerchrysler.com
Tue Nov 15 22:16:56 UTC 2005
erik.c.fournier at nga.mil wrote:
>We are signature based, I assume there was some sort of string match
>that was flagged.
>But I thought it was odd that being a sig based IDS, we STILL saw the
>same thing that the original poster saw. Why?
It's not that odd at all. The guy is on a 12.*.*.* network (188.8.131.52/8
is assigned to AT&T), and it looks like AT&T's nameservers also provide
a DNS hosting service for many of their clients' forward domains, as
well as many reverse domains in the 12.in-addr.arpa tree. So they're
very popular nameservers, and it's not surprising they'd show up in a
more-or-less random IDS flagging.
>and who is that? he said
>something about a DNS that resolved to 3 diff names...
I briefly glanced at the old thread, and it looks like there was
something messed up with the delegations of saturncorp.com. It's a
little strange to refer to a delegation as "a DNS that resolved to 3
diff names": delegations are *supposed* to point to multiple
nameservers, for redundancy -- in fact, the Internet Standards *require*
at least 2 nameservers serve every zone. When delegations point to only
a single nameserver and nameserver address, then that's a big fat Single
Point of Failure. Something to be avoided.
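As an added illustration of the single-point-of-failure point above (this is example code written for this archive page, not something from the list post or from BIND), here is a small offline checker that takes a snapshot of a zone's delegation (the NS names and the addresses each one resolves to) and reports the cases the post describes: fewer than two nameservers, several names that all resolve to one host, and, as an extra heuristic beyond what the post says, all hosts sitting on one /24 (or /48 for IPv6). The zone names and addresses are constructed placeholders, not real delegations.

```python
"""Flag single points of failure in a zone delegation (added example).

Input is a constructed, offline snapshot: for each zone, the delegated
nameserver names and the address records each name resolves to.  Names and
addresses below are made up; nothing here queries the network.
"""
import ipaddress
from typing import Dict, List

# Constructed sample delegations (hypothetical names and documentation-range addresses).
SAMPLE_DELEGATIONS: Dict[str, Dict[str, List[str]]] = {
    # Healthy: two nameservers, distinct addresses, distinct prefixes.
    "good.example": {
        "ns1.good.example": ["192.0.2.10"],
        "ns2.good.example": ["198.51.100.20"],
    },
    # Only one nameserver delegated at all.
    "lonely.example": {
        "ns1.lonely.example": ["192.0.2.10"],
    },
    # Two names, but both resolve to the same host.
    "alias.example": {
        "ns1.alias.example": ["192.0.2.10"],
        "ns2.alias.example": ["192.0.2.10"],
    },
    # Two distinct hosts, but both on the same subnet.
    "samenet.example": {
        "ns1.samenet.example": ["192.0.2.10"],
        "ns2.samenet.example": ["192.0.2.11"],
    },
}

MIN_NAMESERVERS = 2  # at least two servers per zone, as the post notes the standards require


def check_delegation(nameservers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means no single point of failure found."""
    findings: List[str] = []

    if len(nameservers) < MIN_NAMESERVERS:
        findings.append(
            f"only {len(nameservers)} nameserver(s) delegated; need at least {MIN_NAMESERVERS}"
        )

    # Collect the distinct addresses behind all delegated names.
    addrs = set()
    for name, alist in nameservers.items():
        if not alist:
            findings.append(f"{name} has no address record (unresolvable glue)")
        for a in alist:
            addrs.add(ipaddress.ip_address(a))

    # Several names that map to one address are still one host.
    if len(nameservers) >= MIN_NAMESERVERS and len(addrs) < MIN_NAMESERVERS:
        findings.append(f"all nameservers resolve to {len(addrs)} address(es): same host")

    # Heuristic: distinct hosts on one /24 (IPv4) or /48 (IPv6) likely share a link.
    prefixes = set()
    for a in addrs:
        plen = 24 if a.version == 4 else 48
        prefixes.add(ipaddress.ip_network(f"{a}/{plen}", strict=False))
    if len(addrs) >= MIN_NAMESERVERS and len(prefixes) < 2:
        findings.append("all nameserver addresses share one prefix: likely same network/link")

    return findings


def audit(delegations: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Run check_delegation over every zone in the snapshot."""
    return {zone: check_delegation(ns) for zone, ns in delegations.items()}


if __name__ == "__main__":
    for zone, findings in audit(SAMPLE_DELEGATIONS).items():
        print(f"{zone}: {'OK' if not findings else 'SPOF'}")
        for f in findings:
            print("  -", f)
```

In practice the snapshot would come from querying the parent zone's NS set and each nameserver's glue or A/AAAA records; the checker deliberately takes that as plain data so the redundancy logic can be tested without network access.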