Named errors

Gregory Hicks ghicks at cadence.com
Wed Jun 28 17:45:58 UTC 2006


> Subject: RE: Named errors
> Date: Wed, 28 Jun 2006 13:21:07 -0400
> From: "Jeff Lightner" <jlightner at water.com>
> To: <gary at catapult.com>, "Kevin Darcy" <kcd at daimlerchrysler.com>
> Cc: <bind-users at isc.org>
> 
> Well now it IS broke ain't it?
> 
> If you tell them the most likely cause is that you were hacked that in
> tandem with the fact it is not working properly should get them to let
> you upgrade.

Actually, I'd put it more 'diplomatically' as in:

" The Bind that we are using is WELL past its "use-by" date.  I need to
upgrade to a much later version.  Although I cannot positively state
that our name server has been hacked, everything I have now points to
that.

I'll also need to reinstall the OS because, if we HAVE been hacked,
after I get done cleaning things up, I really won't know with 100%
certainty that I've eliminated any/all "back-doors".  Really, the only
way to be sure we have a "secure" system is to install from scratch."

Regards,
Gregory Hicks

> 
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
> Behalf Of Gary Lopez
> Sent: Wednesday, June 28, 2006 1:07 PM
> To: Kevin Darcy
> Cc: bind-users at isc.org
> Subject: Re: Named errors
> 
> Thanks Kevin.
> I am trying to convince the company to upgrade. This is a company that
> believes in "if it ain't broke don't upgrade it".
> 
> Gary D Lopez
> Unix Systems Administrator
> Catapult Communications
> 160 S Whisman Rd
> Mountain View, CA 94041
> Ph  (650) 314-1029
> Fax (650) 960-1029
> 
> 
> Kevin Darcy wrote:
> > Gary Lopez wrote:
> >> Hello everyone,
> >> This problem started over the weekend and not sure why. I have been
> >> running the same version of bind 8.1.2 on Solaris 2.7 for the past 4
> >> years without incident. Since this weekend however I started seeing
> >> error messages about wrong ans. name and bad referrals. Is this an
> >> attack or is there something in my bind configuration I need to modify?
> >>
> >> example:
> >>
> >> Jun 27 07:21:40 named[11645]: bad referral (. !< pebble.com)
> >> Jun 27 07:21:40 DNS-server named[11645]: bad referral (169.218.in-addr.arpa !< 87.169.218.in-addr.arpa)
> >> Jun 27 07:21:40 DNS-server last message repeated 1 time
> >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (g.www.ms.akadns.net != toggle.www.ms.akadns.net)
> >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != toggle.www.ms.akadns.net)
> >> Jun 27 07:21:51 DNS-server last message repeated 5 times
> >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != g.www.ms.akadns.net)
> >> Jun 27 07:21:51 DNS-server last message repeated 3 times
> >> Jun 27 07:22:09 DNS-server named[11645]: bad referral (. !< sandgrabber.com)
> >>   
> > Probably nothing in your configuration you can do to affect this.
> > 
> > Is it an attack? Quite likely, since 8.1.2 is/was very exploitable.
> > 
> > You *really* need to upgrade. BIND 8 is up to 8.4.7, and BIND 9 (a 
> > complete rewrite and the preferred version) is up to 9.3.2.
> > 
> >
> 
> >             - Kevin
> > 
> > 
> > 
> 
> 
> 

-------------------------------------------------------------------
Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1          | Fax:      408.894.3400
San Jose, CA 95134                   | Internet: ghicks at cadence.com

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
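
One way to tally the two named messages quoted in this thread, crediting syslog's "last message repeated N times" lines to the event they follow, so the volume per name pair is visible before and after an upgrade. This is an added example, not part of any poster's message; the function name `summarize` and both regular expressions are assumptions built only from the log lines shown in the thread.

```python
import re
from collections import Counter

# Log lines quoted in the thread, one event per line.
SAMPLE = """\
Jun 27 07:21:40 named[11645]: bad referral (. !< pebble.com)
Jun 27 07:21:40 DNS-server named[11645]: bad referral (169.218.in-addr.arpa !< 87.169.218.in-addr.arpa)
Jun 27 07:21:40 DNS-server last message repeated 1 time
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (g.www.ms.akadns.net != toggle.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != toggle.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server last message repeated 5 times
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != g.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server last message repeated 3 times
Jun 27 07:22:09 DNS-server named[11645]: bad referral (. !< sandgrabber.com)
"""

# The hostname field is optional because the first quoted line lacks one.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?named\[\d+\]: "
    r"(?P<kind>bad referral|wrong ans\. name) "
    r"\((?P<got>\S+) (?:!<|!=) (?P<want>\S+)\)$")
REPEAT = re.compile(r"last message repeated (\d+) times?$")

def summarize(text):
    """Return (count per message kind, count per (kind, got, want))."""
    by_kind, by_pair = Counter(), Counter()
    last = None  # most recent named event, for syslog's repeat lines
    for line in text.splitlines():
        line = line.strip()
        m = EVENT.match(line)
        if m:
            last = (m["kind"], m["got"], m["want"])
            n = 1
        else:
            r = REPEAT.search(line)
            if not (r and last):
                last = None  # unrelated line: a later repeat is not ours
                continue
            n = int(r.group(1))
        by_kind[last[0]] += n
        by_pair[last] += n
    return by_kind, by_pair

if __name__ == "__main__":
    kinds, pairs = summarize(SAMPLE)
    for key, n in pairs.most_common():
        print(n, *key)
```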



