Oddities in my named.log. Can you explain?

Dawn Connelly dawn.connelly at gmail.com
Fri Dec 5 22:32:08 UTC 2008


Looks to me like someone took their laptop home that is configured for your
Active Directory domain and the laptop is trying to call home. I used to see
that all the time. I'm guessing that your AD domain and the domain that they
are querying are the same?

On Fri, Dec 5, 2008 at 1:17 PM, Keve Nagy <dont.spam at see.my.sig> wrote:

> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
>
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
>
> Please note that the only thing I changed here is the domain name. I did
> not capitalize it, the original domain name also got logged this way. And
> yes, the original hostname queried was "server", I did not change that
> either. These are repeatedly coming from the same source IP address, once in
> every 10-70 minutes.
> We have never had a host named "server". So why would an external machine
> keep asking for a hostname we never had? Especially with such an obvious
> name! Also, why is the domain part capitalized for these queries, and not in
> any proper/legitimate query? I assume this is what the query was for. The
> original request must have been for server.EXAMPLE.COM, having the domain
> part this way capitalized in the query itself.
> So why would a remote system look for a host named "server" that never existed
> in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
>
>
>
> *Oddity_type#2*
>
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> Again note, that I only changed the name of the domain and I did not alter
> the capitalization or the hostname. These are from another source IP
> address, but always the same one. For some reason, also looking for the host
> named "server". And a few minutes later, it seems to try to update the
> domain database.
> By the way, no host is allowed to update our DNS records. The zone files
> are updated by hand only. And this has always been the case, no exceptions.
>
>
>
> *Oddity_type#3*
>
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
>
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may be
> doing this? Are these strange hostname queries part of some standard way of
> identifying services and I just don't happen to know about this standard?
>
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
>
> --
> if you need to reply directly:
> keve(at)mail(dot)poliod(dot)hu



-- 
Google for President
YouTube for VP
in any year divisible by 4
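The pattern Dawn describes (a Windows domain member off-site, querying SOA for its own upper-cased AD domain, probing the `_msdcs`/`_ldap`/`_kerberos` DC-locator names, then sending a dynamic update that the prerequisite check rejects) can be triaged from BIND's query log itself. The script below is an added example for this thread, not code from either poster or from ISC. It assumes BIND 9's `client <ip>#<port>: view <view>: query: <name> <class> <type> <flags>` query-log format (the flags column is `+` when recursion was requested, `-` when it was not, with `E` appended when EDNS was used) and the matching `updating zone ... update unsuccessful` line; the client addresses and ports in the sample are constructed, since the original post elided them with `...`. It groups lines per client and labels each client, so the stray laptops stand out from ordinary resolver traffic and can be handed to the desktop team or blocked from the external view.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines in the post. Client addresses
# and ports are assumptions (the post replaced them with "..."); EXAMPLE.COM is
# the post's own placeholder domain.
SAMPLE_LOG = """\
client 192.0.2.10#52341: view external-in: query: server.EXAMPLE.COM IN SOA -E
client 192.0.2.10#52342: view external-in: query: www.example.com IN A +
client 198.51.100.7#49153: view external-in: query: server.EXAMPLE.COM IN SOA +
client 198.51.100.7#49154: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
client 203.0.113.5#3487: view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
client 203.0.113.5#3488: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
client 203.0.113.5#3489: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
client 203.0.113.5#3490: view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
client 203.0.113.9#1025: view external-in: query: mail.example.com IN MX +
"""

# BIND 9 query log: "client <ip>#<port>: [view <name>: ]query: <qname> <class> <type> <flags>"
# flags: '+' recursion desired, '-' recursion not desired, 'E' EDNS present.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)"
)
# BIND 9 rejected dynamic update (RFC 2136 prerequisite failure, as in the post).
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?:view \S+: )?"
    r"updating zone '(?P<zone>[^']+)': update unsuccessful: (?P<detail>.*)"
)

# Labels a Windows domain member uses to locate domain controllers and
# Kerberos services (the names seen in "Oddity_type#3").
AD_LABELS = ("_msdcs", "_ldap", "_kerberos", "_kpasswd", "_gc")


def parse_line(line: str):
    """Return a dict for a query or failed-update line, or None for anything else."""
    m = QUERY_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "query"
        return rec
    m = UPDATE_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "update_failure"
        return rec
    return None


def is_ad_locator_name(name: str) -> bool:
    """True if any label of the name is one of the AD service-discovery labels."""
    return any(label.lower() in AD_LABELS for label in name.rstrip(".").split("."))


def summarize(log_text: str):
    """Count the tell-tale patterns per client address."""
    per_client = defaultdict(lambda: {"soa_probes": 0, "ad_locator": 0,
                                      "update_failures": 0, "mixed_case": 0,
                                      "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_client[rec["ip"]]
        if rec["kind"] == "update_failure":
            stats["update_failures"] += 1
            continue
        name = rec["name"]
        # Windows sends the domain part exactly as configured, often upper-case;
        # a legitimate resolver normally forwards the name as the user typed it.
        domain_part = name.split(".", 1)[1] if "." in name else name
        if domain_part != domain_part.lower():
            stats["mixed_case"] += 1
        soa = rec["type"] == "SOA"
        ad = is_ad_locator_name(name)
        if soa:
            stats["soa_probes"] += 1
        if ad:
            stats["ad_locator"] += 1
        if not (soa or ad):
            stats["other"] += 1
    return per_client


def classify_client(stats) -> str:
    """Rule of thumb for triage; the labels are this example's, not BIND's."""
    if stats["update_failures"] and stats["soa_probes"]:
        return "stray AD member attempting dynamic update"
    if stats["ad_locator"]:
        return "stray AD member running DC locator"
    if stats["soa_probes"] and stats["mixed_case"]:
        return "SOA probe with upper-case domain (likely Windows client)"
    return "ordinary resolver traffic"


def report(log_text: str) -> dict:
    """Map each client address to its triage label."""
    return {ip: classify_client(s) for ip, s in summarize(log_text).items()}


if __name__ == "__main__":
    for ip, label in sorted(report(SAMPLE_LOG).items()):
        print(f"{ip:16} {label}")
```

Run against a real `named.log`, feed the file contents to `report()` instead of `SAMPLE_LOG`; the rejected-update lines only appear because the zone's `allow-update` policy (here: none) is already doing its job, so the labels are for finding the machines, not for changing the server's policy.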