Hack Attempt?

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 27 16:41:15 UTC 2013

On 27/03/13 15:57, Manson, John wrote:
> Found this entry in external named log:
> Mar 26 20:07:18 local at mercury named[4043]: [ID 873579 daemon.notice]
> client **#39043: view outhouse: notify question section
> contains no SOA
> This IP is not one of mine.
> Does the word ‘notify’ relate to zone transfers or something else?

NOTIFY is a type of DNS message that a master sends to slaves to tell them 
a new zone is available now (rather than waiting for the refresh to expire).

You wouldn't normally expect to see NOTIFY from clients, but maybe that 
IP is (or thinks it is) a master for a zone you slave?

It might be someone just playing (testing, etc.) or a typo (packet sent 
to wrong nameserver). It's unlikely to be a concerted hack, but even if 
it was it wouldn't matter because you're all up-to-date with patches, right?

Our authoritative resolvers get a *tremendous* amount of crap that they 
shouldn't see. From this, I conclude there's a lot of broken or 
malicious stuff out there, but there's no real solution.
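
The check behind the quoted log line, as an added example that is not part of the original post and is not BIND's own code: it reads a raw DNS message, tests for the NOTIFY opcode (4, RFC 1996) and reports whether the question section carries an SOA question. The function names, result labels and sample packets are constructed for illustration.

```python
import struct

OPCODE_NOTIFY = 4   # RFC 1996
TYPE_SOA = 6        # RFC 1035

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length

def classify(msg):
    """Label a raw DNS message; the labels are hypothetical, not BIND output."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_NOTIFY:
        return "not-notify"
    off, qtypes = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
        qtypes.append(qtype)
        off += 4
    if not qtypes:
        return "notify-empty-question"
    if TYPE_SOA not in qtypes:
        return "notify-no-soa"          # the case the quoted log line names
    return "notify-soa"

def build(opcode, qname, qtype):
    """Build a one-question message (constructed sample data, class IN)."""
    header = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)
```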

