Re: repeated zone transfer denied

From: Dave Dittrich (dittrichat_private)
Date: Tue Oct 09 2001 - 00:37:06 PDT

  • Next message: Christian Sarmoria: "Re: Port 17889 - new attack?"

    On Mon, 8 Oct 2001, Ray wrote:
    > I have got the following message in syslog file every 20 minutes for many
    > consecutive days. It appear to come from the same IP.  Anybody have idea
    > what he intend to do ?
    > Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client
    > zone transfer denied
    > <repeated 4 times>
    Could be this (pain in the #^$$) courtesy of Microsoft's default
    configuration of Win2K and failure for it to stop trying after, oh
    say, the first 100 failures!)
    This is part of the boilerplate I occasionally send out to dozens
    of network contacts/admins...
        This is a generic message intended for the owners/administrators of
        Windows 2000 systems ...
                      ... attempting unauthorized DNS zone updates as
        a result of unsupported Windows 2000 Dynamic DNS configurations.
    One or more of your systems ...    most likely Windows 2000 systems
    with default Dynamic DNS configurations, are making repeated attempts
    to update DNS mappings on the UW central DNS servers.  We do not
    support this, so these show up in our reports as refused attempts.
    We are sending this message to identify and assist those
    people who have mis-configured Windows 2000 systems.
    If you are ... you should have
    already received instructions on how to turn off Dynamic DNS.
    If not, the following references should assist you:
      How to Enable/Disable Windows 2000 Dynamic DNS Registrations
      How to Disable Windows 2000 Dynamic Domain Name System Registrations
      with Group Policy
    If you have any questions about turning off Dynamic DNS updates,
    please contact ... and request assistance.
    This problem has lasted longer than Code Red, and is just as hard to
    deal with in trying to get in touch with admins and get them to fix
    (Then again, could be someone who just downloaded a bind sploit. ;)
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services    University of Washington
    PGP key
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 08:33:00 PDT