Re: repeated zone transfer denied

From: Dave Dittrich (dittrichat_private)
Date: Tue Oct 09 2001 - 11:54:19 PDT


    On Tue, 9 Oct 2001, Dave Dittrich wrote:
    
    > On Mon, 8 Oct 2001, Ray wrote:
    >
    > > I have got the following message in syslog file every 20 minutes for many
    > > consecutive days. It appears to come from the same IP.  Anybody have an idea
    > > what he intends to do?
    > >
    > >
    > > Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
    > > zone transfer denied
    > > <repeated 4 times>
    >
    > Could be this (pain in the #^$$) courtesy of Microsoft's default
    > configuration of Win2K and failure for it to stop trying after, oh
    > say, the first 100 failures!)...
    
    I think I read Ray's error message too quickly.  I was referring to
    refused zone UPDATES, not zone TRANSFERS.
    
    Someone from Microsoft pointed out that DDNS queries don't use zone
    transfers, which made me go back to the reports I see (every day)
    of processed logs, which look like:
    
    
    Unapproved zone updates:
    
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXX.XXX.128.in-addr.arpa
    57 occurrences of: denied update from [128.XXX.XXX.XXX] for XXXXXX.washington.edu
                             [600 lines deleted]
    
    115 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    191 occurrences of: denied update from [65.XXX.XXX.XXX] for XXXX.washington.edu
    560 occurrences of: denied update from [61.XXX.XXX.XX] for XXXX.org
    596 occurrences of: denied update from [61.XXX.XX..X] for XXXX.org
    60 occurrences of: denied update from [216.XXX.XX.XX] for XXXXXXX.washington.edu
    
    (I'd hate to see the full system log!)
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 12:27:33 PDT
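
The distinction drawn in the message above (denied zone transfers versus denied dynamic updates) can be kept separate when summarizing named logs. The following is an added example, not code from the original post or from the tool that produced the report quoted there: it assumes the two message shapes shown in the thread, uses constructed sample lines with documentation addresses, and assumes syslogd's "last message repeated N times" form for collapsed repeats.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses and zones), using
# the two message shapes quoted in the thread.
SAMPLE_LOG = """\
Oct  8 05:40:34 ns1 /usr/sbin/named[2073]: client 192.0.2.26#53383: zone transfer denied
Oct  8 06:00:35 ns1 /usr/sbin/named[2073]: client 192.0.2.26#53391: zone transfer denied
Oct  8 06:01:02 ns1 named[411]: denied update from [198.51.100.7] for example.org
Oct  8 06:01:09 ns1 named[411]: denied update from [198.51.100.7] for example.org
Oct  8 06:02:44 ns1 named[411]: denied update from [203.0.113.9] for 2.0.192.in-addr.arpa
Oct  8 06:03:00 ns1 named[411]: last message repeated 4 times
"""

TRANSFER = re.compile(r"client (?P<ip>[\d.]+)#\d+: zone transfer denied")
# \S* tolerates any suffix glued to the closing bracket
UPDATE = re.compile(r"denied update from \[(?P<ip>[\d.]+)\]\S* for (?P<zone>\S+)")
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times?")

def summarize(lines):
    """Count denials keyed by (kind, source_ip, zone); zone is None for transfers."""
    counts, last_key = Counter(), None
    for line in lines:
        if (m := REPEAT.search(line)):
            # syslogd collapsed N copies of the previous line: credit them to it
            if last_key is not None:
                counts[last_key] += int(m["n"])
            continue
        if (m := TRANSFER.search(line)):
            last_key = ("transfer", m["ip"], None)
        elif (m := UPDATE.search(line)):
            last_key = ("update", m["ip"], m["zone"])
        else:
            last_key = None  # unrelated line; a later repeat refers to it, not to us
            continue
        counts[last_key] += 1
    return counts

def report(counts):
    """Render two sections so transfers and updates are never conflated."""
    out = ["Denied zone transfers:"]
    for (kind, ip, zone), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][2] or "")):
        if kind == "transfer":
            out.append(f"{n} occurrences of: zone transfer denied for client {ip}")
    out.append("Unapproved zone updates:")
    for (kind, ip, zone), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][2] or "")):
        if kind == "update":
            out.append(f"{n} occurrences of: denied update from [{ip}] for {zone}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```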