From owner-freebsd-isp  Wed May 27 06:54:51 1998
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id GAA04234
          for freebsd-isp-outgoing; Wed, 27 May 1998 06:54:51 -0700 (PDT)
          (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from domino.primelink.com (domino.primelink.com [206.24.58.56])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA04214
          for <freebsd-isp@freebsd.org>; Wed, 27 May 1998 06:54:47 -0700 (PDT)
          (envelope-from kbrown@primelink.com)
From: kbrown@primelink.com
Received: by domino.primelink.com(Lotus SMTP MTA v4.6.1  (569.2 2-6-1998))  id 86256611.004C91C0 ; Wed, 27 May 1998 08:56:20 -0500
X-Lotus-FromDomain: HUBER & ASSOCIATES
To: freebsd-isp@FreeBSD.ORG
Message-ID: <86256611.004C1906.00@domino.primelink.com>
Date: Wed, 27 May 1998 08:56:13 -0500
Subject: strange named syslog entries
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Time for another round of named syslog entries questions...

After getting nailed by the latest round of exploit attempts of bind 4.9.3
I recently upgraded to 8.1.1 and have been watching it very closely.

Over the past couple of days, I have found the following entries in my
syslog which concern me:

May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !<
125.29.206.in-addr.arpa)
May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !<
125.29.206.in-addr.arpa)
May 20 21:00:33 ns1 named[4752]: bad referral (com !< INFIND.com)
May 21 15:13:24 ns1 named[4752]: bad referral (com !< INFIND.com)
May 25 01:59:16 ns1 named[4752]: bad referral (83.72.170.38.in-addr.arpa !<
 *.170.38.in-addr.arpa)
May 25 02:05:46 ns1 named[4752]: bad referral (2.181.165.38.in-addr.arpa !<
 *.165.38.in-addr.arpa)
May 26 08:11:27 ns1 named[4752]: bad referral (ATT.net !<
NS.ELS-GMS.ATT.NET)
May 26 15:03:35 ns1 named[4752]: bad referral (com !<
microsoft-online-sales.com)

What is the cause of this?



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message