From owner-freebsd-security Wed Aug 23 22:12:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id F082D37B42C for ; Wed, 23 Aug 2000 22:12:43 -0700 (PDT)
Received: from forge (www.kpi.com.au [203.39.132.210]) by www.kpi.com.au (8.9.3/8.9.3) with SMTP id PAA11609; Thu, 24 Aug 2000 15:16:34 +1000 (EST) (envelope-from shevlandj@kpi.com.au)
From: "Joe Shevland"
To: "Igor Roshchin" ,
Subject: RE: named -- unapproved update (?)
Date: Thu, 24 Aug 2000 15:18:03 +1000
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <200008240457.AAA03676@giganda.komkon.org>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm out of my depth here to answer all your questions, but 1) Win2K has a 'feature' to automatically update the DNS with its information, which may be what you're seeing. I see a lot of 'microsoft-ds' packets floating around anyway from the Win2K boxes. I can't fathom what an abortion of a feature this is.

3) I'm not sure, I suspect a broadcast UDP request (??)

and finally, yes, I believe you can turn this behaviour off in the LAN settings (uncheck the 'Register this connection's details in the DNS' checkbox in Control Panel->Network Settings->LAN->TCP/IP->Advanced settings).

Keen to know more on this also,

Joe

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Igor Roshchin
> Sent: Thursday, August 24, 2000 2:58 PM
> To: security@FreeBSD.ORG
> Subject: named -- unapproved update (?)
>
> Hello!
>
> I recently started a named server on one of the computers.
> This server is not announced as a primary or secondary DNS server
> for any of the domains, nor is it listed in /etc/resolv.conf
> of any computer (besides the computer it's running on).
>
> Immediately, I started seeing a message:
> Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [XXX.XXX.XXX.NNN].4110 for clientdomain.com
> where "clientdomain.com" is one of the local domains, and
> apparently the querying host is in that domain (i.e. strangehost.clientdomain.com), and is
> physically on the same segment of the network (XXX.XXX.XXX),
> and on the same internal (Ethernet) network.
> This message appears two or four times at once, and each such group
> is spaced from the next by 1-2 to 10 minutes.
>
> Unfortunately I currently have no access to that box, and all I
> know is that it's running Windows (2000?). I am sure it does not have MYHOST in any of the
> configurations.
>
> Questions:
> 1. What do those requests mean?
> 2. What are the possible reasons for them?
> 3. How did [could?] that host discover the DNS running,
> except by scanning all local hosts? Why would it do that?
> I know that there exists some trojan that sends some strange queries
> to DNS servers, basically scanning some networks, but it is somewhat
> different here.
> Any ideas what all this could be?
> Or is it just Windows 2000 strangeness? If so, is there any
> way to get rid of those annoying messages?
>
> Thanks,
>
> Igor
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
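An added example, not part of the thread and not code from either poster: a small Python script that summarizes named's "unapproved update" log lines the way an admin would to tell Igor's two candidate explanations apart. A single Windows box registering its own address keeps hitting one zone in small bursts (the 2-or-4-at-a-time pattern Igor describes), whereas something probing the network tends to touch several zones from one source. The line format is the BIND 8 one quoted in the thread; the source addresses (192.0.2.x documentation range), zone names, the assumed year 2000 and the 60-second burst window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches BIND 8's rejected-dynamic-update syslog line, as quoted in the thread:
#   Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [10.0.0.5].4110 for example.com
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[\d+\]: unapproved update from "
    r"\[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)

# Constructed sample log (not from the list post): one host re-registering itself in
# bursts against a single zone, a second host touching three zones, and an unrelated line.
SAMPLE_LOG = """\
Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [192.0.2.17].4110 for clientdomain.com
Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [192.0.2.17].4111 for clientdomain.com
Aug 21 18:23:02 MYHOST named[1480]: unapproved update from [192.0.2.17].4120 for clientdomain.com
Aug 21 18:23:02 MYHOST named[1480]: unapproved update from [192.0.2.17].4121 for clientdomain.com
Aug 21 18:23:03 MYHOST named[1480]: unapproved update from [192.0.2.17].4122 for clientdomain.com
Aug 21 18:23:03 MYHOST named[1480]: unapproved update from [192.0.2.17].4123 for clientdomain.com
Aug 21 18:30:10 MYHOST named[1480]: unapproved update from [192.0.2.99].2048 for clientdomain.com
Aug 21 18:30:11 MYHOST named[1480]: unapproved update from [192.0.2.99].2049 for otherdomain.org
Aug 21 18:30:12 MYHOST named[1480]: unapproved update from [192.0.2.99].2050 for example.net
Aug 21 18:31:00 MYHOST sshd[201]: Accepted publickey for joe from 192.0.2.5 port 50000
"""


def parse_unapproved_updates(text, year=2000):
    """Return [(timestamp, src_ip, zone), ...] for matching lines; other lines are skipped.
    syslog timestamps carry no year, so one is assumed (year=2000 here) purely so that
    timestamps can be subtracted; logs spanning New Year would need care."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["zone"]))
    return events


def bursts(events, gap=timedelta(seconds=60)):
    """Group events per (src, zone) into bursts: consecutive events closer than `gap`
    belong to the same burst. Returns {(src, zone): [burst_size, ...]} in time order,
    which reproduces the "two or four at once, then minutes of quiet" pattern."""
    by_key = defaultdict(list)
    for ts, src, zone in events:
        by_key[(src, zone)].append(ts)
    out = {}
    for key, times in by_key.items():
        times.sort()
        sizes, last = [], None
        for t in times:
            if last is None or t - last > gap:
                sizes.append(1)
            else:
                sizes[-1] += 1
            last = t
        out[key] = sizes
    return out


def classify(events, probe_if_zones_at_least=2):
    """Heuristic (an assumption, not a rule from the thread): a source that only ever
    targets one zone looks like a host self-registering via dynamic DNS; a source that
    targets several zones looks more like a probe or scanner and deserves a closer look."""
    zones = defaultdict(set)
    for _, src, zone in events:
        zones[src].add(zone)
    return {
        src: ("multi-zone probe" if len(z) >= probe_if_zones_at_least else "self-registration")
        for src, z in zones.items()
    }


if __name__ == "__main__":
    ev = parse_unapproved_updates(SAMPLE_LOG)
    for (src, zone), sizes in sorted(bursts(ev).items()):
        print(f"{src} -> {zone}: {sum(sizes)} rejected updates in bursts of {sizes}")
    for src, label in sorted(classify(ev).items()):
        print(f"{src}: {label}")
```

Run it against `/var/log/messages` by feeding the file's contents to `parse_unapproved_updates`. The messages themselves only say that named rejected the update, which is BIND's default for a zone with no `allow-update` clause, so the check worth making is that the affected zone really has no such clause; the client-side cure is the checkbox Joe describes, and the burst sizes tell you whether one box or many are doing it.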