Date: Thu, 24 Aug 2000 15:18:03 +1000
From: "Joe Shevland" <shevlandj@kpi.com.au>
To: "Igor Roshchin" <str@giganda.komkon.org>, <security@FreeBSD.ORG>
Subject: RE: named -- unapproved update (?)
Message-ID: <NEBBKPJCEMMGFBLGLENGGEHHCAAA.shevlandj@kpi.com.au>
In-Reply-To: <200008240457.AAA03676@giganda.komkon.org>
I'm out of my depth here to answer all your questions, but 1) Win2K has a 'feature' to automatically update the DNS with its information which may be what you're seeing. I see a lot of 'microsoft-ds' packets floating around anyway from the Win2K boxes. I can't fathom what an abortion of a feature this is. 3) I'm not sure, I suspect a broadcast UDP request (??) and finally, yes, I believe you can turn this behaviour off in the LAN settings (uncheck the 'Register this connection's details in the DNS' checkbox in your Control Panel->Network Settings->LAN->TCP/IP->Advanced settings).

Keen to know more on this also,
Joe

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Igor Roshchin
> Sent: Thursday, August 24, 2000 2:58 PM
> To: security@FreeBSD.ORG
> Subject: named -- unapproved update (?)
>
> Hello!
>
> I recently started a named server on one of the computers.
> This server is not announced as a primary or secondary DNS server
> for any of the domains, nor is it listed in /etc/resolv.conf
> of any computer (besides the computer it's running on).
>
> Immediately, I started seeing a message:
> Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [XXX.XXX.XXX.NNN].4110 for clientdomain.com
> where "clientdomain.com" is one of the local domains, and
> apparently the querying host is
> in that domain (i.e. strangehost.clientdomain.com), and is
> physically on the same segment of the network (XXX.XXX.XXX),
> and on the same internal (Ethernet) network.
> This message appears twice or four times at once, and each such group
> is spaced from each other by 1-2 to 10 minutes.
>
> Unfortunately currently I have no access to that box, and all I
> know is that it's running Windows (2000?). I am sure it does not have MYHOST in any of the
> configurations.
>
> Questions:
> 1. What do those requests mean?
> 2. What are the possible reasons for them?
> 3. How did [could?] that host discover the DNS running,
> except for by scanning all local hosts? Why would it do that?
> I know that there exists some trojan that sends some strange queries
> to DNS servers, basically scanning some networks, but it is somewhat
> different here.
> Any ideas what all this could be?
> Or is it just Windows 2000 strangeness? If so, is there any
> way to get rid of those annoying messages?
>
> Thanks,
>
> Igor
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
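The "unapproved update" lines Igor quotes are named refusing a dynamic-update request. To tell one Win2K box re-registering itself apart from something probing many zones, it helps to aggregate the log by source address and zone and look at how the bursts are spaced. This is an added example, not code from the thread; the syslog lines are constructed in the same format as the quoted one, with RFC 5737 documentation addresses standing in for the masked XXX.XXX.XXX.NNN.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the FreeBSD syslog format quoted in the thread
# (facility.level tag, then host, then the named message). Addresses are
# RFC 5737 documentation space, not real hosts.
SAMPLE_LOG = """\
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.17].4110 for clientdomain.com
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.17].4111 for clientdomain.com
Aug 21 18:20:02 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.17].4112 for clientdomain.com
Aug 21 18:20:02 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.17].4113 for clientdomain.com
Aug 21 18:29:45 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.40].1033 for otherdomain.example
Aug 21 18:30:00 <daemon.notice> MYHOST named[1480]: lame server resolving 'x.example' (in 'example'?): 192.0.2.9#53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?named\[\d+\]: "
    r"unapproved update from \[(?P<client>[^\]]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)

def parse_unapproved_updates(text, year=2000):
    """Yield (timestamp, client, port, zone) for each rejected dynamic update.
    syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other named messages are not of interest here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], int(m["port"]), m["zone"]

def summarize(text, burst_window=5):
    """Per (client, zone): total events, number of bursts (events closer than
    burst_window seconds are one burst) and the gaps between bursts in seconds.
    A single host hitting a single zone in bursts a few minutes apart fits a
    registrant retrying; many clients or many zones would look different."""
    per_key = defaultdict(list)
    for ts, client, _port, zone in parse_unapproved_updates(text):
        per_key[(client, zone)].append(ts)
    summary = {}
    for key, stamps in per_key.items():
        stamps.sort()
        burst_starts = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() > burst_window:
                burst_starts.append(cur)
        gaps = [int((b - a).total_seconds()) for a, b in zip(burst_starts, burst_starts[1:])]
        summary[key] = {"events": len(stamps), "bursts": len(burst_starts), "gaps_s": gaps}
    return summary
```

Running summarize over the real log (with the correct year) gives one row per source and zone, so a box that only ever touches its own domain every few minutes stands out from anything wider.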