Date:      Wed, 23 Aug 2000 22:29:29 -0700
From:      "Craig Critchley" <cac@fuzzer.com>
To:        "Igor Roshchin" <str@giganda.komkon.org>, <security@FreeBSD.ORG>
Subject:   Re: named -- unapproved update (?)
Message-ID:  <0ef801c00d8c$468ea570$0201010a@craigc>
References:  <200008240457.AAA03676@giganda.komkon.org>

If it is indeed Windows 2000 machine with Active Directory Service stuff
going on it, it is trying to do a dynamic DNS update.

Basically it wants to add its name and IP to the zone it's configured to be
in.  ADS will do this to any DNS it is configured to query, and it won't
give up.  This is a Microsoft misfeature.  It can be turned off by a
registry entry, but there is no UI for it - look in MS's knowledge base (I'm
sorry that I don't have the details immediately available.)  Or have them
get rid of ADS entirely.

How exactly it found your machine to update is not clear to me.  Perhaps it
is broadcasting to the subnet.  I don't pretend to understand Active
Directory Service, all I've done is turn it off once or twice.

                    ...Craig

----- Original Message -----
From: "Igor Roshchin" <str@giganda.komkon.org>
To: <security@FreeBSD.ORG>
Sent: Wednesday, August 23, 2000 9:57 PM
Subject: named -- unapproved update (?)


>
> Hello!
>
> I recently started a named server on one of the computers.
> This server is not announced as a primary or secondary DNS server
> for any of domains, nor is it listed in /etc/resolv.conf
> of any computer (besides the computer it's running on).
>
> Immediately, I started seeing a message:
> Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [XXX.XXX.XXX.NNN].4110 for clientdomain.com
> where "clientdomain.com" is one of the local domains, and apparently the
> querying host is in that domain (i.e. strangehost.clientdomain.com), and is
> physically on the same segment of the network (XXX.XXX.XXX),
> and on the same internal (Ethernet) network.
> This message appears twice or four times at once, and each such group
> is spaced from each other by 1-2 to 10 minutes.
>
> Unfortunately currently I have no access to that box, and all I know is that
> it's running Windows (2000?). I am sure it does not have MYHOST in any of the
> configurations.
>
> Questions:
> 1. What do those requests mean?
> 2. What are the possible reasons for them?
> 3. How did [could?] that host discover the DNS running,
> except for by scanning all local hosts? Why would it do that?
> I know that there exists some trojan that sends some strange queries
> to DNS servers, basically scanning some networks, but it is somewhat
> different here.
> Any ideas what all this could be?
> Or is it just Windows 2000 strangeness? If so, is there any
> way to get rid of those annoying messages?
>
> Thanks,
>
> Igor



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
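The "unapproved update" log lines discussed in this thread, as an added triage example that is not part of the thread: a small Python parser that pulls those messages out of a named syslog, groups them by source address and zone, and measures the spacing between bursts, so an operator can tell a persistently retrying dynamic-DNS registrant from a one-off. The sample log lines, addresses and host name below are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format quoted in the thread
# (192.0.2.x are documentation addresses, MYHOST is a placeholder).
SAMPLE_LOG = """\
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.55].4110 for clientdomain.com
Aug 21 18:18:31 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.55].4111 for clientdomain.com
Aug 21 18:20:02 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.55].4112 for clientdomain.com
Aug 21 18:28:40 <daemon.notice> MYHOST named[1480]: unapproved update from [192.0.2.77].1034 for example.net
Aug 21 18:29:10 <daemon.notice> MYHOST named[1480]: lame server resolving 'foo.example'
"""

# Timestamp, optional <facility.level> tag, host, named[pid], then the update message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:<[\w.]+> )?\S+ named\[\d+\]: "
    r"unapproved update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)


def parse_unapproved_updates(text, year=2000):
    """Return (timestamp, source_ip, source_port, zone) for each matching line.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated named messages are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["port"]), m["zone"]))
    return events


def summarize(events, burst_gap_seconds=60):
    """Per (source, zone): total count, number of bursts, and the longest gap
    between bursts. Events closer than burst_gap_seconds belong to one burst."""
    by_key = defaultdict(list)
    for ts, src, _port, zone in events:
        by_key[(src, zone)].append(ts)
    summary = {}
    for key, stamps in by_key.items():
        stamps.sort()
        bursts, gaps = 1, []
        for prev, cur in zip(stamps, stamps[1:]):
            delta = (cur - prev).total_seconds()
            if delta > burst_gap_seconds:
                bursts += 1
                gaps.append(delta)
        summary[key] = {"count": len(stamps), "bursts": bursts,
                        "max_gap_s": max(gaps, default=0.0)}
    return summary
```

A source that keeps producing new bursts for the same zone every few minutes is behaving like the retrying registrant described above; a single event from a host is worth less attention.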