From owner-freebsd-security Thu Aug 24 0:54:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from plum.flirble.org (plum.flirble.org [195.40.6.20]) by hub.freebsd.org (Postfix) with ESMTP id 7C56237B424 for ; Thu, 24 Aug 2000 00:54:33 -0700 (PDT)
Received: from scot (helo=localhost) by plum.flirble.org with local-esmtp (Exim 3.12 #5) id 13RrqA-000Lxc-00; Thu, 24 Aug 2000 08:54:22 +0100
Date: Thu, 24 Aug 2000 08:54:22 +0100 (BST)
From: scot@poptart.org
X-Sender: scot@plum.flirble.org
To: Igor Roshchin
Cc: security@freebsd.org
Subject: Re: named -- unapproved update (?)
In-Reply-To: <200008240457.AAA03676@giganda.komkon.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yeah - I had the same thing when I installed a Win2K server. It tried to
poke SRV entries at the primary NS for the zone that corresponds to its
domain, for stuff like the domain's Active Directory and Kerberos hosts.
That's why it checks name servers during install and usually wants to
become a master for that zone.

We've moved our Win2K servers into a subdomain that we allow updates to
(eg. win2k.my.domain) which fixed everything.

Hope that helps

Scot

On Thu, 24 Aug 2000, Igor Roshchin wrote:

>
> Hello!
>
> I recently started a named server on one of the computers.
> This server is not announced as a primary or secondary DNS server
> for any of domains, nor is it listed in /etc/resolv.conf
> of any computer (besides the computer it's running on).
>
> Immediately, I started seeing a message:
> Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [XXX.XXX.XXX.NNN].4110 for clientdomain.com
> where "clientdomain.com" is one of the local domains, and apparently the querying host is
> in that domain (i.e. strangehost.clientdomain.com), and is
> physically on the same segment of the network (XXX.XXX.XXX),
> and on the same internal (Ethernet) network.
> This message appears twice or four times at once, and each such group
> is spaced from each other by 1-2 to 10 minutes.
>
> Unfortunately currently I have no access to that box, and all I know is that it's
> running Windows (2000?). I am sure it does not have MYHOST in any of the
> configurations.
>
> Questions:
> 1. What do those requests mean?
> 2. What are the possible reasons for them?
> 3. How did [could?] that host discover the DNS running,
> except for by scanning all local hosts? Why would it do that?
> I know that there exists some trojan that sends some strange queries
> to DNS servers, basically scanning some networks, but it is somewhat
> different here.
> Any ideas what all this could be?
> Or is it just Windows 2000 strangeness? If so, is there any
> way to get rid of those annoying messages?
>
> Thanks,
>
> Igor
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
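A small triage script for the `unapproved update` messages Igor quotes, added here as an example and not part of either post. It parses the BIND log format shown above, groups rejected updates by client and zone, and counts the bursts Igor describes (several lines at once, then minutes of silence), which is the pattern a Windows 2000 host re-registering its SRV records produces. The sample log lines, the hostname MYHOST, and the 192.0.2.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the BIND 8 message format quoted in the thread:
# "Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [IP].PORT for ZONE"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"unapproved update from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)$"
)

def parse_unapproved(lines):
    """Return (timestamp, ip, port, zone) for every 'unapproved update' line; other named output is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year; datetime defaults to 1900, which is fine for deltas within one run
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), int(m.group("port")), m.group("zone")))
    return events

def summarize(lines, burst_gap=60):
    """Per (client ip, zone): total rejected updates, number of bursts, and the source ports used.
    A new burst starts when consecutive events are more than burst_gap seconds apart."""
    by_client = defaultdict(list)
    for ts, ip, port, zone in parse_unapproved(lines):
        by_client[(ip, zone)].append((ts, port))
    report = {}
    for key, evs in by_client.items():
        evs.sort()
        bursts = 1
        for (prev, _), (cur, _) in zip(evs, evs[1:]):
            if (cur - prev).total_seconds() > burst_gap:
                bursts += 1
        report[key] = {"count": len(evs), "bursts": bursts, "ports": sorted(p for _, p in evs)}
    return report

# Constructed sample: two events at once, four two minutes later, two ten minutes after that,
# one unrelated named message, and one update aimed at a delegated subdomain.
SAMPLE_LOG = """Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [192.0.2.55].4110 for clientdomain.com
Aug 21 18:18:31 MYHOST named[1480]: unapproved update from [192.0.2.55].4111 for clientdomain.com
Aug 21 18:20:02 MYHOST named[1480]: unapproved update from [192.0.2.55].4112 for clientdomain.com
Aug 21 18:20:02 MYHOST named[1480]: unapproved update from [192.0.2.55].4113 for clientdomain.com
Aug 21 18:20:03 MYHOST named[1480]: unapproved update from [192.0.2.55].4114 for clientdomain.com
Aug 21 18:20:03 MYHOST named[1480]: unapproved update from [192.0.2.55].4115 for clientdomain.com
Aug 21 18:30:45 MYHOST named[1480]: unapproved update from [192.0.2.55].4116 for clientdomain.com
Aug 21 18:30:45 MYHOST named[1480]: unapproved update from [192.0.2.55].4117 for clientdomain.com
Aug 21 18:31:00 MYHOST named[1480]: Lame server on 'example.net' (in 'example.net'?): [192.0.2.9].53
Aug 21 18:40:10 MYHOST named[1480]: unapproved update from [192.0.2.77].1033 for win2k.clientdomain.com"""

if __name__ == "__main__":
    for (ip, zone), info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> {zone}: {info['count']} rejected updates in {info['bursts']} bursts, ports {info['ports']}")
```

A client that repeatedly targets the parent zone in short bursts is the symptom Scot's subdomain delegation removes; a client whose updates already land on the delegated subdomain only needs that zone's allow-update list checked.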