Date: Mon, 27 Sep 1999 22:34:12 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199909280534.WAA86235@apollo.backplane.com>
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: DNS Concern?
References: <199909280449.WAA14300@mt.sri.com>

:>From my logfile (not modified to protect the innocent..)
:----------------------------------------------
:Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
:Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) All possible A RR's lame
:Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
:Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) All possible A RR's lame
:----------------------------------------------
:
:
:Is this anything to be concerned about?
:
:
:Nate

    No.  216.181.127.2 is listed as a NS record by hackerz.org's two DNS sites. hackerz.org must have screwed something up, which doesn't surprise me at all. Their NIC listed NS records do not match their zone-listed NS records. While this isn't illegal (NIC listed NS records are used like a bootstrap), my opinion from reading their zone is that they are somewhat confused. In any case, it means that your machine is fine: it's using information gotten from the right place rather than information spoofed into your DNS cache.

    Your log entry simply indicates that 216.181.127.2 was not returning authoritative information on the zone on that day, yet was listed as an NS record (i.e. sites which must return authoritative data). It looks like they fixed whatever the problem was; 216.181.127.2 is now returning authoritative information.

    I find the reverse lookup for 216.181.127.2 to be highly amusing:

    apollo:/home/dillon> nslookup 216.181.127.2
    Server:  apollo.backplane.com
    Address:  216.240.41.2

    Name:    theinternicsucksshit.com
    Address:  216.181.127.2

    heh heh.  There is no forward lookup for theinternicsucksshit.com, which may also be causing a problem.

					-Matt
					Matthew Dillon
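
Added example, not part of the original message or of BIND: a small triage script that groups the ns_resp/ns_forw entries quoted above by queried name and by the name server address they mention, so a lame-delegation report like this one can be told apart from other resolver log lines at a glance. The function name, regular expressions and report layout are assumptions made for this illustration; the sample input is the four log lines from the message.

```python
import re
from collections import defaultdict

# The four log lines quoted in the message above (BIND named, syslog format).
SAMPLE_LOG = """\
Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
Sep 24 23:21:26 ns named[17685]: ns_resp: query(hackerz.org) All possible A RR's lame
Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) A RR negative cache entry (216.181.127.2:)
Sep 24 23:21:26 ns named[17685]: ns_forw: query(hackerz.org) All possible A RR's lame
"""

# Assumed patterns, written to fit the entry shapes shown above.
LINE_RE = re.compile(
    r"named\[\d+\]: (?P<func>ns_resp|ns_forw): "
    r"query\((?P<name>[^)]+)\) (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):?\)\s*$")


def summarize(log_text):
    """Group ns_resp/ns_forw complaints by queried name.

    Returns {name: {"servers": NS addresses named in the entries,
                    "all_lame": True if named found every NS lame}}.
    """
    report = defaultdict(lambda: {"servers": set(), "all_lame": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ns_resp/ns_forw entry; ignore it
        entry = report[m.group("name").lower().rstrip(".")]
        msg = m.group("msg")
        srv = SERVER_RE.search(msg)
        if srv:  # entry names the server whose answer was unusable
            entry["servers"].add(srv.group("ip"))
        if msg.startswith("All possible") and msg.endswith("lame"):
            entry["all_lame"] = True
    return dict(report)


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        state = "every NS lame" if info["all_lame"] else "some NS unusable"
        print(f"{name}: {state}; servers named: {sorted(info['servers'])}")
```
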