There is a windows box configured to use your domain name
        and it is trying to lookup/update the active directory
        configuration.

        Send a "Cease and Desist" letter stating that you are the
        registered owner of the domain name in question and they
        should cease using it.

        Mark

In message <[EMAIL PROTECTED]>, Keve Nagy writes:
> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
> 
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
> 
> Please note that the only thing I changed here is the domain name. I did 
> not capitalize it, the original domain name also got logged this way. 
> And yes, the original hostname queried was "server", I did not change 
> that either. These are repeatedly coming from the same source IP 
> address, once in every 10-70 minutes.
> We have never had a host named "server". So why would an external 
> machine keep asking for a hostname we never had? Especially with such an 
> obvious name! Also, why is the domain part capitalized for these 
> queries, and not in any proper/legitimate query? I assume this is what 
> the query was for. The original request must have been for 
> server.EXAMPLE.COM, having the domain part this way capitalized in the 
> query itself.
> So why would a remote system look for a never existed host named 
> "server" in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
> 
> 
> 
> *Oddity_type#2*
> 
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsucces
> sful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' 
> prerequisite not satisfied (NXRRSET)
> 
> Again note, that I only changed the name of the domain and I did not 
> alter the capitalization or the hostname. These are from another source 
> IP address, but always the same one. For some reason, also looking for 
> the host named "server". And a few minutes later, it seems to try to 
> update the domain database.
> By the way, no host is allowed to update our DNS records. The zone files 
> are updated by hand only. And this has always been the case, no exceptions.
> 
> 
> 
> *Oddity_type#3*
> 
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA
> -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA
> -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve.
> _sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aee
> fb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdc
> s.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
> 
> Look at these add hostnames which are queried for!
> These are all systematically returning queries. And these come from 
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may 
> be doing this? Are these strange hostname queries part of some standard 
> way identifying services and I just don't happen to know about this 
> standard?
> 
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
> 
> -- 
> if you need to reply directly:
> keve(at)mail(dot)poliod(dot)hu
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to