There is a Windows box configured to use your domain name and it is trying to lookup/update the Active Directory configuration.

Send a "Cease and Desist" letter stating that you are the registered owner of the domain name in question and they should cease using it.

Mark

In message <[EMAIL PROTECTED]>, Keve Nagy writes:
> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
>
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
>
> Please note that the only thing I changed here is the domain name. I did not capitalize it, the original domain name also got logged this way. And yes, the original hostname queried was "server", I did not change that either. These are repeatedly coming from the same source IP address, once in every 10-70 minutes.
> We have never had a host named "server". So why would an external machine keep asking for a hostname we never had? Especially with such an obvious name! Also, why is the domain part capitalized for these queries, and not in any proper/legitimate query? I assume this is what the query was for. The original request must have been for server.EXAMPLE.COM, having the domain part this way capitalized in the query itself.
> So why would a remote system look for a never existed host named "server" in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
>
>
> *Oddity_type#2*
>
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> Again note, that I only changed the name of the domain and I did not alter the capitalization or the hostname. These are from another source IP address, but always the same one. For some reason, also looking for the host named "server". And a few minutes later, it seems to try to update the domain database.
> By the way, no host is allowed to update our DNS records. The zone files are updated by hand only. And this has always been the case, no exceptions.
>
>
> *Oddity_type#3*
>
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
>
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may be doing this? Are these strange hostname queries part of some standard way of identifying services and I just don't happen to know about this standard?
>
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
>
> --
> if you need to reply directly:
> keve(at)mail(dot)poliod(dot)hu
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [EMAIL PROTECTED]
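A way to triage log lines like the ones quoted above, added here as an example that is not part of the original thread: it classifies BIND query-log lines per source address into Active Directory DC-locator lookups (_msdcs, _ldap._tcp, _kerberos, _kpasswd, _gc), SOA probes for a plain host name, and failed dynamic-update attempts, so addresses of misconfigured domain members stand out. The sample lines, the client addresses and the exact `client IP#port: view NAME: ...` log layout are constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of BIND 9 query/update logging (assumption, not
# from the original thread); client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
client 192.0.2.10#49152: view external-in: query: server.EXAMPLE.COM IN SOA -E
client 192.0.2.10#49153: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
client 192.0.2.10#49154: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
client 192.0.2.11#40001: view external-in: query: server.EXAMPLE.COM IN SOA +
client 192.0.2.11#40001: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
client 198.51.100.5#5353: view external-in: query: www.example.com IN A -E
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-f.:]+)#\d+: view \S+: query: (?P<name>\S+) IN (?P<type>\S+)")
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-f.:]+)#\d+: view \S+: updating zone '[^']+': update unsuccessful")
# Labels Windows Active Directory clients look up when locating domain controllers.
AD_LOCATOR_RE = re.compile(
    r"(^|\.)(_msdcs|_ldap\._tcp|_kerberos\._(tcp|udp)|_kpasswd\._(tcp|udp)|_gc\._tcp)\.", re.I)

def classify(line):
    """Return (client_ip, category) for one log line, or None if it is neither query nor update."""
    m = UPDATE_RE.search(line)
    if m:
        return m.group("ip"), "update_attempt"
    m = QUERY_RE.search(line)
    if not m:
        return None
    name, qtype = m.group("name"), m.group("type").upper()
    if AD_LOCATOR_RE.search(name):
        return m.group("ip"), "ad_locator"
    # An SOA query for a plain host name is how a dynamic-update client locates the
    # zone's primary server before sending its UPDATE (RFC 2136 behaviour).
    if qtype == "SOA":
        return m.group("ip"), "soa_probe"
    return m.group("ip"), "other"

def summarize(log):
    """Count categories per client and flag clients that behave like stray AD members."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]][hit[1]] += 1
    report = {}
    for ip, c in counts.items():
        likely = c.get("ad_locator", 0) > 0 or (c.get("soa_probe", 0) > 0 and c.get("update_attempt", 0) > 0)
        report[ip] = {"counts": dict(c), "likely_ad_client": likely}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real query log, the per-address report tells you which clients to contact (or filter) rather than just that the oddities exist.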