Looks to me like someone took their laptop home that is configured for your active directory domain and the laptop is trying to call home. I use to see that all the time. I'm guessing that your AD domain and the domain that they are querying are the same?
On Fri, Dec 5, 2008 at 1:17 PM, Keve Nagy <[EMAIL PROTECTED]> wrote: > Hi Everyone, > I see some oddities frequently showing up in our BIND logfiles. > This is on the official primary NS for our domain. > > *Oddity_type#1* > ... view external-in: query: server.EXAMPLE.COM IN SOA -E > > Please note that the only thing I changed here is the domain name. I did > not capitalize it, the original domain name also got logged this way. And > yes, the original hostname queried was "server", I did not change that > either. These are repeatedly coming from the same source IP address, once in > every 10-70 minutes. > We have never had a host named "server". So why would an external machine > keep asking for a hostname we never had? Especially with such an obvious > name! Also, why is the domain part capitalized for these queries, and not in > any proper/legitimate query? I assume this is what the query was for. The > original request must have been for server.EXAMPLE.COM, having the domain > part this way capitalized in the query itself. > So why would a remote system look for a never existed host named "server" > in our system, with the domain name capitalized? > Any legitimate reason you could think of? > > > > *Oddity_type#2* > > ... view external-in: query: server.EXAMPLE.COM IN SOA + > ... view external-in: updating zone 'example.com/IN': update unsucces > sful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite > not satisfied (NXRRSET) > > Again note, that I only changed the name of the domain and I did not alter > the capitalization or the hostname. These are from another source IP > address, but always the same one. For some reason, also looking for the host > named "server". And a few minutes later, it seems to try to update the > domain database. > By the way, no host is allowed to update our DNS records. The zone files > are updated by hand only. And this has always been the case, no exceptions. > > > > *Oddity_type#3* > > ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E > ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA > -E > ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA > -E > ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E > ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E > ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve. > _sites.dc._msdcs.EXAMPLE.COM IN SOA -E > ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aee > fb77f.domains._msdcs.EXAMPLE.COM IN SOA -E > ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdc > s.EXAMPLE.COM IN SOA -E > ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E > ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E > > Look at these add hostnames which are queried for! > These are all systematically returning queries. And these come from > multiple source IP addresses. > Are these queries legitimate? I mean, do you know of any system that may be > doing this? Are these strange hostname queries part of some standard way > identifying services and I just don't happen to know about this standard? > > I would very much appreciate some feedback on these. > Best regards, > Keve Nagy * Debrecen * Hungary > > -- > if you need to reply directly: > keve(at)mail(dot)poliod(dot)hu > _______________________________________________ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Google for President YouTube for VP in any year divisible by 4
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users