Hello,

A few weeks ago I sent an email to this group enquiring about "approved AXFR". I received a couple of replies which basically told me not to worry. However, I have again received a report from Logcheck (see below). Interestingly, I received a similar report for my only other dot ie (Ireland) domain 2 hours later. Nothing like this for any of my dot com domains. I sent the Irish Registry an email - please see their reply below. I would be grateful if anybody could shed some extra light on this.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720

Declan,

Your log messages mean that someone, likely in the Bombay area of India, has helped himself to a copy of the zone file for each of these domains.

Many domain administrators block zone transfer except from slave servers and from servers belonging to recognized statistical projects. I expect you can do this with a simple directive in your name server configuration. This is certainly the case for BIND.

If you are inclined to view this access as abuse, the following information from the APNIC whois server will probably be of use. APNIC administer the allocation of IP addresses in the Asia-Pacific region, just as the RIPE-NCC does in the extended European region. You will see that the address mentioned in your logs belongs to the range shown below.

[whois.apnic.net]
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois6.apnic.net)

inetnum:     202.54.50.0 - 202.54.50.255
netname:     VSNL-NAGPUR
descr:       Nagpur Internet Node
country:     IN
admin-c:     NS1-IN
tech-c:      NS1-IN
mnt-by:      VSNL-MAINT
changed:     [EMAIL PROTECTED] 971219
source:      APNIC

person:      NEERAJ SONKER
address:     VIDESH SANCHAR NIGAM LTD.
address:     VIDESH SANCHAR BHAWAN, M.G.ROAD, FORT, BOMBAY 400 001
phone:       +91 22 2624020 ext 2167
fax-no:      +91 22 2624070
e-mail:      [EMAIL PROTECTED]
nic-hdl:     NS1-IN
notify:      [EMAIL PROTECTED]
changed:     [EMAIL PROTECTED] 951117
source:      APNIC

One recognized statistical project for which I would recommend you allow zone transfer is the RIPE hostcount, a monthly count of all the systems on the Internet in the RIPE area. For this purpose, ie-collector.hostcount.ripe.net (193.1.193.194) will need access to your zone file.

I notice that your two servers for gregans.ie appear to be on the same IP subnet:

ns2.achieve-it.com.   0S IN A   212.67.197.39
ns.achieve-it.com.    0S IN A   212.67.197.38

This arrangement means that the domain has a single point of failure in the network equipment which connects this network. You may wish to review your placement of the DNS servers.

Copying of the zone file has no direct bearing on mail system performance.

At 14:15 +0000 27-01-2002, Achieve Website Design wrote:
>Hello,
>I have a Colocated Raq4 server, located in the UK, from which I host approx.
>50 sites. Two of these sites, have dot ie extensions, gregans.ie &
>flowersbylucy.ie . My server sends me log reports every hour, and I have
>just noticed the report below. I have nothing to do with the address
>202.54.50.211. I also got this report in a later report, reporting the same
>for flowersbylucy.ie. This happened before, a few weeks ago, but I didn't
>take too much notice as everything else seemed to be O.K. I have never
>received such a report for any of the dot com/net domains which I have
>hosted on my server.
>
>However, last week, email which I was sending to gregans.ie was
>disappearing and as such I am wondering if the report below, could be the
>problem.
>
>Unusual System Events
>=-=-=-=-=-=-=-=-=-=-=
>Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for
>"gregans.ie"
>Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to
>[202.54.50.211].3720
>
>Regards,
>Declan Connolly.
>
>Achieve Website Design
>Cartron Road
>Kinvara
>Co. Galway.
>tel. 091 637500

--
Best regards,

Niall O'Reilly                              PSTN: +353 (0)1 230 0797
Technical Manager, IE Domain Registry Ltd   GSM:  +353 (0)87 221 0237

The IE Domain Registry wishes you a happy and successful year in 2002.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
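
An added example, not part of the thread or of anyone's code in it: a small Python check that reads named log lines in the format quoted above and reports approved transfers to hosts outside an allowlist. The allowlist is an assumption built from the two addresses named in the registry's reply (ns2.achieve-it.com and the RIPE hostcount collector); two of the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption: the hosts allowed to pull zones. Both addresses appear in the
# thread: ns2.achieve-it.com (the second name server) and the RIPE hostcount
# collector that the registry recommends admitting.
ALLOWED = [ipaddress.ip_network(n) for n in ("212.67.197.39/32", "193.1.193.194/32")]

# Matches the named log line quoted in the thread:
#   named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"
AXFR_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\snamed\[\d+\]:\s'
    r'approved AXFR from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"'
)

def unexpected_transfers(lines, allowed=ALLOWED):
    """Return (timestamp, zone, client) for each approved AXFR to a host not in `allowed`."""
    hits = []
    for line in lines:
        m = AXFR_RE.match(line.strip())
        if not m:
            continue  # the companion "zone transfer (AXFR) of ..." line is skipped
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field; not a line we can judge
        if not any(client in net for net in allowed):
            hits.append((m["ts"], m["zone"].lower().rstrip("."), str(client)))
    return hits

# Sample input: the first two lines are from the thread; the last two are
# constructed for this example (a transfer to the secondary, a second zone).
SAMPLE_LOG = [
    'Jan 26 19:19:23 ns named[420]: approved AXFR from [202.54.50.211].3720 for "gregans.ie"',
    'Jan 26 19:19:23 ns named[420]: zone transfer (AXFR) of "gregans.ie" (IN) to [202.54.50.211].3720',
    'Jan 26 20:02:10 ns named[420]: approved AXFR from [212.67.197.39].1045 for "gregans.ie"',
    'Jan 26 21:19:41 ns named[420]: approved AXFR from [202.54.50.211].3911 for "flowersbylucy.ie"',
]

if __name__ == "__main__":
    for ts, zone, client in unexpected_transfers(SAMPLE_LOG):
        print(f"{ts}  {zone}  transferred to unlisted host {client}")
```

The same allowlist is what would go into the name server's own transfer restriction, so that the log check and the server configuration agree.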
