On Mon, 28 Jan 2002, Kevin Darcy wrote:

> Randy Bush wrote:
>
> > so why are all these spurious updates in my logs?  many hundreds a day.
> >
> > 28-Jan-2002 17:41:57.765 security: error: client 63.196.106.137#27584: update 'psg.com/IN' denied

> Windows 2000. Don't ask me where they get the domain names from;
> sometimes I think they just make them up at random. I get update
> attempts for domains we haven't used in years. Reverse domains too.

Windows 2000 and (recent) friends will attempt to perform a dynamic update
for both the domain _that the local administrator has configured_ and also
for _the IP address that it has been assigned_.

In Randy's case, it's one of:

        *) lots of people like 'psg.com' (hence, lots of attempted updates).
or
        *) Their default search is '.com', and lots of people like 'psg'.
           ( Haven't seen this myself )
or
        *) The logs are incorrect in recording an update attempt for
           'psg.com' and are actually recording an update attempt sent
           to a psg.com machine as it is a listed nameserver for a domain
           that the local administrator has configured.  ( Actually they
           try to contact the machine in the MNAME field of the SOA record )
or
        *) Something flakey (where they start off by trying to update a
           domain that something.psg.com is a listed secondary for, but
           end up attempting to update the 'psg.com' itself).

Note that Microsoft has some conditionals in the code to prevent them from
attempting to send dynamic updates to 'known' root servers.


-- 
                             Bruce Campbell                            RIPE
                   Systems/Network Engineer                             NCC
                 www.ripe.net - PGP562C8B1B                      Operations
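
To help narrow down which of the cases listed above applies on a given server, the denied-update lines can be tallied per zone and per client, separating forward from reverse zones. This is an added example, not part of the original message; it assumes the log line format quoted above, and every sample line except the first is constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the "update '<zone>/<class>' denied" line format quoted in the thread.
DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^'/]+)/(?P<cls>\w+)' denied"
)

# First line is the one quoted in the thread; the others are constructed,
# using documentation address ranges.
SAMPLE_LOG = """\
28-Jan-2002 17:41:57.765 security: error: client 63.196.106.137#27584: update 'psg.com/IN' denied
28-Jan-2002 17:42:03.101 security: error: client 192.0.2.10#1045: update 'psg.com/IN' denied
28-Jan-2002 17:42:09.412 security: error: client 192.0.2.10#1046: update 'psg.com/IN' denied
28-Jan-2002 17:43:11.900 security: error: client 198.51.100.7#3321: update '2.0.192.in-addr.arpa/IN' denied
28-Jan-2002 17:44:00.000 general: info: zone psg.com/IN: loaded serial 2002012801
"""

def summarize_denied_updates(lines):
    """Return (denials per zone, per-zone Counter of client IPs)."""
    per_zone = Counter()
    clients = defaultdict(Counter)
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a denied dynamic update
        zone = m["zone"].lower().rstrip(".")
        per_zone[zone] += 1
        clients[zone][m["ip"]] += 1
    return per_zone, clients

def is_reverse(zone):
    """True for reverse-mapping zones (updates for an assigned IP address)."""
    return zone.endswith((".in-addr.arpa", ".ip6.arpa"))

if __name__ == "__main__":
    per_zone, clients = summarize_denied_updates(SAMPLE_LOG.splitlines())
    for zone, n in per_zone.most_common():
        kind = "reverse" if is_reverse(zone) else "forward"
        print(f"{zone} ({kind}): {n} denied from {len(clients[zone])} clients")
        for ip, count in clients[zone].most_common(3):
            print(f"    {ip}: {count}")
```

Many distinct clients hitting one forward zone points at the first cases in the list; the tally cannot by itself tell a mis-recorded zone name from a real one.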
