Hi everyone:

Got a call from another sysadmin this morning.  He said that our DNS server
(NT4/SP6a/MS-DNS) was flooding his DNS server (Ultrix?/BIND 8) with queries.
He produced this snippet of his log file as proof:

---
Mar 15 12:03:15 surfdns1 named[1817]: host name
"210\.212\.235\.95.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:20 surfdns1 named[1817]: host name
"210\.212\.235\.96.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:23 surfdns1 named[1817]: host name
"207\.211\.73\.225.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:29 surfdns1 named[1817]: host name
"210\.212\.235\.97.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:29 surfdns1 named[1817]: host name
"207\.211\.73\.226.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:36 surfdns1 named[1817]: host name
"207\.211\.73\.227.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
Mar 15 12:03:38 surfdns1 named[1817]: host name
"210\.212\.235\.98.hhss.edu.gd" IN (response from [205.214.207.99]) is
invalid - proceeding anyway
---

Any ideas on what's going on here? Our DNS server (205.214.207.99) hosts the
"edu.gd" domain, and "hhss.edu.gd" is a FQDN for one of the servers in that
domain.

The incrementing IP numbers (e.g. 210.212.235.96...98) in the log entries
make me suspicious that it might be a security issue, hence my cross-posting
to the firewalls and NT sysadmins lists.


Regards,
Brian Steele
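
Added example, not part of the original post: a short Python parser for the named entries quoted above. It pulls the escaped dotted-quad label out of each rejected host name and reports runs of consecutive addresses per parent name and responding server, which is the pattern the post points to. The function names and the `min_len` threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# The seven entries from the post's log excerpt, each re-joined onto one line.
SAMPLE_LOG = r'''
Mar 15 12:03:15 surfdns1 named[1817]: host name "210\.212\.235\.95.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:20 surfdns1 named[1817]: host name "210\.212\.235\.96.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:23 surfdns1 named[1817]: host name "207\.211\.73\.225.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:29 surfdns1 named[1817]: host name "210\.212\.235\.97.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:29 surfdns1 named[1817]: host name "207\.211\.73\.226.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:36 surfdns1 named[1817]: host name "207\.211\.73\.227.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
Mar 15 12:03:38 surfdns1 named[1817]: host name "210\.212\.235\.98.hhss.edu.gd" IN (response from [205.214.207.99]) is invalid - proceeding anyway
'''

# \s+ between tokens, so entries wrapped by a mail client still match.
ENTRY = re.compile(
    r'named\[\d+\]:\s+host\s+name\s+"((?:\d{1,3}\\\.){3}\d{1,3})\.([^"\s]+)"'
    r'\s+IN\s+\(response\s+from\s+\[([\d.]+)\]\)\s+is\s+invalid')

def parse_entries(text):
    """Return (embedded_ip, parent_name, responder) for each matching entry."""
    out = []
    for label, parent, responder in ENTRY.findall(text):
        try:  # "\." is an escaped dot: the dotted quad is ONE label under parent
            out.append((IPv4Address(label.replace("\\.", ".")), parent, responder))
        except ValueError:
            pass  # four numbers, but not a valid IPv4 address
    return out

def sequential_runs(entries, min_len=3):
    """Group by (parent, responder) and report runs of consecutive addresses."""
    groups = defaultdict(set)
    for ip, parent, responder in entries:
        groups[(parent, responder)].add(int(ip))
    runs = []
    for parent, responder in sorted(groups):
        ordered = sorted(groups[(parent, responder)])
        start = prev = ordered[0]
        for cur in ordered[1:] + [None]:  # trailing None flushes the last run
            if cur != prev + 1:
                if prev - start + 1 >= min_len:
                    runs.append((parent, responder, str(IPv4Address(start)),
                                 str(IPv4Address(prev)), prev - start + 1))
                start = cur
            prev = cur
    return runs

if __name__ == "__main__":
    print(sequential_runs(parse_entries(SAMPLE_LOG)))
```

On the excerpt this yields two interleaved runs under hhss.edu.gd, both in responses from 205.214.207.99: 207.211.73.225 through .227 and 210.212.235.95 through .98.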
