Re: Oddities in my named.log. Can you explain?

2008-12-06 Thread Keve Nagy

Michael Milligan wrote:

[Note: this is really off-topic for bind-users...]


How a Microsoft Active Directory controller works and what it does is 
indeed off-topic in this news group. Your nudging is noted.
In my defense however, I couldn't have known this without the answer,
having only a "strongly BIND related" question. :-)


Now that I learnt that this is related to a Win2000 and Win2003 
behaviour I agree, its further discussion doesn't belong here.

I am moving the topic to a more appropriate news group.


The first default site name was renamed to
Alapertelmezett-elso-hely-neve, this should give you a clue for tracking
this down.


Not really.
"Alapertelmezett-elso-hely-neve" translates directly to 
"Default-first-place-name". So I believe the remote host is just using a 
localized language version of a windows server. :-)


Thanks for the pointers!
Your help is very much appreciated.

Regards,
Keve

--
if you need to reply directly:
keve(at)mail(dot)poliod(dot)hu
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Michael Milligan
[Note: this is really off-topic for bind-users...]

Somebody stood up a Windows 2003 (or earlier) Active Directory domain
controller, probably outside of your firewall since it's matching on
your external view, gave it a system name of "server" and created a new
Active Directory domain called "EXAMPLE.COM".  This (new) server is just
trying to establish all the right bits in what it thinks is its
rightful DNS home.

The first default site name was renamed to
Alapertelmezett-elso-hely-neve, this should give you a clue for tracking
this down.

Regards,
Mike

Keve Nagy wrote:
> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
> 
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
> 
> Please note that the only thing I changed here is the domain name. I did
> not capitalize it, the original domain name also got logged this way.
> And yes, the original hostname queried was "server", I did not change
> that either. These are repeatedly coming from the same source IP
> address, once in every 10-70 minutes.
> We have never had a host named "server". So why would an external
> machine keep asking for a hostname we never had? Especially with such an
> obvious name! Also, why is the domain part capitalized for these
> queries, and not in any proper/legitimate query? I assume this is what
> the query was for. The original request must have been for
> server.EXAMPLE.COM, having the domain part this way capitalized in the
> query itself.
> So why would a remote system look for a never existed host named
> "server" in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
> 
> 
> 
> *Oddity_type#2*
> 
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 
> Again note, that I only changed the name of the domain and I did not
> alter the capitalization or the hostname. These are from another source
> IP address, but always the same one. For some reason, also looking for
> the host named "server". And a few minutes later, it seems to try to
> update the domain database.
> By the way, no host is allowed to update our DNS records. The zone files
> are updated by hand only. And this has always been the case, no exceptions.
> 
> 
> 
> *Oddity_type#3*
> 
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
> 
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may
> be doing this? Are these strange hostname queries part of some standard
> way identifying services and I just don't happen to know about this
> standard?
> 
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
> 

-- 
Michael Milligan   -> [EMAIL PROTECTED]
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Mark Andrews

There is a windows box configured to use your domain name
and it is trying to lookup/update the active directory
configuration.

Send a "Cease and Desist" letter stating that you are the
registered owner of the domain name in question and they
should cease using it.

Mark

In message <[EMAIL PROTECTED]>, Keve Nagy writes:
> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
> 
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
> 
> Please note that the only thing I changed here is the domain name. I did 
> not capitalize it, the original domain name also got logged this way. 
> And yes, the original hostname queried was "server", I did not change 
> that either. These are repeatedly coming from the same source IP 
> address, once in every 10-70 minutes.
> We have never had a host named "server". So why would an external 
> machine keep asking for a hostname we never had? Especially with such an 
> obvious name! Also, why is the domain part capitalized for these 
> queries, and not in any proper/legitimate query? I assume this is what 
> the query was for. The original request must have been for 
> server.EXAMPLE.COM, having the domain part this way capitalized in the 
> query itself.
> So why would a remote system look for a never existed host named 
> "server" in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
> 
> 
> 
> *Oddity_type#2*
> 
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 
> Again note, that I only changed the name of the domain and I did not 
> alter the capitalization or the hostname. These are from another source 
> IP address, but always the same one. For some reason, also looking for 
> the host named "server". And a few minutes later, it seems to try to 
> update the domain database.
> By the way, no host is allowed to update our DNS records. The zone files 
> are updated by hand only. And this has always been the case, no exceptions.
> 
> 
> 
> *Oddity_type#3*
> 
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
> 
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from 
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may 
> be doing this? Are these strange hostname queries part of some standard 
> way identifying services and I just don't happen to know about this 
> standard?
> 
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
> 
> -- 
> if you need to reply directly:
> keve(at)mail(dot)poliod(dot)hu
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Dawn Connelly
Looks to me like someone took their laptop home that is configured for your
active directory domain and the laptop is trying to call home. I used to see
that all the time. I'm guessing that your AD domain and the domain that they
are querying are the same?

On Fri, Dec 5, 2008 at 1:17 PM, Keve Nagy <[EMAIL PROTECTED]> wrote:

> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
>
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
>
> Please note that the only thing I changed here is the domain name. I did
> not capitalize it, the original domain name also got logged this way. And
> yes, the original hostname queried was "server", I did not change that
> either. These are repeatedly coming from the same source IP address, once in
> every 10-70 minutes.
> We have never had a host named "server". So why would an external machine
> keep asking for a hostname we never had? Especially with such an obvious
> name! Also, why is the domain part capitalized for these queries, and not in
> any proper/legitimate query? I assume this is what the query was for. The
> original request must have been for server.EXAMPLE.COM, having the domain
> part this way capitalized in the query itself.
> So why would a remote system look for a never existed host named "server"
> in our system, with the domain name capitalized?
> Any legitimate reason you could think of?
>
>
>
> *Oddity_type#2*
>
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>
> Again note, that I only changed the name of the domain and I did not alter
> the capitalization or the hostname. These are from another source IP
> address, but always the same one. For some reason, also looking for the host
> named "server". And a few minutes later, it seems to try to update the
> domain database.
> By the way, no host is allowed to update our DNS records. The zone files
> are updated by hand only. And this has always been the case, no exceptions.
>
>
>
> *Oddity_type#3*
>
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
>
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that may be
> doing this? Are these strange hostname queries part of some standard way
> identifying services and I just don't happen to know about this standard?
>
> I would very much appreciate some feedback on these.
> Best regards,
> Keve Nagy * Debrecen * Hungary
>
> --
> if you need to reply directly:
> keve(at)mail(dot)poliod(dot)hu
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>



-- 
Google for President
YouTube for VP
in any year divisible by 4
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Oddities in my named.log. Can you explain?

2008-12-05 Thread Kevin Darcy

Keve Nagy wrote:

> Hi Everyone,
> I see some oddities frequently showing up in our BIND logfiles.
> This is on the official primary NS for our domain.
> 
> *Oddity_type#1*
> ... view external-in: query: server.EXAMPLE.COM IN SOA -E
> 
> Please note that the only thing I changed here is the domain name. I
> did not capitalize it, the original domain name also got logged this
> way. And yes, the original hostname queried was "server", I did not
> change that either. These are repeatedly coming from the same source
> IP address, once in every 10-70 minutes.
> We have never had a host named "server". So why would an external
> machine keep asking for a hostname we never had? Especially with such
> an obvious name! Also, why is the domain part capitalized for these
> queries, and not in any proper/legitimate query? I assume this is what
> the query was for. The original request must have been for
> server.EXAMPLE.COM, having the domain part this way capitalized in the
> query itself.
> So why would a remote system look for a never existed host named
> "server" in our system, with the domain name capitalized?
> 
> Any legitimate reason you could think of?
They're looking up "server" and they have EXAMPLE.COM as their default 
domain or in their searchlist.


Why do they have their default domain or searchlist set to that? No 
idea. Ask them.




> *Oddity_type#2*
> 
> ... view external-in: query: server.EXAMPLE.COM IN SOA +
> ... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 
> Again note, that I only changed the name of the domain and I did not
> alter the capitalization or the hostname. These are from another
> source IP address, but always the same one. For some reason, also
> looking for the host named "server". And a few minutes later, it seems
> to try to update the domain database.
> By the way, no host is allowed to update our DNS records. The zone
> files are updated by hand only. And this has always been the case, no
> exceptions.
They have their default domain set to EXAMPLE.COM and they're trying to 
register their A records in DNS every time they get a new lease from DHCP.




> *Oddity_type#3*
> 
> ... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
> ... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E
> 
> Look at these odd hostnames which are queried for!
> These are all systematically returning queries. And these come from
> multiple source IP addresses.
> Are these queries legitimate? I mean, do you know of any system that
> may be doing this? Are these strange hostname queries part of some
> standard way identifying services and I just don't happen to know
> about this standard?
It's Active Directory. Those queries would be perfectly normal for an
Active Directory-enabled PC with EXAMPLE.COM set as the Active Directory
domain *if* the queries were of type SRV instead of SOA.


I, too, see a few SOA queries of AD-looking names, but the vast majority 
are SRV.


My only speculation would be that some routine within the Active 
Directory subsystem is trying to find the "closest-enclosing zone" (CEZ) 
of a particular name by issuing an SOA query. This makes 
CEZ-determination relatively easy, since you just look for an SOA in the 
response, in either the Answer Section (if the name happened to be the 
apex of the zone) *or* the Authority Section (if the apex is higher up 
in the hierarchy). If one uses a query type other than SOA for 
CEZ-determination, then you have to parse different kinds of responses, 
looking for different types of records, and the parsing is a little more 
complicated.


- Kevin

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
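The three "oddities" in this thread are the same thing seen from the log side: hosts whose Windows DNS suffix or AD domain is set to someone else's zone, looking for the DC registration tree and then trying to register themselves. The following is an added triage script, written for this page and not code from the bind-users list or from ISC. It parses BIND 9 query-log lines and named's dynamic-update rejection message, tags names that only an Active Directory domain controller registers (anything under `_msdcs`, a GUID label, and the `_ldap`/`_kerberos`/`_kpasswd`/`_gc` service locators directly under the domain), counts SOA queries for names below the apex as the registration probes Kevin describes, and groups the result per client address so each source can be contacted, as Mark suggests, or filtered. The log lines, client addresses and the zone name are constructed for the example; `triage`, `classify_name` and `suspects` are names I chose. One caveat when reading the "update unsuccessful ... prerequisite not satisfied (NXRRSET)" line: RFC 2136 checks the prerequisite section (3.2) before the requestor's permissions (3.3) and named keeps that order, so that message does not mean the client got past `allow-update`; with `allow-update { none; };` the update would have been refused anyway once the prerequisite held.

```python
"""Triage BIND query-log lines for Active Directory registration noise."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# BIND 9 query log: "client <ip>#<port>: view <view>: query: <qname> IN <qtype> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: view (?P<view>\S+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
# named's rejection of a dynamic update whose prerequisite section failed
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: view (?P<view>\S+): "
    r"updating zone '(?P<zone>[^']+)': update unsuccessful: "
    r"(?P<name>\S+)/(?P<rtype>\S+): '(?P<prereq>[^']+)' "
    r"prerequisite not satisfied \((?P<rcode>\w+)\)"
)
# A DC's own GUID and the domain GUID appear as labels under _msdcs
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Service locators a DC registers directly under the AD domain name
AD_SERVICE_LABELS = {"_ldap", "_kerberos", "_kpasswd", "_gc"}


def classify_name(name):
    """Tag a qname as DC registration tree, AD service locator, or other."""
    labels = name.rstrip(".").lower().split(".")
    if "_msdcs" in labels or any(GUID_RE.match(l) for l in labels):
        return "ad-dc-registration"
    if labels[0] in AD_SERVICE_LABELS:
        return "ad-service-locator"
    return "other"


@dataclass
class ClientSummary:
    ad_queries: int = 0
    soa_probes: int = 0        # SOA queries for names below the zone apex
    other_queries: int = 0
    update_attempts: int = 0
    names: set = field(default_factory=set)


def parse_line(line):
    """Return ("query", fields) or ("update", fields); None for other lines."""
    for kind, pattern in (("query", QUERY_RE), ("update", UPDATE_RE)):
        m = pattern.search(line)
        if m:
            return kind, m.groupdict()
    return None


def triage(log_text, zone, view="external-in"):
    """Summarise one view's log lines per client address.

    Names are lowercased before grouping: named logs the qname exactly as the
    client sent it, so an upper-case suffix is only the client's configured
    DNS suffix, not a different name.
    """
    apex = zone.rstrip(".").lower()
    per_client = defaultdict(ClientSummary)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1]["view"] != view:
            continue
        kind, rec = parsed
        s = per_client[rec["ip"]]
        name = rec["name"].rstrip(".").lower()
        s.names.add(name)
        if kind == "update":
            s.update_attempts += 1
        elif classify_name(name) != "other":
            s.ad_queries += 1
        elif rec["qtype"] == "SOA" and name.endswith("." + apex):
            s.soa_probes += 1   # the SOA-before-update pattern seen in the thread
        else:
            s.other_queries += 1
    return dict(per_client)


def suspects(per_client):
    """Clients behaving like a Windows host that treats our zone as its AD domain."""
    return sorted(ip for ip, s in per_client.items()
                  if s.ad_queries or s.soa_probes or s.update_attempts)


# Constructed sample shaped like the lines quoted in the thread (documentation addresses).
SAMPLE_LOG = """\
06-Dec-2008 09:01:12.001 client 192.0.2.10#1029: view external-in: query: server.EXAMPLE.COM IN SOA -E
06-Dec-2008 09:03:40.201 client 198.51.100.7#1042: view external-in: query: server.EXAMPLE.COM IN SOA +
06-Dec-2008 09:03:40.212 client 198.51.100.7#1043: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
06-Dec-2008 09:05:02.114 client 203.0.113.5#1031: view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
06-Dec-2008 09:05:02.120 client 203.0.113.5#1031: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
06-Dec-2008 09:05:02.131 client 203.0.113.5#1031: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
06-Dec-2008 09:05:02.140 client 203.0.113.5#1031: view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
06-Dec-2008 09:07:55.009 client 192.0.2.44#2210: view external-in: query: www.example.com IN A -E
06-Dec-2008 09:08:01.330 client 10.0.0.9#5353: view internal-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SRV +
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, zone="example.com")
    for ip in suspects(summary):
        s = summary[ip]
        print(f"{ip}: ad={s.ad_queries} soa_probes={s.soa_probes} "
              f"updates={s.update_attempts} names={sorted(s.names)}")
```

Run against the sample it reports three suspects: the host probing `server.EXAMPLE.COM` by SOA, the one that probed and then tried the update, and the domain controller walking the `_msdcs` tree; the ordinary `www` lookup and the internal-view line are left out. Feeding it a real `named.log` is a matter of replacing `SAMPLE_LOG` with the file contents and `zone` with your apex; the per-client name sets are what you would attach to the notice Mark recommends sending.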