Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Raul Dias
I don't think I have these info:

# rndc status
version: 9.9.5-9+deb8u8-Debian (DNS server)
CPUs found: 24
worker threads: 24
UDP listeners per interface: 24
number of zones: 111
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients:

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Reindl Harald
On 07.02.2017 at 23:52, Alberto Colosi wrote: The truth is to solve it not to ask what a hacker (maybe a child ran a tool found on internet as virus toolkits). the truth is to *find out* what happens and since it's more likely that some forgotten piece of cronscript lives somewhere

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
the stuff trying to replace it will error out in cronmails or syslog > > *From:* bind-users <bind-users-boun...@lists.isc.org> on behalf of Alan > Clegg <a...@clegg.com> > *Sent:* Tuesday, February 7,

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alan Clegg
On 2/7/17 4:31 PM, Alberto Colosi wrote: > lucky you say > > zombie host and hijacked resourced poisoned DNS are not an hack > > In years as Security Desk Seat I had at least one attack from zombie > hosts from a US University. Admins even not known was hacked. > > Target of hackers is not only

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
a zombie host is a valuable item for them. From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Alan Clegg <a...@clegg.com> Sent: Tuesday, February 7, 2017 10:48 PM To: bind-users@lists.isc.org Subject: Re: bind 9 goes rogue and

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Reindl Harald
lists.isc.org> on behalf of Alan Clegg <a...@clegg.com> *Sent:* Tuesday, February 7, 2017 10:48 PM *To:* bind-users@lists.isc.org *Subject:* Re: bind 9 goes rogue and revert zone information On 2/7/17 8:42 AM, Alberto Colosi wrote: IP ports not open does not mean is not hacked. a vulnerabili

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alan Clegg
On 2/7/17 8:42 AM, Alberto Colosi wrote: > IP ports not open does not mean is not hacked. > > a vulnerability can be used to make a change or an access Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Warren Kumari
can give a plus to find a solution (check all IP traffic out from TCP/UDP > 53) > > > If you have RNDC , change KEY or disable it > > > > > -- > *From:* Raul Dias <r...@dias.com.br> <r...@dias.com.br> > *Sent:* Tuesday, February

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Barry Margolin
In article , Raul Dias wrote: > I have a very strange behavior that I am failing to understand. > > 2 to 5 times a week, a named server reverts back to a previous version of > a master zone. > This happens during the

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Raul Dias
have RNDC , change KEY or disable it *From:* Raul Dias <r...@dias.com.br> *Sent:* Tuesday, February 7, 2017 3:34 PM *To:* Alberto Colosi; bind-users@lists.isc.org *Subject:* Re: bind 9 goes rogue and revert zone infor

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Raul Dias
Hi Mukund, On 07/02/2017 12:42, Mukund Sivaraman wrote: Hi Raul When you say "When it reverts its zone information", how are you observing it? Are you reading the master file from disk to check what's in it, or are you doing a dig for the SOA record to check the serial? By this, I'm asking if

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Mukund Sivaraman
Hi Raul On Tue, Feb 07, 2017 at 12:03:40PM -0200, Raul Dias wrote: > Hello, > > I have a very strange behavior that I am failing to understand. > > 2 to 5 times a week, a named server reverts back to a previous version of a > master zone. > This happens during the night, usually around 20h EST.

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Warren Kumari
On Tue, Feb 7, 2017 at 9:34 AM, Raul Dias wrote: > Sorry, > Static files. > It is the master server. > No dynamic updates. > Host under lxc with only bind ports open. > If it is the master, and there are no automatic updates, I strongly suspect: 1: there is a cron job (or

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
or disable it From: Raul Dias <r...@dias.com.br> Sent: Tuesday, February 7, 2017 3:34 PM To: Alberto Colosi; bind-users@lists.isc.org Subject: Re: bind 9 goes rogue and revert zone information Sorry, Static files. It is the master server. No dynamic updates

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Raul Dias
Sorry, Static files. It is the master server. No dynamic updates. Host under lxc with only bind ports open. On Tue, Feb 7, 2017, 12:27 Alberto Colosi wrote: > hi is unclear named structure if is a slave a master if dynamic updates > are enabled and if the unix box has been

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
hi is unclear named structure if is a slave a master if dynamic updates are enabled and if the unix box has been hacked as last , zones are static files on fs ? From: bind-users on behalf of Raul Dias Sent: