
Re: [cobalt-security] named "denied update" error



Hi Peter --

Thanks so much for your help.

How were you able to deduce the information you
provide below?

This situation is rather mysterious.
I don't have any DNS relationship (nor anything else)
with 157.238.135.154 -- I'd never seen this IP address
before these messages started appearing in my log.
I have no idea whose machine this is nor why it's
attempting a zone transfer.

The last time my DNS server was modified was months
ago;  nothing has changed recently at keller.com.
My nameserver is ns.keller.com not ns2.
I wonder how you were able to obtain that name.

The messages about 157.238.135.154 are appearing in
my log at two or three minute intervals.

I haven't seen this happen before.
Could it be some sort of attack?

Thanks again,
Dan Keller
dan@xxxxxxxxxx
http://www.keller.com/

At 07:44 PM 5/4/01 +0200, you wrote:
>Did you change your dns servers of keller.com?
>It looks like a nameserver that's configured as a master nameserver for keller.com, and is telling your server that there were changes made in the zone file.
>So if it was configured right, your ns would transfer the domain from 157.238.135.154.
>Looks like 157.238.135.154 has your zone in his dns, and looks like your box is configured as ns2 in that zone file.
>
>At 09:24 4-5-2001 -0700, you wrote:
>>Hello Cobalt Security Gurus --
>>
>>I'm getting this error message in my log
>>several hundred times a day:
>>
>>May 3 19:31:17 www named[671]: denied update from [157.238.135.154].9594 for "KELLER.COM"
>>
>>Of course the timestamp changes, and so does the PID
>>(I assume that 9594 is a PID) but the rest of the message
>>is the same...  dozens every hour.
>>
>>KELLER.COM is my domain and I run the primary
>>name server for it.
>>
>>I'm guessing that an attempt to do a DNS zone transfer
>>is failing... but that's just a guess.
>>
>>I can't find who owns 157.238.135.154 -- nslookup and dig
>>yield nothing.
>>
>>Is it my named that's trying to reach 157.238.135.154 or is
>>it 157.238.135.154's named that's trying to reach mine?
>>
>>Can anyone help me decipher this message?
>>
>>And once I know what the problem is, what do I do about it?
>>
>>Thank you in advance!
>>
>>Dan Keller
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security
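
A small summarizer for the log message discussed in this thread, added here as an example and not part of the original posts: it groups named's "denied update" lines by source address and zone and reports how often they arrive. The regex, the default year (syslog timestamps carry none) and every sample line except the first are assumptions; the number after the bracketed address is parsed as the sender's source port.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the first line is the one quoted in the thread,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
May 3 19:31:17 www named[671]: denied update from [157.238.135.154].9594 for "KELLER.COM"
May 3 19:33:41 www named[671]: denied update from [157.238.135.154].9611 for "KELLER.COM"
May 3 19:36:02 www named[671]: denied update from [157.238.135.154].9630 for "KELLER.COM"
May 3 19:40:00 www named[671]: approved AXFR from [192.0.2.7].1030 for "keller.com"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+named\[(?P<pid>\d+)\]:\s+'
    r'denied update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"')

def parse_denied_updates(text, year=2001):
    """Yield one dict per 'denied update' line; other named messages are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"time": ts, "pid": int(m["pid"]), "src": m["src"],
               "port": int(m["port"]), "zone": m["zone"].lower()}

def summarize(text, year=2001):
    """Group refusals by (source, zone): count, first/last seen, median gap in seconds."""
    groups = defaultdict(list)
    for ev in parse_denied_updates(text, year):
        groups[(ev["src"], ev["zone"])].append(ev["time"])
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"count": len(times), "first": times[0], "last": times[-1],
                       "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for (src, zone), r in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {zone}: {r['count']} refusals, median gap {r['median_gap_s']}s")
```

A steady median gap from a single source, as in the sample, points to an automated sender retrying on a timer rather than someone probing by hand.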