Security Incidents mailing list archives
Re: ?
From: rquinn () SEC SPRINT NET (Rob Quinn)
Date: Fri, 4 Feb 2000 08:26:45 -0500
What could cause this in my logs: Feb 3 00:38:47 main named[25851]: ns_forw: query(ITPROTECT.DE) Bogus LOOPBACK A RR (ns.datakontor.de:127.0.0.1)
Your machine was trying to find the NS server for itprotect.de, and one of the answers was `ns.datakontor.de', but the address for that host came back as 127.0.0.1. The problem seems to go away as you dig closer to the destination. I suspect someone changed their NS records in their domain but didn't tell their parent domain to change their delegations. As long as there are other NS records that are okay, you shouldn't have a problem. And in this case, since there are, I wouldn't assume it was a malicious attempt to subvert/disable a site. I emailed the contact addresses in the SOA records I found. -- | Opinions are _mine_, facts Rob Quinn | | are facts. (703)689-6582 | | rquinn () sec sprint net | | Sprint Corporate Security |