Security Incidents mailing list archives

Re: ?

From: rquinn () SEC SPRINT NET (Rob Quinn)
Date: Fri, 4 Feb 2000 08:26:45 -0500

What could cause this in my logs:
Feb  3 00:38:47 main named[25851]: ns_forw: query(ITPROTECT.DE) Bogus
LOOPBACK A RR (ns.datakontor.de:127.0.0.1)


 Your machine was trying to find the NS server for itprotect.de, and one of the
answers was `ns.datakontor.de', but the address for that host came back as
127.0.0.1. The problem seems to go away as you dig closer to the destination. I
suspect someone changed their NS records in their domain but didn't tell their
parent domain to change their delegations. As long as there are other NS
records that are okay, you shouldn't have a problem. And in this case, since
there are, I wouldn't assume it was a malicious attempt to subvert/disable a
site.
 I emailed the contact addresses in the SOA records I found.

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                    rquinn () sec sprint net |
|                                                Sprint Corporate Security |

Current thread:

? C. (Feb 03)
- Re: ? Rob Quinn (Feb 04)
- <Possible follow-ups>
- Re: ? Drissel, James W. (Feb 03)
- Re: ? Jon Burdge (Feb 07)