Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: rquinn () SEC SPRINT NET (Rob Quinn)
Date: Mon, 31 Jan 2000 12:06:11 -0500


Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for  myzone.com
Jan 28 05:57:09 ns last message repeated 2 times

 Windows2000 does this.

Looks like someone tried to spoof DNS update queries to `update' zonefiles of
my nameserver.

 If one of your internal users goes home and dials up, he'll start sending
these to your external DNS server.

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                    rquinn () sec sprint net |
|                                                Sprint Corporate Security |
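An added example, not part of the original message: one way to triage the named log lines quoted above is to total rejected dynamic updates per source address and zone, folding in syslog's "last message repeated" lines. The sample log is constructed (its first two lines are the ones quoted in the message), and the function name and regexes are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are those quoted in the message,
# the remaining lines are invented for illustration.
SAMPLE_LOG = """\
Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for  myzone.com
Jan 28 05:57:09 ns last message repeated 2 times
Jan 28 06:10:02 ns named[14783]: unapproved update from [192.168.0.9].1031 for myzone.com
Jan 28 06:10:40 ns sshd[211]: Connection closed by 10.0.0.5
Jan 28 06:10:41 ns last message repeated 3 times
"""

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<msg>.*)$")
UPDATE_RE = re.compile(
    r"^named\[\d+\]:\s+unapproved update from "
    r"\[(?P<src>[^\]]+)\]\.(?P<port>\d+)\s+for\s+(?P<zone>\S+)"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")


def count_unapproved_updates(log_text):
    """Return a Counter keyed by (source address, zone) of rejected updates."""
    counts = Counter()
    last = {}  # logging host -> key of its previous message, or None if unrelated
    for line in log_text.splitlines():
        rec = SYSLOG_RE.match(line)
        if not rec:
            continue
        host, msg = rec["host"], rec["msg"].strip()
        rep = REPEAT_RE.match(msg)
        if rep:
            # A repeat line only counts when the message it repeats was a
            # rejected update from the same logging host.
            key = last.get(host)
            if key is not None:
                counts[key] += int(rep["n"])
            continue
        upd = UPDATE_RE.match(msg)
        if upd:
            key = (upd["src"], upd["zone"].rstrip("."))
            counts[key] += 1
            last[host] = key
        else:
            last[host] = None
    return counts


if __name__ == "__main__":
    for (src, zone), n in count_unapproved_updates(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:15s}  {zone}")
```

A steady trickle of rejections from many RFC 1918 or dial-up client addresses fits the Windows 2000 behaviour described in the message.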


