Security Incidents mailing list archives

Re: repeated zone transfer denied


From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 9 Oct 2001 00:37:06 -0700 (PDT)

On Mon, 8 Oct 2001, Ray wrote:

I have got the following message in the syslog file every 20 minutes for many
consecutive days. It appears to come from the same IP.  Does anybody have an
idea what he intends to do?


Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383:
zone transfer denied
<repeated 4 times>

Could be this (pain in the #^$$), courtesy of Microsoft's default
configuration of Win2K and its failure to stop trying after, oh
say, the first 100 failures!

This is part of the boilerplate I occasionally send out to dozens
of network contacts/admins...


   =====================================================================
    This is a generic message intended for the owners/administrators of
    Windows 2000 systems ...
                  ... attempting unauthorized DNS zone updates as
    a result of unsupported Windows 2000 Dynamic DNS configurations.

    ...
   =====================================================================

One or more of your systems ...    most likely Windows 2000 systems
with default Dynamic DNS configurations, are making repeated attempts
to update DNS mappings on the UW central DNS servers.  We do not
support this, so these show up in our reports as refused attempts.

We are sending this message to identify and assist those
people who have mis-configured Windows 2000 systems.

If you are ... you should have
already received instructions on how to turn off Dynamic DNS.
If not, the following references should assist you:

  How to Enable/Disable Windows 2000 Dynamic DNS Registrations
  http://support.microsoft.com/support/kb/articles/Q246/8/04.ASP

  How to Disable Windows 2000 Dynamic Domain Name System Registrations
  with Group Policy
  http://support.microsoft.com/support/kb/articles/Q294/8/32.ASP

If you have any questions about turning off Dynamic DNS updates,
please contact ... and request assistance.

 ...


This problem has lasted longer than Code Red, and is just as hard to
deal with in trying to get in touch with admins and get them to fix
it.

(Then again, could be someone who just downloaded a bind sploit. ;)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
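One way to pick such a source out of the named log automatically, as an added example that is not part of Dave's post or of any UW tooling: it parses lines in the format quoted above, groups refusals by client IP, and flags clients refused repeatedly at a roughly fixed interval. The sample log lines and the 192.0.2.10 client are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND named syslog line as quoted in the thread:
#   Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383: zone transfer denied
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S*named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: (?P<msg>.*)$"
)

# Constructed sample: four refusals 20 minutes apart from the IP in the
# thread, one lone refusal from another (constructed) client, one unrelated line.
SAMPLE_LOG = [
    "Oct  8 05:40:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53383: zone transfer denied",
    "Oct  8 05:41:02 myserver /usr/sbin/named[2073]: client 192.0.2.10#40001: zone transfer denied",
    "Oct  8 06:00:34 myserver /usr/sbin/named[2073]: client 128.177.209.26#53390: zone transfer denied",
    "Oct  8 06:20:35 myserver /usr/sbin/named[2073]: client 128.177.209.26#53401: zone transfer denied",
    "Oct  8 06:30:00 myserver sshd[311]: Accepted publickey for ray from 192.0.2.20",
    "Oct  8 06:40:33 myserver /usr/sbin/named[2073]: client 128.177.209.26#53412: zone transfer denied",
]

def parse_named_line(line, year=2001):
    """Return (timestamp, client_ip, message) or None if the line is not a
    named client message. The year is assumed (syslog stamps omit it)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["msg"]

def repeated_refusers(lines, min_count=3, interval_s=20 * 60, tolerance_s=60):
    """Map client IP -> sorted refusal timestamps for every client refused at
    least min_count times with gaps within tolerance_s of interval_s."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_named_line(line)
        if parsed and "denied" in parsed[2]:
            by_ip[parsed[1]].append(parsed[0])
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = all(abs(g - interval_s) <= tolerance_s for g in gaps)
        if len(stamps) >= min_count and regular:
            hits[ip] = stamps
    return hits

if __name__ == "__main__":
    for ip, stamps in repeated_refusers(SAMPLE_LOG).items():
        print(f"{ip}: {len(stamps)} refusals, first {stamps[0]}, last {stamps[-1]}")
```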


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com