[46959] in North American Network Operators' Group


Re: is your host or dhcp server sending dns dynamic updates for

daemon@ATHENA.MIT.EDU (Greg Maxwell)
Fri Apr 19 09:04:21 2002

Date: Fri, 19 Apr 2002 09:03:51 -0400 (EDT)
From: Greg Maxwell <gmaxwell@martin.fl.us>
To: <nanog@merit.edu>
In-Reply-To: <20020418235759.87A1928B6E@as.vix.com>
Message-ID: <Pine.GSO.4.33.0204190902050.9888-100000@da1server.martin.fl.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 18 Apr 2002, Paul Vixie wrote:

[snip]
> what these files are is a whole lot of lines that look like (broken by me):
>
> 18-Apr-2002 16:16:05.491 security: notice: \
> 	denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
>
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
>
> so who are these people and why are they sending dynamic updates for rfc1918
> address space PTR's?  second answer first: it's probably Windows' fault.
> after a successful DHCP transaction, the corresponding A RR and PTR RR have
> to be updated.  if rfc1918 is in use, dns transactions about these PTR's
> ought to be caught and directed toward some local server, who can do something
> useful with them.  this local capture often does not occur, and so these
> dns transactions end up coming to us.
[snip]

Does anyone already have a SNORT signature to match on these updates to
aid in tracking down which hosts behind a NAT are guilty of generating
this garbage?
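
One way to pick these packets out on the inside of a NAT, as an added example that is not part of the original message or thread: a Python check that takes the UDP payload of a packet sent to port 53 and reports whether it is a DNS UPDATE request (opcode 5, RFC 2136) whose zone is an RFC 1918 reverse zone. The function names, the `encode` helper and its sample packets are constructed for illustration, and it assumes some capture tool supplies the payloads along with the pre-NAT source address.

```python
import struct

# Reverse zones for RFC 1918 space: 10/8, 172.16/12, 192.168/16.
RFC1918_REVERSE = ({"10.in-addr.arpa", "168.192.in-addr.arpa"}
                   | {f"{n}.172.in-addr.arpa" for n in range(16, 32)})
OPCODE_UPDATE = 5  # DNS UPDATE, RFC 2136


def read_name(msg, off):
    """Read an uncompressed domain name that starts at offset off."""
    labels = []
    while True:
        length = msg[off]  # IndexError here means the name is truncated
        if length == 0:
            return ".".join(labels).lower()
        if length > 63 or off + 1 + length > len(msg):
            raise ValueError("compressed, oversized or truncated label")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def rfc1918_update_zone(payload):
    """Return the zone name if payload is a DNS UPDATE request for an
    RFC 1918 reverse zone (or a zone beneath one), else None."""
    if len(payload) < 12:
        return None
    _id, flags, zocount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None  # a response, some other opcode, or a bad zone count
    try:
        zone = read_name(payload, 12)  # zone section follows the header
    except (ValueError, IndexError):
        return None
    labels = zone.split(".")
    if any(".".join(labels[i:]) in RFC1918_REVERSE for i in range(len(labels))):
        return zone
    return None


def encode(opcode, zone):
    """Constructed sample input: DNS header plus one zone entry (SOA, IN)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in zone.split("."))
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    return header + name + b"\0" + struct.pack("!HH", 6, 1)


if __name__ == "__main__":
    for pkt in (encode(5, "168.192.in-addr.arpa"), encode(0, "example.com")):
        print(rfc1918_update_zone(pkt))
```
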


