I found this message in my logfiles: named[207]: unapproved update from
[a.b.c.d].1300 for BLA.BLUB.DE
I think some script kiddie tried to hack named. Dumping the records
shows no change. Any idea what happened and what should be done? The
system is Solaris 2.7 with some patches but none for the name server.
--
Dipl. Inform. H. Burde
UNIX SysAdmin : BCI GmbH ; hbu...@bci-bremen.de ; http://www.bci-bremen.de
Private: hbu...@t-online.de ; http://home.t-online.de/home/hburde
Of course there was no change. Like the message says, the update wasn't
authorized, so nothing was done.
>system is solaris 2.7 with some patches but none for the name server.
Recent versions of Windows automatically send DNS updates when addresses
are assigned dynamically by DHCP. And MacOS 9 also sends updates when you
enable file sharing, I believe.
--
Barry Margolin, bar...@bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
hi;
The address is from outside - some sort of dial-in account from a provider. It
came 3 times and every time it was the same provider. I don't believe this was
accidental! I think I put in ipfilter and block 53/tcp, or is there a way to
secure BIND?
> came 3 times and every time it was the same provider. I don't believe this was
> accidental! I think I put in ipfilter and block 53/tcp, or is there a way to
> secure BIND?
You don't say what version of BIND. We run 8.2.x and in its named.conf
you can allow/disallow/constrain just about anything, including queries
and updates.
E.g., we allow zone transfers only to our secondary nameservers and
disallow queries to our private Class C networks from anyone not on
them.
Blocking port 53 will give you problems if you allow AXFERs to fallback
servers and is unnecessary.
Tony
--
Tony Earnshaw
Randstad 2157
1314 BH Almere, NL
e-mail: to...@ilion.nl
> Holger Burde wrote:
>
> ....
> > secure bind ?
>
> You don't say what version of BIND. We run 8.2.x and in its named.conf
> you can allow/disallow/constrain just about anything, including queries
> and updates.
>
> E.g., we allow zone transfers only to our secondary nameservers and
> disallow queries to our private Class C networks from anyone not on
> them.
>
> Blocking port 53 will give you problems if you allow AXFERs to fallback
> servers and is unnecessary.
>
> Tony
>
hi;
It's BIND 8 - I am not so familiar with the new options/syntax etc., but now it's
time to attack this problem - oops.
Holger Burde wrote:
>
> Barry Margolin wrote:
>
> > In article <38E07249...@bci-bremen.de>,
> > Holger Burde <hbu...@bci-bremen.de> wrote:
> > >hi;
> > >
> > >I found this message in my logfiles: named[207]: unapproved update from
> > >[a.b.c.d].1300 for BLA.BLUB.DE
> > >
> > >I think some script kiddie tried to hack named. Dumping the records
> > >shows no change. Any idea what happened and what should be done? The
> >
> > Of course there was no change. Like the message says, the update wasn't
> > authorized, so nothing was done.
> >
> > >system is solaris 2.7 with some patches but none for the name server.
> >
> > Recent versions of Windows automatically send DNS updates when addresses
> > are assigned dynamically by DHCP. And MacOS 9 also sends updates when you
> > enable file sharing, I believe.
> >
> > --
> > Barry Margolin, bar...@bbnplanet.com
> > GTE Internetworking, Powered by BBN, Burlington, MA
> > *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> > Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
> hi;
>
> The address is from outside - some sort of dial-in account from a provider. It
> came 3 times and every time it was the same provider.
Yes, someone is trying to spoof your nameserver, but the messages indicate
that your nameserver is not being spoofed.
> I don't believe this was
> accidental!
No, it was not accidental.
> I think I put in ipfilter and block 53/tcp, or is there a way to
> secure BIND?
Your nameserver is doing fine and does not need securing. You need to
KNOW not THINK about what you have in your ipfilters. YOUR SYSTEM IS
PROTECTING ITSELF. LEAVE IT ALONE.
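
An added example, not part of any post in this thread: a small Python script that groups the `unapproved update` messages discussed above by source address and zone, so repeated refused updates from one host stand out in a log review. Only the `named[pid]: unapproved update from [addr].port for ZONE` shape comes from the log line quoted in the first post; the syslog timestamp/host prefix, the sample lines and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message quoted in the thread:
#   named[207]: unapproved update from [a.b.c.d].1300 for BLA.BLUB.DE
REFUSED = re.compile(
    r"named\[\d+\]: unapproved update from "
    r"\[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for (?P<zone>\S+)"
)

# Constructed sample syslog lines (documentation addresses, made-up zones).
SAMPLE_LOG = """\
Mar 28 09:14:02 ns1 named[207]: unapproved update from [192.0.2.45].1300 for EXAMPLE.TEST
Mar 28 09:14:07 ns1 named[207]: unapproved update from [192.0.2.45].1301 for EXAMPLE.TEST
Mar 28 09:20:11 ns1 sendmail[311]: alias database rebuilt
Mar 28 11:02:40 ns1 named[207]: unapproved update from [192.0.2.45].1307 for example.test.
Mar 28 12:30:00 ns1 named[207]: unapproved update from [198.51.100.9].1044 for OTHER.TEST
"""

def summarize(log_text):
    """Group refused dynamic updates by source address.

    Returns {source_ip: {"count": n, "zones": sorted zone names}}.
    Zone names are lower-cased and stripped of a trailing dot so that
    EXAMPLE.TEST and example.test. count as one zone.
    """
    by_src = defaultdict(lambda: {"count": 0, "zones": set()})
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if not m:
            continue  # unrelated syslog line
        entry = by_src[m["src"]]
        entry["count"] += 1
        entry["zones"].add(m["zone"].rstrip(".").lower())
    return {src: {"count": e["count"], "zones": sorted(e["zones"])}
            for src, e in by_src.items()}

def repeat_sources(summary, threshold=3):
    """Sources with at least `threshold` refused updates (threshold is an assumption)."""
    return sorted(src for src, e in summary.items() if e["count"] >= threshold)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, e in sorted(report.items()):
        print(f"{src}: {e['count']} refused update(s) for {', '.join(e['zones'])}")
    print("repeat sources:", repeat_sources(report))
```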