Security Incidents mailing list archives

Re: Connections to dns server? (fwd)


From: admin () SCORPIONS NET (Alex Blinetskiy)
Date: Fri, 7 Apr 2000 12:59:26 -0400


Here's the answer I got from Microsoft about connections to the DNS server.
In case some of you experience the same thing, the answer below should
explain this.
Thanks,
Alex Blinetskiy

---------- Forwarded message ----------
Date: Fri, 7 Apr 2000 09:53:29 -0700
From: Abuse at Microsoft <abuse () microsoft com>
To: 'Alex Blinetskiy' <admin () scorpions net>
Subject: RE: Connections to dns server?

The traffic that you are seeing is actually an automatic feature of the new
load balancing dns that we are using (the product is 3dns, www.3dns.com).
Basically, as your users hit our sites that use this system, the 3dns system
needs to find out which data center that they are closest to, to try and
improve performance. The system does this by sending a packet to port 53 at
your domain. The system times the round trip, and uses that metric to
calculate the closest servers. It looks like an aborted zone transfer
normally, or a dns look-up that went wrong. The system apparently caches the
information, and will periodically check (every couple of weeks) to make
sure that it is still accurate.

Decent idea in theory but there are some glitches in the implementation. The
teams using the software here are working with the vendor to get the
problems ironed out. Meanwhile, they've implemented an exclusion list for
places where these runaway connections occur. If you can send us the IP
address range you are seeing this on in CIDR format, the team will add you
to the exclusion list.

Mike Lyman
Microsoft Information Security - CERT
PGP KEY 0xD7BBADAD

-----Original Message-----
From: Alex Blinetskiy [mailto:admin () scorpions net]
Sent: Friday, April 07, 2000 8:42 AM
To: dns () microsoft com
Cc: Abuse at Microsoft
Subject: Connections to dns server?

Some weird incoming connections from Microsoft; it keeps on connecting for
2 days ....

Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2300]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2301]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2302]->ns.scorpions.net[209.123.217.66]:domain

another ip also from them:
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2200]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2201]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2202]->ns.scorpions.net[209.123.217.66]:domain

Can you look into it?

Thank you,
Alex Blinetskiy
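The traffic Microsoft describes has a recognisable shape in the log: a short burst of SYNs to port 53 (the "domain" service) from consecutive source ports, with no session behind them, repeated weeks apart. The following is an added example, not code from the thread, from Microsoft or from the 3-DNS product, that parses tcplogd "Syn probe" lines of the form quoted above, groups them per source/destination pair, and labels bursts matching that shape as "rtt-probe-like" so an operator can triage them apart from a real zone-transfer attempt. The sample lines are the six from the post re-joined onto one line each; the regular expression, the thresholds (three SYNs within five seconds) and the helper names are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the six tcplogd lines quoted in the thread,
# re-joined onto one line each (the archive wrapped them mid-line).
SAMPLE_LOG = """\
Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2300]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2301]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:44 doit tcplogd: "Syn probe" 208.184.4.138.microsoft.com[208.184.4.138]:[2302]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2200]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2201]->ns.scorpions.net[209.123.217.66]:domain
Apr  6 12:57:32 doit tcplogd: "Syn probe" 207.46.106.75[207.46.106.75]:[2202]->ns.scorpions.net[209.123.217.66]:domain
"""

# Assumed layout of a tcplogd "Syn probe" record, derived from the lines above:
#   <syslog ts> <host> tcplogd: "Syn probe" <src>[<src_ip>]:[<src_port>]-><dst>[<dst_ip>]:<service>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tcplogd: "Syn probe" '
    r'(?P<src_name>[^\[]+)\[(?P<src_ip>[\d.]+)\]:\[(?P<src_port>\d+)\]->'
    r'(?P<dst_name>[^\[]+)\[(?P<dst_ip>[\d.]+)\]:(?P<dst_svc>\S+)$'
)


def parse_tcplogd(text):
    """Return one dict per parsable "Syn probe" line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src_port"] = int(ev["src_port"])
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used below.
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def classify_probes(events, min_count=3, window_s=5):
    """Group SYNs by (src_ip, dst_ip, service) and label port-53 bursts
    from consecutive source ports as 'rtt-probe-like'; everything else is
    left as 'review' for a human."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src_ip"], ev["dst_ip"], ev["dst_svc"])].append(ev)

    report = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: (e["when"], e["src_port"]))
        ports = [e["src_port"] for e in evs]
        span = (evs[-1]["when"] - evs[0]["when"]).total_seconds()
        sequential = all(b == a + 1 for a, b in zip(ports, ports[1:]))
        burst = len(evs) >= min_count and span <= window_s
        is_dns = key[2] == "domain"
        report[key] = {
            "count": len(evs),
            "ports": ports,
            "span_s": span,
            "verdict": "rtt-probe-like" if (is_dns and burst and sequential) else "review",
        }
    return report


def exclusion_request(report):
    """Collapse the destination addresses that were probed into the CIDR
    list the reply asks for when requesting an exclusion-list entry."""
    nets = {ipaddress.ip_network(dst_ip + "/32") for (_, dst_ip, _) in report}
    return sorted(str(n) for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    evs = parse_tcplogd(SAMPLE_LOG)
    for key, info in classify_probes(evs).items():
        print(key, info)
    print("exclusion-list request:", exclusion_request(classify_probes(evs)))
```

The "rtt-probe-like" label is a triage hint, not a verdict on its own: a real reconnaissance scan can also arrive as a burst of SYNs, so the useful follow-up is the one the thread shows, confirming the source with the owning organisation and, for known probers, routing the noise to an allow or exclusion list rather than silently dropping it.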

