Security Incidents mailing list archives
Re: DNS Messages
From: Bill Reamy <bill () STAFFNET COM>
Date: Thu, 30 Nov 2000 10:24:31 -0500
Steven,

I've noticed similar errors many times and have experimented with packet sniffing the offending traffic. MS's DNS server has some serious problems with logging errors. In many cases the following will occur:

1) bad dns request comes from x.x.x.x
2) local dns server passes bad request along to root name server (or other authoritative dns server) y.y.y.y
3) y.y.y.y responds, question section still contains a copy of the bad dns request.
4) local ms dns finally checks validity of request, logs error as having come from y.y.y.y, _not_ x.x.x.x

When this happens packet sniffing is the only way I've found to identify the actual offender.

On 29 Nov 00, at 11:40, Steven Bonici wrote:

Date sent: Wed, 29 Nov 2000 11:40:32 -0500
Send reply to: Steven Bonici <sbonici () GROUPEA COM>
From: Steven Bonici <sbonici () GROUPEA COM>
Subject: DNS Messages
To: INCIDENTS () SECURITYFOCUS COM

We started to get some DNS warning messages on our NT PDC from an IP address that we have no idea of who it is. I would like to know if I should be...

...snip...

Windows Event Log Messages:

Source/Event ID: DNS/5504
Message: DNS Server encountered invalid domain name packet from 216.190.200.2. Packet rejected

Source/Event ID: DNS/5504
Message: DNS Server encountered invalid domain name packet from 216.190.200.2. Packet rejected

Source/Event ID: DNS/5506
Message: DNS Server encountered invalid domain name offset in packet. Packet rejected

... snip ...

Bill Reamy
bill () staffnet com
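
The correlation described in steps 1 to 4 above can be automated over a packet capture. The following is an added example, not part of the original message: it checks the question name of each DNS payload reaching the local server and, for every malformed response, lists the clients whose earlier malformed query carried the same question bytes. The addresses, the `hdr` helper and the sample packets are constructed for illustration, and it assumes the payloads have already been extracted from the capture as (source, destination, bytes) tuples.

```python
import struct

def name_error(msg, off=12):
    """Return why the first question name fails to parse, or None if it is valid."""
    hops = 0
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return None
        if n & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if off + 1 >= len(msg):
                return "truncated compression pointer"
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if ptr < 12 or ptr >= len(msg) or hops > 16:
                return "invalid name offset"
            off = ptr
        elif n & 0xC0:
            return "invalid label type"
        else:
            off += 1 + n  # ordinary label: length byte plus n characters
    return "name runs past end of packet"

def true_sources(packets, server):
    """Map each host that returned a bad packet to the clients that sent it first."""
    bad_queries, blamed = [], {}
    for src, dst, msg in packets:
        if dst != server or len(msg) < 12 or name_error(msg) is None:
            continue
        is_response = struct.unpack("!H", msg[2:4])[0] & 0x8000
        if not is_response:
            bad_queries.append((src, msg[12:]))
        else:  # the question section is echoed back, so match on its raw bytes
            blamed[src] = [c for c, q in bad_queries if msg[12:].startswith(q)]
    return blamed

def hdr(txid, flags):
    """Build a 12-byte DNS header with one question (constructed sample data)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed capture using documentation addresses: client, local server, upstream.
CLIENT, SERVER, UPSTREAM = "192.0.2.10", "192.0.2.53", "198.51.100.1"
BAD_Q = b"\x03www\xc0\xff\x00\x01\x00\x01"  # pointer to offset 255, past packet end
GOOD_Q = b"\x07example\x03com\x00\x00\x01\x00\x01"
PACKETS = [
    (CLIENT, SERVER, hdr(0x1234, 0x0100) + BAD_Q),         # 1) bad request arrives
    (SERVER, UPSTREAM, hdr(0xBEEF, 0x0000) + BAD_Q),       # 2) passed along upstream
    (UPSTREAM, SERVER, hdr(0xBEEF, 0x8001) + BAD_Q),       # 3) echoed back in reply
    ("192.0.2.20", SERVER, hdr(0x4321, 0x0100) + GOOD_Q),  # unrelated valid query
]
print(true_sources(PACKETS, SERVER))
```

The key of the result is the address the event log would name; the list under it holds the hosts that actually originated the request.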