Security Incidents mailing list archives

Re: DNS update queries: another sort of suspicious activity.


From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Fri, 28 Jan 2000 16:57:23 -0500


You are probably going to find a lot more of these entries. By default, Windows
2000 tries to send a DNS update to its known DNS server whenever it starts up
with a new IP from DHCP or finds its name-to-IP lookup entry not in the local
DNS zone.
This is MS's implementation of dynamic DNS. There are some more details on the SANS
GIAC pages http://www.sans.org/giac.html
(Jan 26).

Fyodor <fygrave () TIGERTEAM NET> on 28/01/2000 08:12:38 AM

Please respond to Fyodor <fygrave () TIGERTEAM NET>

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: DNS update queries: another sort of suspicious activity.

Greetings,
 Today I noticed quite interesting logs from my named:

Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for
myzone.com
Jan 28 05:57:09 ns last message repeated 2 times
...

Looks like someone tried to spoof DNS update queries to `update' the zonefiles
of my nameserver. I will try to dissect the DNS update query tonight to see if I
could write decent snort rules to detect this sort of attack.

-F
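The dissection Fyodor proposes above, as an added example that is not part of either message in this thread: a small parser for the DNS header that identifies RFC 2136 UPDATE requests (opcode 5) and pulls out the zone name from the Zone section, which is what a detection rule has to key on. The opcode sits in bits 3..6 of the third byte of the message, so an UPDATE request is exactly `(byte2 & 0x78) == 0x28` with the QR bit clear; that is the byte-level test a snort rule would express. The packets below are constructed inline for the example (the zone `myzone.com` is taken from the log lines above; the transaction ID and the hostname `www.myzone.com` are assumptions), so it runs offline.

```python
"""Dissect DNS messages and flag UPDATE requests (RFC 2136, opcode 5).

Added example for this thread; the packets are constructed here, not captured.
"""
import struct

OPCODE_UPDATE = 5
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name at `offset`; return (name, offset_after_name).

    Follows compression pointers (RFC 1035 section 4.1.4) so the helper also
    works on real captures, where the zone name is often compressed.
    """
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns(packet):
    """Return header fields plus the first question/zone entry of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, str(opcode)),
        "counts": (qdcount, ancount, nscount, arcount),  # for UPDATE: ZO, PR, UP, AD
        "zone": None,
    }
    if qdcount:
        name, off = decode_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        info["zone"] = name
        info["qtype"] = qtype    # an UPDATE carries SOA (6) here
        info["qclass"] = qclass
    return info


def is_dns_update(packet):
    """True for an UPDATE request: QR bit clear and opcode 5 in byte 2 (mask 0x78)."""
    if len(packet) < 3:
        return False
    return (packet[2] & 0x80) == 0 and (packet[2] & 0x78) == 0x28


def build_update(zone, txid=0x1234):
    """Construct a minimal UPDATE request for `zone` (ZOCOUNT=1, type SOA, class IN)."""
    flags = OPCODE_UPDATE << 11
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)


def build_query(name, txid=0x1234):
    """Construct an ordinary recursive A query (opcode 0, RD set) for comparison."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    for pkt in (build_update("myzone.com"), build_query("www.myzone.com")):
        info = parse_dns(pkt)
        print(info["opcode_name"], info["zone"], "UPDATE" if is_dns_update(pkt) else "-")
```

Because the test in `is_dns_update` is a single masked byte at a fixed offset, it maps directly onto a content/byte test in a snort rule on UDP and TCP port 53; the zone name parsed by `parse_dns` is what you would match to decide whether an update aimed at one of your own zones is worth an alert, since, as Bill notes above, Windows 2000 clients will produce these routinely.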


