Security Incidents mailing list archives
Re: DNS update queries: another sort of suspicious activity.
From: Bill_Royds () PCH GC CA (Bill Royds)
Date: Fri, 28 Jan 2000 16:57:23 -0500
You are probably going to find a lot more of these entries. By default, Windows 2000 tries to send a DNS update to its known DNS server whenever it starts up with a new IP from DHCP or finds its name-to-IP lookup entry not in the local DNS zone. This is MS's implementation of dynamic DNS. There are some more details on the SANS GIAC pages http://www.sans.org/giac.html (Jan 26).

Fyodor <fygrave () TIGERTEAM NET> on 28/01/2000 08:12:38 AM

Please respond to Fyodor <fygrave () TIGERTEAM NET>

To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: DNS update queries: another sort of suspicious activity.

Greetings,

Today I noticed quite interesting logs from my named:

Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for myzone.com
Jan 28 05:57:09 ns last message repeated 2 times
...

Looks like someone tried to spoof DNS update queries to `update' zonefiles of my nameserver. I will try to dissect a DNS update query tonight to see if I could write decent snort rules to detect this sort of attack.

-F
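A triage sketch for the named messages quoted in this thread, added here as an example and not written by either poster: it counts refused updates per source and zone, folds in syslog's "last message repeated" lines, and separates sources inside known DHCP client networks (the Windows 2000 case described in the reply) from everything else. The function names, the sample lines after the first two, and the 192.168.0.0/24 client network are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first two lines follow the log quoted above, the rest are made up.
SAMPLE_LOG = """\
Jan 28 05:56:54 ns named[14783]: unapproved update from [192.168.0.4].126 for myzone.com
Jan 28 05:57:09 ns last message repeated 2 times
Jan 28 06:10:02 ns named[14783]: unapproved update from [192.168.0.9].1031 for myzone.com
Jan 28 06:11:40 ns sshd[211]: Connection closed by 192.168.0.9
Jan 28 06:11:45 ns last message repeated 3 times
Jan 28 06:30:17 ns named[14783]: unapproved update from [203.0.113.7].4012 for myzone.com
"""

# The quoted log shows the source as [address].port
UPDATE_RE = re.compile(
    r"named\[\d+\]: unapproved update from \[(?P<src>[\d.]+)\]\.\d+ for (?P<zone>\S+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?")


def count_unapproved_updates(log_text):
    """Count refused dynamic updates per (source IP, zone)."""
    counts = Counter()
    last_key = None  # set only while the most recent real message was a refused update
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            last_key = (m.group("src"), m.group("zone"))
            counts[last_key] += 1
        elif REPEAT_RE.search(line):
            # A repeat marker belongs to the message just before it, whatever that was.
            if last_key is not None:
                counts[last_key] += int(REPEAT_RE.search(line).group("n"))
        else:
            last_key = None  # unrelated message: later repeat markers are not ours
    return counts


def triage(counts, client_nets):
    """Split sources into expected DHCP clients and ones that need a closer look."""
    nets = [ipaddress.ip_network(n) for n in client_nets]
    report = {"expected_clients": {}, "review": {}}
    for (src, zone), n in counts.items():
        inside = any(ipaddress.ip_address(src) in net for net in nets)
        report["expected_clients" if inside else "review"][(src, zone)] = n
    return report


if __name__ == "__main__":
    for bucket, rows in triage(count_unapproved_updates(SAMPLE_LOG), ["192.168.0.0/24"]).items():
        print(bucket, rows)
```

A source address in the log is only as trustworthy as the packet that carried it, so the "expected_clients" bucket is a starting point for checking against DHCP leases, not a verdict.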