Security Incidents mailing list archives

repeated attempts of unapproved updates


From: Wendell Craig Baker <wbaker () SPLOOSH BAKER COM>
Date: Tue, 30 Jan 2001 06:50:53 -0800

Does anyone have any thoughts on a pattern of unapproved updates to DNS?

I'm constantly getting a stream of between five and fifty unapproved updates
to my DNS servers.  Does anyone know anything about this?  I had a
responsible individual at Veritas once tell me that this was a mis-configured
Windows 2000 network (DHCP).  He didn't elaborate, but it stopped (from their
sites).

Jan 30 01:51:11 sploosh named[552]: unapproved update from [172.138.204.192].1339 for baker.com
Jan 30 01:56:46 sploosh named[552]: unapproved update from [172.138.204.192].1350 for baker.com
Jan 30 02:07:21 sploosh named[552]: unapproved update from [172.138.204.192].1361 for baker.com
Jan 30 02:55:24 sploosh named[552]: unapproved update from [172.160.248.100].1383 for baker.com
Jan 30 03:00:30 sploosh named[552]: unapproved update from [172.160.248.100].1395 for baker.com

They've gotten more voluminous recently:

$ grep -c 'unapproved update' /var/log/messages*
/var/log/messages:847    (this logfile is 3 days old)
/var/log/messages.1:3774 (spans 1 week -- 21-28 Jan 2001)
/var/log/messages.2:884  (spans 1 week -- 14-21 Jan 2001)

Some simple filtering gets a smallish set of addresses over the course of the
past 30 days.  The 172.*.*.* addresses seem to be in AOL.COM's sphere of influence.

$ perl -n -e 'our %addr;                              # set of source IPs seen so far
  next unless /unapproved update/;                     # keep only the named(8) refusal lines
  next unless m/\[(\d+(?:\.\d+){3})\]\.\d+/;           # pull the address out of "[a.b.c.d].port"
  $addr{$1} = 1;
  END { my @saddr = sort keys %addr; print "$_\n" for @saddr;
        my $n = @saddr; print "There were $n addresses.\n"; }' /var/log/messages.*

172.129.1.251
172.129.28.173
172.131.185.88
172.141.23.60
172.143.214.61
172.153.35.74
172.153.49.61
172.154.174.144
172.160.252.14
172.164.116.99
172.164.210.216
172.168.205.251
172.174.159.178
172.174.171.231
172.174.223.178
24.162.117.95
24.167.108.191
24.27.21.61
66.27.93.98
90.0.0.2
There were 20 addresses.

Thanks for any thoughts.

--
Wendell Craig Baker
415 699 9567
wbaker () baker com

