Security Incidents: Re: Microsoft version.binding us now?

From: Thijs Eilander <eilander_at_COBWEB.NL>
Date: Wed, 31 May 2000 01:31:49 +0200

Same here, every +/- 4 minutes they poll for our VERSION.BIND. I resolved
one of the IP numbers to something.windowsupdate.com and I contacted the
technical contacts.

I appended their answer in my email.

I think I break their system because our nameservers won't accept queries
for domains we are not hosting. So their system won't get a result (except
for a 'query refused' or something) and will try again the next time when
someone from our iprange visits their site. Just my thoughts, I have no clue
if it's correct ;)

-----Original Message-----
From: Information Security [mailto:netsec_at_microsoft.com]
Sent: Tuesday 30 May 2000 22:49
To: 'eilander_at_cobweb.nl'
Subject: RE: unwanted connections

 The traffic that you are seeing is actually an automatic feature of the new
load balancing dns that we are using (the product is 3dns, www.3dns.com).
Basically, as your users hit our sites that use this system, the 3dns system
needs to find out which data center that they are closest to, to try and
improve performance. The system does this by sending a packet to port 53 at
your domain. The system times the round trip, and uses that metric to
calculate the closest servers. It looks like an aborted zone transfer
normally, or a dns look-up that went wrong. The system apparently caches the
information, and will periodically check (every couple of weeks) to make
sure that it is still accurate.

Decent idea in theory but there are some glitches in the implementation. The
teams using the software here are working with the vendor to get the
problems ironed out. Meanwhile, they've implemented an exclusion list for
places where these runaway connections occur. If you can send us the IP
address range you are seeing this on in CIDR format, the team will add you
to the exclusion list.
Received on Jun 01 2000
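
An added example, not part of the original posts: one way to confirm the polling pattern described in this thread from a name server's query log, by grouping repeated version.bind CH TXT queries per source and measuring the interval between them. The log lines are constructed, and the BIND 9 querylog-style layout is an assumption; adjust the regular expression to your server's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation addresses), BIND 9 querylog style assumed.
SAMPLE_LOG = """\
31-May-2000 01:00:00.000 client 192.0.2.10#1025: query: version.bind CH TXT
31-May-2000 01:04:02.000 client 192.0.2.10#1026: query: version.bind CH TXT
31-May-2000 01:08:01.000 client 192.0.2.10#1027: query: VERSION.BIND CH TXT
31-May-2000 01:09:30.000 client 198.51.100.7#4000: query: www.example.com IN A
31-May-2000 01:12:03.000 client 192.0.2.11#1028: query: version.bind CH TXT
31-May-2000 01:16:00.000 client 192.0.2.11#1029: query: version.bind CH TXT
31-May-2000 01:20:00.000 client 203.0.113.5#2000: query: version.bind CH TXT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[0-9a-fA-F.:]+)#\d+"
    r".*?query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def version_bind_pollers(log_text, min_hits=2):
    """Return {source_ip: (hits, mean_interval_seconds)} for sources that
    sent version.bind CH TXT at least min_hits times."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line in the assumed format
        key = (m["name"].rstrip(".").lower(), m["cls"].upper(), m["type"].upper())
        if key != ("version.bind", "CH", "TXT"):
            continue  # ordinary lookups are ignored
        seen[m["ip"]].append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"))

    report = {}
    for ip, times in seen.items():
        if len(times) < min_hits:
            continue  # a single probe is not a polling pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = (len(times), sum(gaps) / len(gaps))
    return report


if __name__ == "__main__":
    for ip, (hits, mean_gap) in sorted(version_bind_pollers(SAMPLE_LOG).items()):
        print(f"{ip}: {hits} version.bind queries, mean interval {mean_gap:.0f}s")
```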
