|
Security Incidents
mailing list archives
DNS zone transfer
From: Fernando Cardoso <fernando () BN PT>
Date: Fri, 1 Sep 2000 15:18:16 +0100
I guess you are used to see (as I am) lots of AXFRs from all places. Usually
they came along with bind.version queries since the named NXT bug scripts
are still hot 3lee7 stuff. They don't cause any problem except for a couple
lines in my logs and, sometimes, a message to the tech contact of a
compromised machine (hello .kr!!).
Yesterday, another AXFR try was made. This time from Canada:
ts1-193.mtrl.ca.ziplink.net
My IDS logged the try:
[**] IDS212/dns-zone-transfer [**]
08/31-17:19:10.789779 165.154.200.193:21368 -> my.name.server:53
TCP TTL:109 TOS:0x0 ID:44578 DF
*****PA* Seq: 0xB4A43A Ack: 0xE367A43 Win: 0x2000
00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62 ...9...........b
6E 02 70 74 00 00 0F 00 01 n.pt.....
Nothing new here... What is strange is that nothing was logged in the
nameserver!! I've tried zone transfers with dig, nslookup, host and even
with Sam Spade and all of them left a log entry in the nameserver (bind
8.2.2-P5).
Any thoughts? Just curious...
Fernando
_________________________________________________________
Fernando Cardoso Phone: +351 21 7982186
Network Administrator Fax: +351 21 7982185
National Library E-mail: fernando () bn pt
Portugal PGP ID: 28551CB8
 By Date 
By Thread
Current thread:
- DNS zone transfer Fernando Cardoso (Sep 01)
|
Intro
