North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: is your host or dhcp server sending dns dynamic updates forrfc1918?

  • From: Greg Maxwell
  • Date: Fri Apr 19 09:05:46 2002

On Thu, 18 Apr 2002, Paul Vixie wrote:

> what these files are is a whole lot of lines that look like (broken by me):
> 18-Apr-2002 16:16:05.491 security: notice: \
> 	denied update from [].2323 for "" IN
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
> so who are these people and why are they sending dynamic updates for rfc1918
> address space PTR's?  second answer first: it's probably Windows' fault.
> after a successful DHCP transaction, the corresponding A RR and PTR RR have
> to be updated.  if rfc1918 is in use, dns transactions about these PTR's
> ought to be caught and directed toward some local server, who can do something
> useful with them.  this local capture often does not occur, and so these
> dns transactions end up coming to us.

Does anyone already have a SNORT signature to match on these updates to
aid in tracking down which hosts behind a NAT are guilty for generating
this garbage?