North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: is your host or dhcp server sending dns dynamic updates forrfc1918?
On Thu, 18 Apr 2002, Paul Vixie wrote: [snip] > what these files are is a whole lot of lines that look like (broken by me): > > 18-Apr-2002 16:16:05.491 security: notice: \ > denied update from [220.127.116.11].2323 for "168.192.in-addr.arpa" IN > > by "a whole lot" i mean we've logged 3.3M of these in the last four hours. > > so who are these people and why are they sending dynamic updates for rfc1918 > address space PTR's? second answer first: it's probably Windows' fault. > after a successful DHCP transaction, the corresponding A RR and PTR RR have > to be updated. if rfc1918 is in use, dns transactions about these PTR's > ought to be caught and directed toward some local server, who can do something > useful with them. this local capture often does not occur, and so these > dns transactions end up coming to us. [snip] Does anyone already have a SNORT signature to match on these updates to aid in tracking down which hosts behind a NAT are guilty for generating this garbage?