On Thu, 18 Apr 2002, Paul Vixie wrote:
[snip]
> what these files are is a whole lot of lines that look like (broken by me):
>
>     18-Apr-2002 16:16:05.491 security: notice: \
>     denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
>
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
>
> so who are these people and why are they sending dynamic updates for rfc1918
> address space PTR's?  second answer first: it's probably Windows' fault.
> after a successful DHCP transaction, the corresponding A RR and PTR RR have
> to be updated.  if rfc1918 is in use, dns transactions about these PTR's
> ought to be caught and directed toward some local server, who can do something
> useful with them.  this local capture often does not occur, and so these
> dns transactions end up coming to us.
[snip]

Does anyone already have a SNORT signature to match on these updates to aid in tracking down which hosts behind a NAT are guilty for generating this garbage?