Re: Oddities in my named.log. Can you explain?

2008-12-06 Thread Keve Nagy

Michael Milligan wrote:

[Note: this is really off-topic for bind-users...]


How a Microsoft Active Directory controller works and what it does is 
indeed off-topic in this news group. Your nudging is noted.
In my defense however, I couldn't have known this without the answer, 
having only a "strongly BIND related" question. :-)


Now that I learnt that this is related to a Win2000 and Win2003 
behaviour I agree, its further discussion doesn't belong here.

I am moving the topic to a more appropriate news group.


The first default site name was renamed to
Alapertelmezett-elso-hely-neve, this should give you a clue for tracking
this down.


Not really.
"Alapertelmezett-elso-hely-neve" translates directly to 
"Default-first-place-name". So I believe the remote host is just using a 
localized language version of a windows server. :-)


Thanks for the pointers!
Your help is very much appreciated.

Regards,
Keve

--
if you need to reply directly:
keve(at)mail(dot)poliod(dot)hu
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Oddities in my named.log. Can you explain?

2008-12-05 Thread Keve Nagy

Hi Everyone,
I see some oddities frequently showing up in our BIND logfiles.
This is on the official primary NS for our domain.

*Oddity_type#1*
... view external-in: query: server.EXAMPLE.COM IN SOA -E

Please note that the only thing I changed here is the domain name. I did 
not capitalize it, the original domain name also got logged this way. 
And yes, the original hostname queried was "server", I did not change 
that either. These are repeatedly coming from the same source IP 
address, once in every 10-70 minutes.
We have never had a host named "server". So why would an external 
machine keep asking for a hostname we never had? Especially with such an 
obvious name! Also, why is the domain part capitalized for these 
queries, and not in any proper/legitimate query? I assume this is what 
the query was for. The original request must have been for 
server.EXAMPLE.COM, having the domain part this way capitalized in the 
query itself.
So why would a remote system look for a host named "server" that never 
existed in our system, with the domain name capitalized?

Any legitimate reason you could think of?



*Oddity_type#2*

... view external-in: query: server.EXAMPLE.COM IN SOA +
... view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)


Again note, that I only changed the name of the domain and I did not 
alter the capitalization or the hostname. These are from another source 
IP address, but always the same one. For some reason, also looking for 
the host named "server". And a few minutes later, it seems to try to 
update the domain database.
By the way, no host is allowed to update our DNS records. The zone files 
are updated by hand only. And this has always been the case, no exceptions.




*Oddity_type#3*

... view external-in: query: gc._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: _ldap._tcp.gc._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: _kpasswd._tcp.EXAMPLE.COM IN SOA -E
... view external-in: query: _kpasswd._udp.EXAMPLE.COM IN SOA -E
... view external-in: query: _ldap._tcp.Alapertelmezett-elso-hely-neve._sites.dc._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: _ldap._tcp.d819d059-6674-4c56-899c-e6a7aeefb77f.domains._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: d476b9e8-6916-483e-ac68-2329bfac49b1._msdcs.EXAMPLE.COM IN SOA -E
... view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
... view external-in: query: _gc._tcp.EXAMPLE.COM IN SOA -E

Look at these odd hostnames which are queried for!
These are all systematically returning queries. And these come from 
multiple source IP addresses.
Are these queries legitimate? I mean, do you know of any system that may 
be doing this? Are these strange hostname queries part of some standard 
way of identifying services and I just don't happen to know about this 
standard?


I would very much appreciate some feedback on these.
Best regards,
Keve Nagy * Debrecen * Hungary

--
if you need to reply directly:
keve(at)mail(dot)poliod(dot)hu
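As an added example (not from the thread or from ISC), here is a small Python classifier for named.log lines like the ones quoted above. It assumes BIND 9's standard query-log prefix `client IP#port:` (which the quoted excerpts elided as `...`), decodes the trailing `-E` / `+` flag field, recognises the domain-controller service names listed under Oddity #3, and pairs SOA probes with rejected dynamic updates per source address; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 query-log format (the thread elided the client prefix as "...").
SAMPLE_LOG = """\
client 192.0.2.10#1034: view external-in: query: server.EXAMPLE.COM IN SOA -E
client 198.51.100.7#3123: view external-in: query: server.EXAMPLE.COM IN SOA +
client 198.51.100.7#3123: view external-in: updating zone 'example.com/IN': update unsuccessful: server.EXAMPLE.COM/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
client 203.0.113.5#2211: view external-in: query: _ldap._tcp.dc._msdcs.EXAMPLE.COM IN SOA -E
client 203.0.113.5#2211: view external-in: query: _kerberos._tcp.EXAMPLE.COM IN SOA -E
client 203.0.113.5#2211: view external-in: query: www.example.com IN A -
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: view \S+: query: (?P<name>\S+) IN (?P<rtype>\S+) (?P<flags>\S+)")
UPDATE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: view \S+: updating zone '[^']+': "
                       r"update unsuccessful: (?P<rr>\S+): .*\((?P<rcode>\w+)\)$")

# Names a Windows 2000/2003 domain controller registers via dynamic update (the thread's Oddity #3 list).
AD_DC_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^_ldap\._tcp\.(dc|gc)\._msdcs\.", r"^_ldap\._tcp\.[^.]+\._sites\.dc\._msdcs\.",
    r"^_ldap\._tcp\.[0-9a-f-]{36}\.domains\._msdcs\.", r"^[0-9a-f-]{36}\._msdcs\.",
    r"^_kerberos\._(tcp|udp)\.", r"^_kpasswd\._(tcp|udp)\.", r"^_gc\._tcp\.", r"^gc\._msdcs\.")]

def is_ad_dc_name(name):
    return any(p.search(name) for p in AD_DC_PATTERNS)

def decode_flags(flags):
    """Trailing flag field: '+' recursion desired / '-' not, then optional letters
    S (request was TSIG/SIG(0) signed), E (EDNS OPT present), T (arrived over TCP)."""
    return {"recursion_desired": flags[0] == "+", "signed": "S" in flags[1:],
            "edns": "E" in flags[1:], "tcp": "T" in flags[1:]}

def summarize(log_text):
    """Per-client counts: DC service-record lookups, other SOA probes, rejected updates, rest."""
    counts = defaultdict(lambda: {"ad_dc_srv": 0, "soa_probe": 0, "rejected_update": 0, "other": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            kind = ("ad_dc_srv" if is_ad_dc_name(m["name"])
                    else "soa_probe" if m["rtype"] == "SOA" else "other")
            counts[m["ip"]][kind] += 1
            continue
        m = UPDATE_RE.search(line)
        if m:  # SOA lookup then UPDATE: how a client finds the primary and tries to register itself
            counts[m["ip"]]["rejected_update"] += 1
    return dict(counts)

def dynamic_update_clients(summary):
    """Clients that tried to change the zone; confirm allow-update / update-policy rejects them."""
    return sorted(ip for ip, c in summary.items() if c["rejected_update"])
```

Run `summarize(SAMPLE_LOG)` over a real named.log (with query and update logging enabled) to see which sources are only doing DC-style service-record probing and which actually attempt updates.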