Hi all,

I'm starting to experience how much buggy or misconfigured DNS software 
apparently is deployed...

Ask: when was my server last configured as pool.ntp.org nameserver?  Months 
ago, right?  I'm currently watching DNS server logs every now and then and 
find
 * lots of queries for ntp.org stuff; some few IPs have sent tens of 
thousands of requests (all denied) over the last week.
 * quite a few people apparently having my server configured as one of their 
DNS servers as I see random DNS queries that might be results from web 
browsing and other Internet use.  Some of them very bursty, so I'm assuming 
that'd be the script kiddies.

And then there's this gem:
+++
Jun 21 03:18:35 zbasel named[7530]: client 121.97.143.22#7851: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:40 zbasel named[7530]: client 121.97.143.22#30824: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:41 zbasel named[7530]: client 121.97.143.22#60397: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:46 zbasel named[7530]: client 121.97.143.22#43901: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:52 zbasel named[7530]: client 121.97.143.22#14348: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:57 zbasel named[7530]: client 121.97.143.22#63777: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:18:57 zbasel named[7530]: client 121.97.143.22#44737: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:19:03 zbasel named[7530]: client 121.97.143.22#24097: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:19:08 zbasel named[7530]: client 121.97.143.22#60445: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:19:13 zbasel named[7530]: client 121.97.143.22#40607: query (cache) 'time.nist.gov/A/IN' denied
Jun 21 03:19:14 zbasel named[7530]: client 121.97.143.22#26975: query (cache) 'time.nist.gov/A/IN' denied
+++

10000 requests over ca. 3 days, all for time.nist.gov, and no other log 
entry covering this IP at all.  Anybody like to guess what happened here?  
ntp-serving appliance being deployed, having DNS instead of NTP server set 
to my box?  Even then, I'd expect additional queries like for 
update.vendor.com or similar.

cheers
-- vbi

-- 
Available for key signing in Zürich and Basel, Switzerland
                    (what's this? Look at http://fortytwo.ch/gpg/intro)


_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
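
Added example, not part of the original message: one way to pull clients like the one above out of a named log, by counting denied queries per source IP and flagging sources that only ever ask for a single name. The function names, the min_count threshold, the assumed year and the 192.0.2.10 log lines are constructed for illustration; the first four sample lines are taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND "query (cache) ... denied" line in the syslog form shown in the post.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/']+)/\w+/\w+' denied$")

def summarize(lines, year=2000):
    """Per-client count, distinct names and first/last time of denied queries.
    Syslog timestamps carry no year, so `year` is an assumption."""
    stats = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for line in lines:
        m = DENIED.match(" ".join(line.split()))  # normalise whitespace first
        if not m:
            continue  # not a denied-query line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = stats[m["ip"]]
        s["count"] += 1
        s["names"].add(m["qname"].lower())
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def single_name_clients(stats, min_count=3):
    """(ip, name, count, mean seconds between queries) for clients that were
    denied at least min_count times and asked for exactly one name."""
    out = []
    for ip, s in sorted(stats.items()):
        if s["count"] >= min_count and len(s["names"]) == 1:
            span = (s["last"] - s["first"]).total_seconds()
            out.append((ip, next(iter(s["names"])), s["count"],
                        round(span / (s["count"] - 1), 1)))
    return out

PFX = "Jun 21 03:18:%s zbasel named[7530]: client %s: query (cache) '%s' denied"
SAMPLE = [  # first four entries from the post, last three constructed
    PFX % ("35", "121.97.143.22#7851", "time.nist.gov/A/IN"),
    PFX % ("40", "121.97.143.22#30824", "time.nist.gov/A/IN"),
    PFX % ("41", "121.97.143.22#60397", "time.nist.gov/A/IN"),
    PFX % ("46", "121.97.143.22#43901", "time.nist.gov/A/IN"),
    PFX % ("36", "192.0.2.10#5301", "www.example.com/A/IN"),
    PFX % ("37", "192.0.2.10#5302", "mail.example.net/MX/IN"),
    PFX % ("39", "192.0.2.10#5303", "example.org/AAAA/IN"),
]

if __name__ == "__main__":
    for row in single_name_clients(summarize(SAMPLE)):
        print(*row)
```

On a real log, pass the open file object to summarize() and raise min_count so that short bursts are ignored.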
