  1. #1
    Member, joined Mar 2004, 859 posts

    Hack attempts to DNS?

    I am starting to see a lot of the following in the /var/log/messages

    Jul 16 11:25:51 skyline named[7739]: client 76.127.10.225#56637: update 'customerdomain.com/IN' denied
    Jul 16 12:10:27 skyline named[7739]: client 76.127.10.225#1100: updating zone 'customerdomain.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

    So, upon thinking this was a hack attempt on the DNS system (i.e. some hacker attempting to transfer zones off of the server, thereby ripping off traffic), I put up a cron'd script to look for this and block the IP involved with the "hack attempt". But lately I have been made aware that some of the IPs that are blocked belong to the owner of the domain and the hosting account.

    Can someone tell me what the heck may be going on with this?

    Thanks very much.

  2. #2
    Member, joined Jul 2002, Canada, 675 posts

    Have you configured bind to not allow zone-transfers and updates from non local IPs?
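The check ramprage asks about can be automated. The following is an added example written for this thread, not code from any of the posters: it scans a named.conf for zones whose effective allow-transfer or allow-update ACL is open to any host. The configuration text it reads is constructed (the 192.0.2.53 secondary is a documentation address); the option names and ACL syntax are BIND's own.

```python
"""Audit a BIND named.conf for zones that accept zone transfers or dynamic
updates from arbitrary hosts.  Added example for this thread, not code from
any poster; the configuration text below is constructed."""
import re

# Constructed sample: the first zone inherits a permissive allow-transfer from
# options{} and opens dynamic updates to anyone; the second zone is hardened.
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "customerdomain.com" {
    type master;
    file "customerdomain.com.db";
    allow-update { any; };
};

zone "example.org" {
    type master;
    file "example.org.db";
    allow-transfer { 192.0.2.53; };   # secondary only (constructed address)
    allow-update { none; };
};
"""

# A zone/options block ends with "};" at the start of a line in this layout.
OPTIONS_RE = re.compile(r"options\s*\{(.*?)\n\};", re.S)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r"(allow-transfer|allow-update)\s*\{([^}]*)\}\s*;")


def parse_acls(body):
    """Return {option: [acl elements]} for the ACLs found in a config body."""
    acls = {}
    for m in ACL_RE.finditer(body):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls


def audit(conf):
    """Return (zone, option, where-set, acl) for every permissive setting.

    A setting is permissive if its effective ACL contains 'any', or if
    allow-transfer is not set anywhere (older BIND 9 documents an unset
    allow-transfer as allowing transfers to all hosts; confirm the default
    for the version you run)."""
    m = OPTIONS_RE.search(conf)
    defaults = parse_acls(m.group(1)) if m else {}
    findings = []
    for zone, body in ZONE_RE.findall(conf):
        local = parse_acls(body)
        for opt in ("allow-transfer", "allow-update"):
            if opt in local:                 # zone-level setting wins
                where, acl = "zone", local[opt]
            elif opt in defaults:            # inherited from options{}
                where, acl = "options", defaults[opt]
            else:
                where, acl = "unset", []
            if "any" in acl or (opt == "allow-transfer" and where == "unset"):
                findings.append((zone, opt, where, acl))
    return findings


if __name__ == "__main__":
    for zone, opt, where, acl in audit(SAMPLE_CONF):
        print(f"{zone}: {opt} set in {where} = {acl}  <- restrict this")
```

On the sample it reports both settings of customerdomain.com and nothing for example.org, whose shape is the fix: allow-transfer listing only the secondaries, and allow-update { none; } (or an update-policy with TSIG keys if a customer genuinely needs dynamic updates). Note that the log lines in the opening post are refused dynamic updates, not zone transfers, so even a correctly restricted server will keep logging them.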

  3. #3
    Member, joined Sep 2004, inside a catfish, 963 posts
    cPanel/Enkompass Access Level: Root Administrator

    Quote Originally Posted by jols:
    I am starting to see a lot of the following in the /var/log/messages

    Jul 16 11:25:51 skyline named[7739]: client 76.127.10.225#56637: update 'customerdomain.com/IN' denied
    Jul 16 12:10:27 skyline named[7739]: client 76.127.10.225#1100: updating zone 'customerdomain.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
    In your example there, 76.127.10.225 is likely a Windows server, and/or a Windows client that is configured with the option to attempt to update nameservers with its current hostname. And when it tries, bind is denying the request (which is what it should do).

    Those pesky Windows servers are a pain in the neck. I see those all the time on our nameservers. Usually Windows SBS / ISA servers trying to update a record in DNS when they don't have rights to do so.

    Don't change a thing, don't block it. If that is an ISA / SBS server and is proxying an office full of machines for your client, then it's querying your DNS (which you won't normally see in your logs because you would have to set a higher loglevel to see that). And if it can't query your DNS, the client can't get to the website / email.

    Mike

  4. #4
    Member, joined Mar 2004, 859 posts

    Quote Originally Posted by ramprage:
    Have you configured bind to not allow zone-transfers and updates from non local IPs?
    Yes. No problem there. I am just wondering where these hack attempts are coming from, and why they would be coming from the customer's IP who owns the domain?

    Do you suppose they have a virus? A badly misconfigured program of some sort? etc?

  5. #5
    Member, joined Mar 2004, 859 posts

    Quote Originally Posted by mtindor:
    In your example there, 76.127.10.225 is likely a Windows server, and/or a Windows client that is configured with the option to attempt to update nameservers with its current hostname. And when it tries, bind is denying the request (which is what it should do).

    Those pesky Windows servers are a pain in the neck. I see those all the time on our nameservers. Usually Windows SBS / ISA servers trying to update a record in DNS when they don't have rights to do so.

    Don't change a thing, don't block it. If that is an ISA / SBS server and is proxying an office full of machines for your client, then it's querying your DNS (which you won't normally see in your logs because you would have to set a higher loglevel to see that). And if it can't query your DNS, the client can't get to the website / email.

    Mike
    Okay, makes sense. Thanks Mike.

    We started blocking when one server was pounded so hard recently, that named started timing out/shutting down.

  6. #6
    Member, joined Sep 2004, inside a catfish, 963 posts
    cPanel/Enkompass Access Level: Root Administrator

    Quote Originally Posted by jols:
    Okay, makes sense. Thanks Mike.

    We started blocking when one server was pounded so hard recently, that named started timing out/shutting down.
    If this happens, it is typically because a specific client on your server is running a Windows SBS / ISA server and all of their internal office machines are proxying through it (but sometimes not). The SBS / ISA server acts as a local DNS server for the client's whole network. So blocking the IP address would cause their internal office machines not to be able to resolve their domain (whose DNS is active on your servers) since their DNS server can't communicate with yours.

    You should be able to determine what client is using that IP because they are probably sending SMTP mail and/or receiving POP3/IMAP mail from that IP address. You could 'grep xxx.xxx.xxx.xxx /var/log/messages' and 'grep xxx.xxx.xxx.xxx /var/log/exim_mainlog' and try to determine what client of yours is using that IP address. Then you can contact them and tell them to fix their Windows server on their network so that it doesn't generate that kind of activity toward your server.

    Microsoft's whole way of doing DNS along with Active Directory is funky. The SBS / ISA server thinks it should be authoritative for the domain because the client probably has it configured as a domain controller for their domain.

    Explain to your client that they need to fix it so that it doesn't generate that activity toward your DNS or else you'll need to block that IP address from accessing DNS - and then explain to them that if you have to do that, their office people won't be able to do anything unless they retain a carbon copy of the DNS zone as it sits on your server, on their DNS server.

    Mike
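
The two things this thread works out, telling a refused dynamic update apart from a refused zone transfer, and grepping the mail log before deciding an IP is hostile, can be put into one small triage script. This is an added example, not code from jols or Mike: the named lines for 76.127.10.225 are the ones from the opening post, while the AXFR-denied lines, the 198.51.100.7 address and the exim_mainlog excerpt are constructed and their exact formats are assumptions for illustration.

```python
"""Classify BIND 'named' log lines and correlate the source IPs with the
mail log so that a customer's own office IP is not blocked by mistake.
Added example for this thread; everything below the first two named lines
is constructed, not taken from a real server."""
import re
from collections import Counter, defaultdict

NAMED_LOG = """\
Jul 16 11:25:51 skyline named[7739]: client 76.127.10.225#56637: update 'customerdomain.com/IN' denied
Jul 16 12:10:27 skyline named[7739]: client 76.127.10.225#1100: updating zone 'customerdomain.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jul 16 12:11:03 skyline named[7739]: client 198.51.100.7#40123: zone transfer 'customerdomain.com/AXFR/IN' denied
Jul 16 12:11:04 skyline named[7739]: client 198.51.100.7#40124: zone transfer 'customerdomain.com/AXFR/IN' denied
"""

# Constructed exim_mainlog excerpt: an authenticated SMTP submission from the
# same address that produces the update attempts above (what Mike's
# 'grep <ip> /var/log/exim_mainlog' would surface).
EXIM_LOG = """\
2008-07-16 11:30:02 1KJ0aa-0001AB-Cd <= office@customerdomain.com H=(sbs.customerdomain.local) [76.127.10.225] P=esmtpa A=login:office@customerdomain.com S=2311
"""

NAMED_RE = re.compile(r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: (?P<msg>.*)$")
EXIM_AUTH_RE = re.compile(r"\[(?P<ip>[\d.]+)\] .*?A=\w+:(?P<user>\S+)")


def classify(msg):
    """Map a named message to what the client was actually trying to do.

    Both 'update ... denied' and 'update failed ... (NXRRSET)' are BIND
    refusing or failing an RFC 2136 dynamic update, the pattern a Windows
    DNS client or SBS/ISA box produces when registering its own name.
    Only 'zone transfer ... denied' is an attempt to pull the whole zone."""
    if msg.startswith("update ") and msg.endswith(" denied"):
        return "update-refused"
    if "update failed" in msg:
        return "update-refused"
    if msg.startswith("zone transfer ") and msg.endswith(" denied"):
        return "axfr-refused"
    return "other"


def parse_named(text):
    """Return a list of (ip, category) for every client line in the log."""
    events = []
    for line in text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            events.append((m["ip"], classify(m["msg"])))
    return events


def known_customers(text):
    """Return {ip: {authenticated mail users}} from exim_mainlog lines."""
    owners = defaultdict(set)
    for line in text.splitlines():
        m = EXIM_AUTH_RE.search(line)
        if m:
            owners[m["ip"]].add(m["user"])
    return owners


def triage(named_text, exim_text, axfr_threshold=1):
    """Return {ip: (verdict, detail)}.

    An IP that authenticates to the mail server belongs to a customer: the
    right action is to contact them, never to block (their office would lose
    resolution for its own domain).  Unknown IPs are flagged for review only
    when they repeatedly ask for zone transfers; stray refused updates are
    noise that BIND already handles."""
    owners = known_customers(exim_text)
    by_ip = defaultdict(dict)
    for (ip, kind), n in Counter(parse_named(named_text)).items():
        by_ip[ip][kind] = n
    verdicts = {}
    for ip, kinds in by_ip.items():
        if ip in owners:
            verdicts[ip] = ("contact-customer", sorted(owners[ip]))
        elif kinds.get("axfr-refused", 0) > axfr_threshold:
            verdicts[ip] = ("review", None)
        else:
            verdicts[ip] = ("ignore", None)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, detail) in triage(NAMED_LOG, EXIM_LOG).items():
        print(f"{ip}: {verdict}" + (f" ({', '.join(detail)})" if detail else ""))
```

Run against real logs, the script replaces the blanket "block whatever matches" cron job from the opening post with a decision that keeps customer addresses out of the firewall; the AXFR threshold and the exim line format are the two knobs to adjust to the server in question.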
