updating zone update failed: 'RRset exists (value dependent)

[rhenderson]

I keep getting errors from the System integrity monitor as listed below: I have done a google search and search here and the general concensus seems to be that it is a Windows 2K macine. But this happens everynight just after 00:00 and it has originated from 10 or so different IP addresses. It also repeats itself many times. I add the IP's to the APF everyday but it reappears with different IP's the next day. The IP's are mostly asian and Puerto Rico. In the research they state Win 2K only tried this one time and then gives up, but these are presistent enough to cause SIM to restart the HTTP....

Code:

System integrity monitor on xxx.xxxx.xxx has taken action in responce to an event. 
Recent event logs are enclosed below for your inspection. There has been 8 events today, 
if an average of 8 events is reached, e-mail alerts will be terminated for the duration of 
the day.

- Events Summary:
Total event count:   8
Average event count: 1

- Service Summary:
HTTP      [restarted - 8 events]
DNS       [online - 0 events]
MYSQL     [online - 0 events]
SMTP      [online - 0 events]

- System Summary:
LOAD      [0.04 - status good - 0 events]
NETWORK   [eth0 - online - 0 events]

- SIM Log:
[10/11/05 00:30:01]: NETWORK is online.
[10/11/05 00:30:01]: HTTP service is online.
[10/11/05 00:30:01]: HTTP url request failed, assuming offline.
[10/11/05 00:30:01]: Restarted HTTP service (7 HTTP events today).
[10/11/05 00:30:01]: DNS service is online.
[10/11/05 00:30:01]: MYSQL service is online.
[10/11/05 00:30:01]: SMTP service is online.
[10/11/05 00:35:00]: LOAD 0.04 (status good)
[10/11/05 00:35:00]: NETWORK is online.
[10/11/05 00:35:00]: HTTP service is online.
[10/11/05 00:35:00]: HTTP url request failed, assuming offline.
[10/11/05 00:35:00]: Restarted HTTP service (8 HTTP events today).
[10/11/05 00:35:00]: DNS service is online.
[10/11/05 00:35:00]: MYSQL service is online.
[10/11/05 00:35:00]: SMTP service is online.

- System Log:
Oct 11 00:26:07 host named[2681]: client 203.86.45.18#2618: update 'xxxxx.xxx/IN'
denied Oct 11 00:26:08 host named[2681]: client
203.86.45.18#2526: updating zone 'xxxxx.xxx/IN': update failed: 'RRset exists (value 
dependent)' prerequisite not satisfied (NXRRSET) Oct 11 00:26:10 host named[2681]: client 
203.86.45.18#2529: update 'xxxxx.xxx/IN' denied Oct 11 00:27:11 host named[2681]: 
client 
203.86.45.18#1866: updating zone 'xxxxx.xxx/IN': update failed: 'RRset exists (value 
dependent)' prerequisite not satisfied (NXRRSET) Oct 11
00:27:12 host named[2681]: client 203.86.45.18#1869: update 'xxxxx.xxx/IN' denied Oct 
11 00:27:43 host named[2681]: client
203.86.45.18#3872: update 'xxxxx.xxx/IN' denied Oct 11 00:28:29 host
named[2681]: client 203.86.45.18#3884: update 'xxxxx.xxx/IN' denied Oct
11 00:29:38 host named[2681]: client 203.86.45.18#1433: updating zone
'xxxxx.xxx/IN': update failed: 'RRset exists (value dependent)'
prerequisite not satisfied (NXRRSET) Oct 11 00:29:38 host named[2681]:
client 203.86.45.18#1433: error sending response: host unreachable Oct 11
00:31:12 host pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1 Oct 11 00:31:12 host pure-ftpd: (?@127.0.0.1) [INFO] Logout.
Oct 11 00:31:28 host named[2681]: client 203.86.45.18#3892: update 'xxxxx.xxx/IN' 
denied Oct 11 00:32:09 host named[2681]: client
203.86.45.18#3898: update 'xxxxx.xxx/IN' denied Oct 11 00:33:43 host
named[2681]: client 203.86.45.18#1986: updating zone 'xxxxx.xxx/IN':
update failed: 'RRset exists (value dependent)' prerequisite not satisfied
(NXRRSET) Oct 11 00:33:45 host named[2681]: client 203.86.45.18#1989: 
update 'xxxxx.xxx/IN' denied

======================================================
SIM 2.5-3 <sim@r-fx.org>                                      10/11/05
00:35:00

WHOIS results for 203.86.45.18
Generated by www.DNSstuff.com
Location: China [City: Beijing, Guangdong]

Any ideals?

[kieranmullen]

So if ip not belonging to you is listed there and you are getting the emails from it perhaps it isnt your server?

[chirpy]

1. Don't add the IP's to APF it can quickly render your server unbootable.

2. Those are indeed usually caused by poorly configured W2K and in particular, XP PC's on a LAN

3. The best way to avoid the attempts is to prevent external named updates being accepted by configuring named.conf correctly:

http://forums.cpanel.net/showthread....=15#post217540

4. Then ignore them

[rhenderson]

1. Don't add the IP's to APF it can quickly render your server unbootable.

2. Those are indeed usually caused by poorly configured W2K and in particular, XP PC's on a LAN

3. The best way to avoid the attempts is to prevent external named updates being accepted by configuring named.conf correctly:

http://forums.cpanel.net/showthread....=15#post217540

4. Then ignore them

Thanks for the answers... I assume then by adding blocks of IP's like entire countries causes a large overhead for APF.

Regards,
Randy

[chirpy]

It most certainly can, yes. IMX it's best to only block IP addresses for a short period of time, while they're attacking your server.After a few days or a week, clear out the IP's. The problem is weighing up the issues that IP's trawling open ports has against clobbering every IP packet that comes into the server. Port scans are annoying, but once done they usually move on unless you have ports open that you shouldn't (e.g. telnet).

[rhenderson]

It most certainly can, yes. IMX it's best to only block IP addresses for a short period of time, while they're attacking your server.After a few days or a week, clear out the IP's. The problem is weighing up the issues that IP's trawling open ports has against clobbering every IP packet that comes into the server. Port scans are annoying, but once done they usually move on unless you have ports open that you shouldn't (e.g. telnet).

Still having some issues with this, I do understand it is a Windows DHCP zone update I have done what was suggested in http://forums.cpanel.net/showthread....=15#post217540 so it is blocking the updates:

Code:

Mar 24 14:15:22 host named[11569]: client 200.126.147.63#40708: update 'server.com/IN' denied

But the biggest problem is this causes a load/error, etc.. on the server I have this same message approximately 500+ times a day from the same ip above.

I have tried to block the IP with APF, I do not have very many blocks in there maybe 4 IP's because of the overhead it takes but it continues to give this message even with the blocks.
I have blocked it with the above IP, with the IP /24 and even the name of the server it tracert's back to, no relief

I get messages from SIM with a tail end of the log file when it restarts httpd and it always has the above code in it at the bottom of the log file, could be a coincendence because I get so many of thos entries in the message log each day. I have written the people responsible for the IP twice with zero repsonses.

There has to be away to BAN/BLOCK the above from the server, but I can't figure it out. I am now thinking the IP above must be somehow spoofed or something odd.

Any comments are appricated.

[kemis]

I, too, get this error. I just recently took over a client's DNS, Web, & E-mail hosting via my cPanel server. They, however, are using their own Win2K domain controller to host their domain locally.

When Windows computers dynamically update DNS while on their own internal network (every hour by default), this is okay. Any updates for their domain are intercepted by the domain controller and kept private. But when they take a laptop offsite, for example, then the computers still try to update their domain every hour. But since the domain controller isn't there to receive the update, guess what server gets the update attempt? Yup, my cPanel server.

I only have one computer trying to do this hourly, so I get 24 of these messages a day.

My problem is this, though: I can't figure out who has the laptop/computer that's still configured for their domain!! I've asked around, but noone seems to know. Based on the IP, I do know this PC is on our local cable internet provider's network, but that's all.

Therefore, I want to do something that will "flush out" the "offender" and make them come to me. I picture something like the following: Blocking the IP from contacting my server at all. Hopefully, the next time whoever has the offending IP tries accessing their company Web site, FTP, etc, it won't work and they will eventually come looking for me to find out why. Then, I'll know who it is and can take appropriate actions to unblock them and reconfigure their Windows to NOT update DNS every hour.

Any ideas? What would be the best way to "flush out" whoever is connecting from that IP address? Is there a more creative way than simply blocking the IP? For example, can I configure the Web server to display a special message to whoever has that IP when they attempt to go to the Web site?

Anyway, that's all for now... Thanks!

[webignition]

Port scans are annoying, but once done they usually move on unless you have ports open that you shouldn't (e.g. telnet).

I understand that you can telnet to a host on a given port (e.g. telnetting in on port 80 to test an HTTP request or telnetting in on port 143 to test IMAP), but does telnet in any way run on a given port? It might seem like a silly question, but the word "ports open that you shouldn't (e.g. telnet)" seems to suggest this.

Would anyone be able to clarify things for me a little?

I personally find telnet to be an extremely useful troubleshooting method as it allows me to see, as closely as possible, what a given client application will be seeing when trying to do whatever it somehow can't. However I'm also quite aware that many people (not only on these forums) consider telnet to be, security-wise, a very bad thing.

What is the case exactly?

[chirpy]

Yup. There are two things you need to separate:

1. TELNET server

2. TELNET client

The TELNET server usually runs on port 23 and allows connection to a server into shell (in the same way SSH does). However, like SMTP, FTP, POP3, IMAP, etc, all traffic is sent in clear text, including passwords. So, you should always block port 23 and stop the telnet service if it is running:

netstat -lpn | grep 23

The TELNET application allows you to simply interact with a clear text protocol (see above) simulating the purpose built application by typing in text interactively, e.g. simulating a POP3 client to view the servers protocol responses to your input. Nothing wrong with the TELNET app