Search Again: Re: Security Errors From: Men & Mice Support Date: Tuesday, October 5, 2004 Time: 9:31:50 am The frequency seems a little odd, and the name of the update is unusual (but not impossible to explain innocently, I suppose). On the other hand, once a minute is not going to cause problems for your server. And once it fails, you'd think an attacker would wise up to the fact that it's not going to work. So I'm skeptical of this being a deliberate attack. Here's an example of why someone would unintentionally send an update packet to your server. Windows client machines, by default, are configured with a hostname and a domain name, such as "machine" and "valleyforgeflag.com". And by default, Windows tries to "register" its IP address in the DNS, by sending an update packet. It determines (by DNS lookups, looking at the SOA record) what server is master for the domain name's containing zone, and then sends an update to that server. It's nice that Microsoft included a dynamic update client in Windows, but it's kind of silly that it's turned on by default. ISP's receive tons of these update packets, and typically they reject them all. Waste of bandwidth. The thing is, the Windows update client only sends one packet (to my knowledge). It doesn't keep trying over and over again. Chris Buxton Men & Mice - Making DNS Easy Customer Service and Sales Engineer At 12:13 PM -0400 10/5/04, Steve Fabian wrote: >The zone is static. Why would someone be sending an update packet? >Is it some sort of malicious attack? They are sending it once every >minute. > >-----Original Message----- >From: quickdns-talk@lists.menandmice.com >[mailto:quickdns-talk@lists.menandmice.com]On Behalf Of Men & Mice >Support >Sent: Tuesday, October 05, 2004 12:09 PM >To: QuickDNS Talk >Subject: Re: Security Errors > > >It means someone sent a dynamic update packet to your server, and it >was rejected. > >If your zone valleyforgeflag.com isn't set to be dynamic, don't worry >about why the update message was rejected. For some reason, BIND >evaluates the prerequisites contained in an update before checking >whether the zone is static or dynamic. Even if the prerequisite had >been satisfied, BIND wouldn't have applied the update to a static >zone. > >Chris Buxton >Men & Mice - Making DNS Easy >Customer Service and Sales Engineer > >At 10:32 AM -0400 10/5/04, Steve Fabian wrote: >>My server log is showing the following error repeatedly. What does >>it mean? The IP in the error message is not on my network. >> >>security: error: client 209.173.1.18#51919: update >>'valleyforgeflag.com/IN': update failed: RRset exists (value >>dependent)' prerequisite not satisfied (NXRRSET) >> >>------------------------------------------------------- >>Steve Fabian >>Westlawn Graphic >>801 Commerce Street >>Sinking Spring, PA 19608 >>(610) 678-2640 >>sfabian@westlawngraphic.com

Messages In This Thread: Security Errors by Steve Fabian on Oct 5, 2004 at 7:34:26 am Re: Security Errors by Men & Mice Support on Oct 5, 2004 at 9:09:41 am Re: Security Errors by Steve Fabian on Oct 5, 2004 at 9:16:06 am Re: Security Errors by Men & Mice Support on Oct 5, 2004 at 9:31:50 am