is your host or dhcp server sending dns dynamic updates for rfc1918?

Greg Maxwell gmaxwell at martin.fl.us
Fri Apr 19 13:03:51 UTC 2002


On Thu, 18 Apr 2002, Paul Vixie wrote:

[snip]
> what these files are is a whole lot of lines that look like (broken by me):
>
> 18-Apr-2002 16:16:05.491 security: notice: \
> 	denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
>
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
>
> so who are these people and why are they sending dynamic updates for rfc1918
> address space PTR's?  second answer first: it's probably Windows' fault.
> after a successful DHCP transaction, the corresponding A RR and PTR RR have
> to be updated.  if rfc1918 is in use, dns transactions about these PTR's
> ought to be caught and directed toward some local server, who can do something
> useful with them.  this local capture often does not occur, and so these
> dns transactions end up coming to us.
[snip]

Does anyone already have a SNORT signature to match on these updates to
aid in tracking down which hosts behind a NAT are guilty of generating
this garbage?




