is your host or dhcp server sending dns dynamic updates for rfc1918?
Greg Maxwell
gmaxwell at martin.fl.us
Fri Apr 19 13:03:51 UTC 2002
On Thu, 18 Apr 2002, Paul Vixie wrote:
[snip]
> what these files are is a whole lot of lines that look like (broken by me):
>
> 18-Apr-2002 16:16:05.491 security: notice: \
> denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
>
> by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
>
> so who are these people and why are they sending dynamic updates for rfc1918
> address space PTR's? second answer first: it's probably Windows' fault.
> after a successful DHCP transaction, the corresponding A RR and PTR RR have
> to be updated. if rfc1918 is in use, dns transactions about these PTR's
> ought to be caught and directed toward some local server, who can do something
> useful with them. this local capture often does not occur, and so these
> dns transactions end up coming to us.
[snip]
Does anyone already have a SNORT signature to match on these updates to
aid in tracking down which hosts behind a NAT are guilty of generating
this garbage?