Subject: Weird DNS entry...
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 06/16/2003 14:42:29
On Saturday, my primary master DNS was down (I'm not sure how that happened,
to be honest).  If I were paranoid, I'd say that someone came into my
apartment to do that.  But the only people other than me who have keys to
my apartment are the people that run the apartment---and there's no reason
why they would come in and kill my DNS machine.  (^&


Anyway, that's not what's immediately on my mind.  On my slave DNS,
which was up the whole time, I did an "nslookup" of my domain to
check something.  I saw something rather unusual:

Server:  prometheus.olib.org
Address:  206.126.46.154

Name:    olib.org
Addresses:  64.3.102.155, 206.126.46.154


...the 206.* address is correct (my secondary DNS, my web-server, and
my mail-server; it is also a real IP assignment for the base domain name).

The 64.3.102.155 is bogus.

It is not on the master DNS config.


So, I did a "mv bak.olib.org BAD.bak.olib.org", killed the slave DNS,
and restarted it.  Now it has the correct information.  Diffing the
new bak.olib.org file against the BAD.bak.olib.org produces just one
line, a second A line for olib.org (AHEAD of the one that binds to
my 206.* machine).


What's bothering me is how that line got appended.  Should I be concerned
about my DNS security?  The BAD.* file has a datestamp of *today*, only
a few minutes ago.  My master DNS was turned back on over 36 hours ago and
hasn't been down since.

Fortunately, no web-address that uses "www.olib.org", and no properly
written mail software, should have been confused by the bogus entry.
Only computers trying to resolve the name "olib.org" as a regular
machine name, and then only if they used my slave DNS, should have had
any chance to be confused.

Still, I'm irritated.  I thought that I'd correctly configured the
slave DNS to only get DNS information from the master.  Is there a bug
with DNS when the slave can't find the master?  And if the bak.* local
file is datestamped today, shouldn't that mean that it refreshed itself
today?

From the slave's named.conf:


zone "olib.org" in {
        type slave;
        file "bak.olib.org";
        masters { 206.126.46.155; };
        allow-transfer { none; };
};


I'm running bind9, from pkgsrc.  bind-9.2.1.  No security advisories, as
far as I know...

Should I be concerned about malicious attacks on my DNS?  They could have
done a lot more to derail mail & web if it was malicious...


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
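The following is an added example, not part of the original message and not BIND's own code. It does mechanically what the poster did by hand: parse two copies of a slave-written zone file in BIND master-file format (the old BAD.bak.olib.org and the freshly transferred bak.olib.org), report every record present in one copy but not the other, list the apex A records in file order, and show the SOA serial each copy carries. The two zone texts are constructed for this purpose; the host name, the addresses and the apex name come from the message, while the surrounding records (NS, MX, www, the serial value and timers) are assumed.

```python
"""Compare two copies of a BIND master-format zone file and report what
differs.  Handles $ORIGIN, $TTL, omitted owner names, optional TTL/class
fields, ';' comments and parenthesised multi-line records (SOA).

Added example, not code from the original post or from BIND.  The zone texts
are constructed; only the names/addresses mirror the message.
"""
from collections import Counter

CLASSES = {"IN", "CH", "HS"}

# Constructed sample: what the slave's bak.olib.org could plausibly contain
# after a clean transfer from the master (NS/MX/www/serial are assumed).
GOOD_ZONE = """\
$ORIGIN .
$TTL 86400      ; 1 day
olib.org                IN SOA  prometheus.olib.org. hostmaster.olib.org. (
                                2003061601 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      prometheus.olib.org.
                        A       206.126.46.154
                        MX      10 olib.org.
$ORIGIN olib.org.
prometheus              A       206.126.46.154
www                     A       206.126.46.154
"""

# Constructed "BAD" copy: identical except for one extra apex A record,
# placed ahead of the legitimate one, as the message describes.
BAD_ZONE = GOOD_ZONE.replace(
    "                        A       206.126.46.154\n",
    "                        A       64.3.102.155\n"
    "                        A       206.126.46.154\n", 1)


def fqdn(name, origin):
    """Make an owner name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def logical_lines(text):
    """Yield (owner_omitted, tokens) per logical record, joining '(' ... ')'."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip() and depth == 0:
            continue
        if not buf:
            indented = line[:1] in (" ", "\t")      # blank owner field
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            yield indented, joined.split()
            buf, depth = [], 0


def parse_zone(text):
    """Return ([(owner, type, rdata), ...] in file order, soa_serial)."""
    origin, owner, serial, records = ".", None, None, []
    for indented, toks in logical_lines(text):
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        if not indented:
            owner = fqdn(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            toks.pop(0)                              # optional TTL / class
        rtype = toks.pop(0).upper()
        if rtype == "SOA":
            serial = int(toks[2])                    # mname rname serial ...
        records.append((owner, rtype, " ".join(toks)))
    return records, serial


def apex_addresses(text, apex="olib.org."):
    """A records for the zone apex, in the order the file lists them."""
    records, _ = parse_zone(text)
    return [rd for own, rt, rd in records if own == apex and rt == "A"]


def compare_zones(master_text, slave_text):
    """Return (only_in_master, only_in_slave, master_serial, slave_serial)."""
    m_recs, m_serial = parse_zone(master_text)
    s_recs, s_serial = parse_zone(slave_text)
    m_cnt, s_cnt = Counter(m_recs), Counter(s_recs)
    only_master = sorted((m_cnt - s_cnt).elements())
    only_slave = sorted((s_cnt - m_cnt).elements())
    return only_master, only_slave, m_serial, s_serial


if __name__ == "__main__":
    only_m, only_s, ms, ss = compare_zones(GOOD_ZONE, BAD_ZONE)
    print("good copy serial:", ms, " bad copy serial:", ss)
    print("apex A (good):", apex_addresses(GOOD_ZONE))
    print("apex A (bad): ", apex_addresses(BAD_ZONE))
    for rec in only_s:
        print("only in bad copy: ", rec)
    for rec in only_m:
        print("only in good copy:", rec)
```

Run against the two real files (read them with `open(...).read()` in place of the constants) to get the same one-line difference the poster saw. The serial check matters: a slave only pulls a new copy when the master's SOA serial is higher than the one it already holds, so two copies that differ in content but share a serial are not reconciled by the normal refresh cycle, which is why moving the old file aside and restarting was the effective fix here.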