RE: Named errors - DNS



Thread: RE: Named errors

  1. RE: Named errors


    > Subject: RE: Named errors
    > Date: Wed, 28 Jun 2006 13:21:07 -0400
    > From: "Jeff Lightner"
    > To: , "Kevin Darcy"
    > Cc:
    >
    > Well now it IS broke ain't it?
    >
    > If you tell them the most likely cause is that you were hacked that in
    > tandem with the fact it is not working properly should get them to let
    > you upgrade.


    Actually, I'd put it more 'diplomatically' as in:

    "The Bind that we are using is WELL past its "use-by" date. I need to
    upgrade to a much later version. Although I cannot positively state
    that our name server has been hacked, everything I have now points to
    that.

    I'll also need to reinstall the OS because, if we HAVE been hacked,
    after I get done cleaning things up, I really won't know with 100%
    certainty that I've eliminated any/all "back-doors". Really, the only
    way to be sure we have a "secure" system is to install from scratch."

    Regards,
    Gregory Hicks

    >
    > -----Original Message-----
    > From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
    > Behalf Of Gary Lopez
    > Sent: Wednesday, June 28, 2006 1:07 PM
    > To: Kevin Darcy
    > Cc: bind-users@isc.org
    > Subject: Re: Named errors
    >
    > Thanks Kevin.
    > I am trying to convince the company to upgrade. This is a company that
    > believes in "if it ain't broke don't upgrade it".
    >
    > Gary D Lopez
    > Unix Systems Administrator
    > Catapult Communications
    > 160 S Whisman Rd
    > Mountain View, CA 94041
    > Ph (650) 314-1029
    > Fax (650) 960-1029
    >
    >
    > Kevin Darcy wrote:
    > > Gary Lopez wrote:
    > >> Hello everyone,
    > >> This problem started over the weekend and not sure why. I have been
    > >> running the same version of bind 8.1.2 on Solaris 2.7 for the past 4
    > >> years without incident. Since this weekend however I started seeing
    > >> error messages about wrong ans. name and bad referrals. Is this an
    > >> attack or is there something in my bind configuration I need to
    > >> modify?
    > >>
    > >> example:
    > >>
    > >> Jun 27 07:21:40 named[11645]: bad referral (. !< pebble.com)
    > >> Jun 27 07:21:40 DNS-server named[11645]: bad referral
    > >> (169.218.in-addr.arpa !< 87.169.218.in-addr.arpa)
    > >> Jun 27 07:21:40 DNS-server last message repeated 1 time
    > >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name
    > >> (g.www.ms.akadns.net != toggle.www.ms.akadns.net)
    > >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name
    > >> (lb1.www.ms.akadns.net != toggle.www.ms.akadns.net)
    > >> Jun 27 07:21:51 DNS-server last message repeated 5 times
    > >> Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name
    > >> (lb1.www.ms.akadns.net != g.www.ms.akadns.net)
    > >> Jun 27 07:21:51 DNS-server last message repeated 3 times
    > >> Jun 27 07:22:09 DNS-server named[11645]: bad referral (. !< sandgrabber.com)
    > >>

    > > Probably nothing in your configuration you can do to affect this.
    > >
    > > Is it an attack? Quite likely, since 8.1.2 is/was very exploitable.
    > >
    > > You *really* need to upgrade. BIND 8 is up to 8.4.7, and BIND 9 (a
    > > complete rewrite and the preferred version) is up to 9.3.2.
    > >
    > > - Kevin

    -------------------------------------------------------------------
    Gregory Hicks | Principal Systems Engineer
    Cadence Design Systems | Direct: 408.576.3609
    555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
    San Jose, CA 95134 | Internet: ghicks@cadence.com

    I am perfectly capable of learning from my mistakes. I will surely
    learn a great deal today.

    "A democracy is a sheep and two wolves deciding on what to have for
    lunch. Freedom is a well armed sheep contesting the results of the
    decision." - Benjamin Franklin

    "The best we can hope for concerning the people at large is that they
    be properly armed." --Alexander Hamilton




  2. Re: Named errors

    In article ,
    Gregory Hicks wrote:

    > > Subject: RE: Named errors
    > > Date: Wed, 28 Jun 2006 13:21:07 -0400
    > > From: "Jeff Lightner"
    > > To: , "Kevin Darcy"
    > > Cc:
    > >
    > > Well now it IS broke ain't it?
    > >
    > > If you tell them the most likely cause is that you were hacked that in
    > > tandem with the fact it is not working properly should get them to let
    > > you upgrade.

    >
    > Actually, I'd put it more 'diplomatically' as in:
    >
    > "The Bind that we are using is WELL past its "use-by" date. I need to
    > upgrade to a much later version. Although I cannot positively state
    > that our name server has been hacked, everything I have now points to
    > that.


    Where are you getting the idea that his log messages point to that?
    "Bad referral" errors indicate problems on other servers, not problems
    on your own. Akamai also pulls some funny games with DNS to implement
    their global load balancing, and these often result in complaints from
    DNS servers.

    So if you're suggesting that Jeff lie to his bosses to get them to let
    him upgrade, at least be honest about it.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
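
An added example, not part of the original thread: a short Python script that tallies the named complaints quoted in the first post per remote name, expanding syslog's "last message repeated" lines, so it is visible which remote names the complaints concentrate on. The log lines are the ones from the post with the mail wrapping rejoined; grouping by the last two labels of the right-hand name is a simplification chosen for this example.

```python
import re
from collections import Counter

# Log lines copied from the first post, with mail-wrapped lines rejoined.
SAMPLE = """\
Jun 27 07:21:40 named[11645]: bad referral (. !< pebble.com)
Jun 27 07:21:40 DNS-server named[11645]: bad referral (169.218.in-addr.arpa !< 87.169.218.in-addr.arpa)
Jun 27 07:21:40 DNS-server last message repeated 1 time
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (g.www.ms.akadns.net != toggle.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != toggle.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server last message repeated 5 times
Jun 27 07:21:51 DNS-server named[11645]: wrong ans. name (lb1.www.ms.akadns.net != g.www.ms.akadns.net)
Jun 27 07:21:51 DNS-server last message repeated 3 times
Jun 27 07:22:09 DNS-server named[11645]: bad referral (. !< sandgrabber.com)
"""

EVENT = re.compile(r"named\[\d+\]: (bad referral|wrong ans\. name) "
                   r"\((\S+) (?:!<|!=) (\S+)\)")
REPEAT = re.compile(r"last message repeated (\d+) times?")


def suffix(name, labels=2):
    """Crude grouping key (assumption of this example): last `labels` labels."""
    return ".".join(name.rstrip(".").split(".")[-labels:])


def tally(text):
    """Count complaints per (kind, name suffix), expanding syslog repeats."""
    counts, last = Counter(), None
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            last = (m.group(1), suffix(m.group(3)))
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            counts[last] += int(r.group(1))  # repeats belong to the previous line
        else:
            last = None  # unrelated line: a later "repeated" is not a named event
    return counts


if __name__ == "__main__":
    for (kind, name), n in tally(SAMPLE).most_common():
        print(f"{n:4d}  {kind:16s} {name}")
```
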



  3. Re: Named errors

    Everyone,
    Thanks for all your suggestions. I will have to eventually upgrade, but
    moving off Solaris 7 will have to wait as they are running some software
    no longer supported by Sun, but works great still.

    I had my Windows NT and 2000 servers turn off the forwarders. This
    cleaned up the problem right away. I am sure that there is a way to
    accept forwarding from these servers correct? Is there a setting in the
    named.conf file I need to fix or can someone point me to some docs to read?

    Gary D Lopez
    Unix Systems Administrator
    Catapult Communications
    160 S Whisman Rd
    Mountain View, CA 94041
    Ph (650) 314-1029
    Fax (650) 960-1029


    Barry Margolin wrote:
    > In article ,
    > Gregory Hicks wrote:
    >
    >>> Subject: RE: Named errors
    >>> Date: Wed, 28 Jun 2006 13:21:07 -0400
    >>> From: "Jeff Lightner"
    >>> To: , "Kevin Darcy"
    >>> Cc:
    >>>
    >>> Well now it IS broke ain't it?
    >>>
    >>> If you tell them the most likely cause is that you were hacked that in
    >>> tandem with the fact it is not working properly should get them to let
    >>> you upgrade.

    >> Actually, I'd put it more 'diplomatically' as in:
    >>
    >> "The Bind that we are using is WELL past its "use-by" date. I need to
    >> upgrade to a much later version. Although I cannot positively state
    >> that our name server has been hacked, everything I have now points to
    >> that.

    >
    > Where are you getting the idea that his log messages point to that?
    > "Bad referral" errors indicate problems on other servers, not problems
    > on your own. Akamai also pulls some funny games with DNS to implement
    > their global load balancing, and these often result in complaints from
    > DNS servers.
    >
    > So if you're suggesting that Jeff lie to his bosses to get them to let
    > him upgrade, at least be honest about it.
    >




  4. Re: Named errors

    In any case I say download the 9.3.2 source, compile, and use that
    instead. It takes about a couple of minutes. Run named-checkconf
    against your named.conf and correct any errors. There really is no
    reason not to be running the latest version of BIND9.

    On Jun 28, 2006, at 4:26 PM, Barry Margolin wrote:

    > In article ,
    > Gregory Hicks wrote:
    >
    >>> Subject: RE: Named errors
    >>> Date: Wed, 28 Jun 2006 13:21:07 -0400
    >>> From: "Jeff Lightner"
    >>> To: , "Kevin Darcy"
    >>> Cc:
    >>>
    >>> Well now it IS broke ain't it?
    >>>
    >>> If you tell them the most likely cause is that you were hacked that in
    >>> tandem with the fact it is not working properly should get them to let
    >>> you upgrade.

    >>
    >> Actually, I'd put it more 'diplomatically' as in:
    >>
    >> "The Bind that we are using is WELL past its "use-by" date. I need to
    >> upgrade to a much later version. Although I cannot positively state
    >> that our name server has been hacked, everything I have now points to
    >> that.

    >
    > Where are you getting the idea that his log messages point to that?
    > "Bad referral" errors indicate problems on other servers, not problems
    > on your own. Akamai also pulls some funny games with DNS to implement
    > their global load balancing, and these often result in complaints from
    > DNS servers.
    >
    > So if you're suggesting that Jeff lie to his bosses to get them to let
    > him upgrade, at least be honest about it.
    >
    > --
    > Barry Margolin, barmar@alum.mit.edu
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***
    >
    >


    David Miller
    Desktop Support
    millerdc@fusion.gat.com



