new Bind exploit?

Jeff Macdonald jeff.macdonald at virtualbuilder.com
Wed Oct 1 10:12:08 EDT 2003


On Tue, 2003-09-30 at 18:29, bscott at ntisys.com wrote:
> On Tue, 30 Sep 2003, at 5:41pm, jeff.macdonald at virtualbuilder.com wrote:
> > Today my logwatch sent me a message with hundreds of lines like these:
> > 
> >    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.154.251#53: 1 Time(s)
> >    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.162.251#53: 1 Time(s)
> >    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.180.251#53: 1 Time(s)
> >    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 207.132.116.60#53: 1 Time(s)
> 
>   A "lame delegation" occurs when a DNS zone is delegated to a nameserver
> that does not respond properly when queried about the supposed-delegated
> name. If BIND encounters a lame delegation when running a query, it reports
> the nameserver it asked as a "lame server".  (That error is a little
> misleading, as it is often the delegation itself, not the server, which is
> incorrect.)  The IP addresses near the end of each line indicate the
> nameserver being queried.

Ok, so these are not queries directed to my server because my server was
listed as a name server for those domains but these are queries
generated by some process on my system asking for domains that are lame.
This must be sendmail looking up DNS records when receiving mail (the
machine is my web/mail server). Is anyone else seeing entries like
these? I have several hundred more today (all with 0.0 for the 2nd and
3rd octets).
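
Added example, not part of the original message: a small Python summarizer for logwatch "lame server" lines in the format quoted above. It reverses each in-addr.arpa name back into the IPv4 address this host was trying to reverse-resolve and groups the servers BIND reported as lame by zone. The function names and all sample lines after the first two are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# First two lines are copied from the post; the rest are constructed for the example.
SAMPLE = """\
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.154.251#53: 1 Time(s)
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.162.251#53: 1 Time(s)
   lame server resolving '7.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 192.0.2.53#53: 3 Time(s)
   lame server resolving 'mail.example.com' (in 'example.com'?): 192.0.2.10#53: 2 Time(s)
   client 192.0.2.77#1042: some unrelated line that must be ignored
"""

LAME_RE = re.compile(
    r"lame server resolving '([^']+)' \(in '([^']+)'\?\): "
    r"([0-9A-Fa-f.:]+)#\d+: (\d+) Time\(s\)"
)

def ptr_to_ip(name):
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d'; None if not a full IPv4 PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None

def summarize(text):
    """Return (lookups, lame): names/addresses this host resolved, and lame servers per zone."""
    lookups = Counter()
    lame = defaultdict(set)
    for line in text.splitlines():
        m = LAME_RE.search(line)
        if not m:
            continue  # not a lame-server report
        name, zone, server, times = m.groups()
        # Key on the client address for reverse lookups, on the name otherwise.
        lookups[ptr_to_ip(name) or name] += int(times)
        lame[zone].add(server)
    return lookups, lame

if __name__ == "__main__":
    lookups, lame = summarize(SAMPLE)
    for target, n in lookups.most_common():
        print(f"{n:4d}  {target}")
    for zone, servers in sorted(lame.items()):
        print(f"{zone}: {', '.join(sorted(servers))}")
```

The addresses in the first column of the output can then be matched against the mail and web server logs to see which local service triggered each reverse lookup.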





More information about the gnhlug-discuss mailing list