new Bind exploit?

bscott at ntisys.com
Tue Sep 30 18:29:32 EDT 2003


On Tue, 30 Sep 2003, at 5:41pm, jeff.macdonald at virtualbuilder.com wrote:
> Today my logwatch sent me a message with hundreds of lines like these:
> 
>    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.154.251#53: 1 Time(s)
>    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.162.251#53: 1 Time(s)
>    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.180.251#53: 1 Time(s)
>    lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 207.132.116.60#53: 1 Time(s)

  A "lame delegation" occurs when a DNS zone is delegated to a nameserver
that does not respond properly when queried about the supposed-delegated
name. If BIND encounters a lame delegation when running a query, it reports
the nameserver it asked as a "lame server".  (That error is a little
misleading, as it is often the delegation itself, not the server, which is
incorrect.)  The IP addresses near the end of each line indicate the
nameserver being queried.

  Now, in this case, those four IP addresses are the delegated nameservers
for <215.in-addr.arpa>, according to <a.root-servers.net> (the SOA for the
world).  So BIND is asking the right nameservers.  I just checked, and all
of those nameservers are returning SERVFAIL for queries about that zone
at this time.  So, yes, they are indeed lame.

  Other reverse lookups do appear to be working, so I would say just that
zone is offline, for some reason.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
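
A triage aid for reports like the one quoted above, added here as an example and not part of the original message: it groups logwatch "lame server" lines by zone, so hundreds of lines collapse to the zones and nameservers involved. The regular expression assumes the line format quoted in the post; the function name, the `example.test` line and the unrelated line are constructed.

```python
import re
from collections import defaultdict

# Line format as quoted in the post (BIND "lame server" messages, summarized by logwatch).
LAME_RE = re.compile(
    r"lame server resolving '(?P<qname>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?:: (?P<count>\d+) Time\(s\))?"
)

def summarize_lame(lines):
    """Return {zone: {"servers": {ip: hits}, "names": [queried names]}}."""
    zones = defaultdict(lambda: {"servers": defaultdict(int), "names": set()})
    for line in lines:
        m = LAME_RE.search(line)
        if m is None:
            continue  # not a lame-server report
        entry = zones[m["zone"].lower().rstrip(".")]
        # logwatch appends "N Time(s)"; a line without a count is treated as 1.
        entry["servers"][m["server"]] += int(m["count"] or 1)
        entry["names"].add(m["qname"].lower().rstrip("."))
    return {
        zone: {"servers": dict(e["servers"]), "names": sorted(e["names"])}
        for zone, e in zones.items()
    }

# First four lines are from the post; the last two are constructed for the example.
SAMPLE = """\
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.154.251#53: 1 Time(s)
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.162.251#53: 1 Time(s)
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 199.252.180.251#53: 1 Time(s)
   lame server resolving '100.0.0.215.in-addr.arpa' (in '215.in-addr.arpa'?): 207.132.116.60#53: 1 Time(s)
   lame server resolving 'www.example.test' (in 'example.test'?): 192.0.2.53#53: 3 Time(s)
   some unrelated logwatch line
"""

if __name__ == "__main__":
    for zone, info in sorted(summarize_lame(SAMPLE.splitlines()).items()):
        hits = sum(info["servers"].values())
        print(f"{zone}: {hits} report(s), {len(info['names'])} name(s)")
        for server, count in sorted(info["servers"].items()):
            print(f"  {server}  x{count}")
```

The per-zone server list it prints can then be compared with the nameservers the parent zone delegates to, which is the check described in the message.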
