On Thu, 18 Apr 2002, Paul Vixie wrote: [snip]
what these files are is a whole lot of lines that look like (broken by me):
18-Apr-2002 16:16:05.491 security: notice: \ denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
by "a whole lot" i mean we've logged 3.3M of these in the last four hours.
so who are these people and why are they sending dynamic updates for rfc1918 address space PTR's? second answer first: it's probably Windows' fault. after a successful DHCP transaction, the corresponding A RR and PTR RR have to be updated. if rfc1918 is in use, dns transactions about these PTR's ought to be caught and directed toward some local server, who can do something useful with them. this local capture often does not occur, and so these dns transactions end up coming to us. [snip]
Does anyone already have a SNORT signature to match on these updates to aid in tracking down which hosts behind a NAT are guilty of generating this garbage?