On Tue, 15 Jan 2002, Sean Donelan wrote:
On Tue, 15 Jan 2002, Tim Devries wrote:
Ok, well this is good to know. Although it still doesn't explain why my firewall is reporting DNS UDP/TCP probes from windowupdate.com on a regular basis.
A couple of possibilities
- DNS cache poisoning sending spoofed answers to your DNS server (are you running a current version of BIND or an alternative?)
- DDOS attack on windowsupdate.com using spoofed source packets (DNS and HTTP packets can tunnel through most firewall configurations)
Here are examples of the bogus queries I've been seeing. Since this is a non-Windows machine, it has no reason to query windowsupdate.com for any purpose.

Jan 14 22:08:47 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 22:08:47 clifden last message repeated 2 times
Jan 14 23:12:12 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 23:14:05 clifden last message repeated 5 times
Jan 15 00:24:56 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 00:24:56 clifden last message repeated 2 times
Jan 15 01:32:20 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 01:36:13 clifden last message repeated 8 times
Jan 15 01:38:19 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 15 01:38:19 clifden last message repeated 2 times
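
An added example, not part of the original message: a small Python parser that tallies BIND "denied query" notices like the ones quoted above, folding in syslog's "last message repeated N times" lines, and maps the in-addr.arpa name back to the address being asked about. The function names are illustrative, and the sample lines are copied from the message.

```python
import re
from collections import Counter

# First four log lines copied from the message above.
SAMPLE = """\
Jan 14 22:08:47 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 22:08:47 clifden last message repeated 2 times
Jan 14 23:12:12 clifden named[14504]: [ID 295310 daemon.notice] denied query from [207.68.131.17].1029 for "180.53.34.199.in-addr.arpa" PTR/IN
Jan 14 23:14:05 clifden last message repeated 5 times
""".splitlines()

TS = r'^\w{3} +\d+ [\d:]{8} \S+ '
DENIED = re.compile(
    TS + r'named\[\d+\]: .*?denied query from \[(?P<src>[^\]]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]+)" (?P<qtype>\w+)/(?P<qclass>\w+)')
REPEAT = re.compile(TS + r'last message repeated (?P<n>\d+) times?')


def ptr_target(qname):
    """Return the IPv4 address an in-addr.arpa name asks about, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def summarize_denied(lines):
    """Count denied queries per (source, port, qname, qtype).

    A syslog "last message repeated N times" line adds N to the entry
    logged immediately before it; any unrelated line breaks that link.
    """
    counts = Counter()
    prev = None  # key of the most recent denied-query line, if still current
    for line in lines:
        m = DENIED.match(line)
        if m:
            prev = (m["src"], int(m["port"]), m["qname"], m["qtype"])
            counts[prev] += 1
            continue
        r = REPEAT.match(line)
        if r and prev is not None:
            counts[prev] += int(r["n"])
        elif not r:
            prev = None
    return counts


if __name__ == "__main__":
    for (src, port, qname, qtype), n in summarize_denied(SAMPLE).most_common():
        print(f"{n:4d}  {src}:{port}  {qtype} {qname}  (about {ptr_target(qname)})")
```
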