tlug Mailing List Archive
Re: [tlug] DNS zone transfer
- Date: Thu, 30 Jan 2003 13:13:54 +0000
- From: Tim Hurman <kano-tlug@example.com>
- Subject: Re: [tlug] DNS zone transfer
- References: <20030130122944.2ed55670.9915104t@example.com>
- User-agent: Mutt/1.4i
On Thu, Jan 30, 2003 at 12:29:44PM +0900, Botond Botyanszki wrote:
> I'm getting the following logs from snort every 5 minutes. This all started
> about 3 days ago.
>
> Jan 30 11:44:02 mick snort: [1:255:2] DNS zone transfer [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP} x.x.x.x:2310 -> y.y.y.y:53
> Jan 30 11:48:59 mick snort: [1:255:2] DNS zone transfer [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP} x.x.x.x:2313 -> y.y.y.y:53
>
> Both the target and source have NS services running. I don't see why the above
> should be considered bad or harmful.
> Could someone enlighten me before I disable this snort rule?
>

Have you looked who the address belongs to? I noticed some dubious zone transfers (i.e. not my DNS slaves) and did a little digging to find it was actually RIPE. RIPE collect zone files to see how many entities there are in the addresses that it manages. Is someone doing the same thing to you?

Of course it could also be one of the companies that collect zone info and try to figure out where hosts are physically located on the planet (which you probably want to stop).

Tim.

--
"ergo it is easier to drag sheep downhill" - Applied Ergonomics Magasine
Tim Hurman - Email: kano at kano.org.uk - Phone: Yeah right.
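Added example, not part of the original message: one way to triage the alerts discussed in this thread is to group the SID 255 lines by source address and mark which sources are not your own secondaries, before deciding whether to disable the rule. The log lines, addresses, the allowlist and the function name below are constructed for illustration; the year is an assumption because syslog timestamps omit it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread
# (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jan 30 11:44:02 mick snort: [1:255:2] DNS zone transfer [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:2310 -> 198.51.100.53:53
Jan 30 11:45:10 mick sshd[812]: Accepted publickey for admin from 192.0.2.77 port 40022 ssh2
Jan 30 11:48:59 mick snort: [1:255:2] DNS zone transfer [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:2313 -> 198.51.100.53:53
Jan 30 11:50:00 mick snort: [1:255:2] DNS zone transfer [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.5:40112 -> 198.51.100.53:53
Jan 30 11:54:01 mick snort: [1:255:2] DNS zone transfer [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:2316 -> 198.51.100.53:53
"""

# Matches only the "DNS zone transfer" alert (generator 1, SID 255, any revision).
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort(?:\[\d+\])?: \[1:255:\d+\] .*?"
    r"\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):53\s*$"
)


def zone_transfer_sources(log_text, secondaries, year=2003):
    """Summarise zone-transfer alerts per source and flag non-secondaries.

    secondaries: CIDR strings for the hosts allowed to transfer the zone.
    year: assumed year, since syslog lines do not carry one.
    """
    allowed = [ipaddress.ip_network(n) for n in secondaries]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["src"]].append(ts)
    report = {}
    for src, times in seen.items():
        times.sort()
        addr = ipaddress.ip_address(src)
        report[src] = {
            "count": len(times),
            "expected": any(addr in net for net in allowed),
            # Seconds between consecutive attempts; a steady value suggests a scheduled job.
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report


if __name__ == "__main__":
    for src, info in zone_transfer_sources(SAMPLE_LOG, ["203.0.113.5/32"]).items():
        print(src, info)
```

Sources reported with `expected` set to false are the ones to look up in whois, as the message suggests.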