[Sussex] DNS Hack attack?

John Crowhurst fyremoon at fyremoon.net
Mon Nov 11 21:00:01 UTC 2002


> All,
>
> Anyone know what the following mean? I've been mailed it by a friend who
> doesn't understand his DNS logs.  Neither do I! :o)

Firstly, a dangling CNAME is when a DNS record is missing the A record; an
example would be:

www IN A 1.2.3.4
www2 IN CNAME www
www3 IN CNAME www4

www3 is a dangling CNAME in this case, as there is no A (address) record
for www4.

A CNAME (Canonical Name) is similar to an alias, where it points to an A
record.

This can occur in the case of "split DNS", where there are two different
versions of the DNS around the internet, and a lookup is pulling down the
broken setup.

The DNS restarts seem to be worrying though, as if it's attempting to spawn
when there is already a copy of bind running, and bound to the port.

Perhaps upgrading the version of bind to be on the safe side would be a
wise move anyway, and perhaps check the system for any possible rootkit.

If it's an RPM based distribution, you can query the integrity of the files
by issuing:

# rpm -Va    # -V verifies installed files against the RPM database; -q only lists packages

Download a copy of chkrootkit too, and give it a quick once over. It may
be me being overly paranoid, but you will be able to sleep better tonight.

-- 
John
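As an added example (not part of John's post or of any project's code): a small Python check that parses a zone fragment in the simplified "name IN TYPE rdata" form used above and reports which CNAMEs are dangling, following CNAME chains and flagging loops. The zone data is constructed for the example.

```python
"""Find dangling CNAMEs in a zone fragment (added example, not from the post)."""

# Constructed zone fragment echoing the post's example, plus a chain and a loop.
ZONE = """
www   IN A     1.2.3.4
www2  IN CNAME www
www3  IN CNAME www4
www5  IN CNAME www2
loop1 IN CNAME loop2
loop2 IN CNAME loop1
"""


def parse_zone(text):
    """Return ({name: address}, {alias: target}) from 'name IN TYPE rdata' lines.

    Only the simplified four-field form from the post is handled (assumption);
    TTLs, comments and other record types are ignored.
    """
    addresses, cnames = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != "IN":
            continue
        name, _, rtype, rdata = fields
        if rtype == "A":
            addresses[name] = rdata
        elif rtype == "CNAME":
            cnames[name] = rdata
    return addresses, cnames


def check_cnames(addresses, cnames):
    """Classify each CNAME as 'ok', 'dangling' or 'loop' by following its chain."""
    results = {}
    for alias, target in cnames.items():
        seen = set()
        while True:
            if target in addresses:        # chain ends at an A record
                results[alias] = "ok"
                break
            if target not in cnames:       # chain ends at nothing: dangling
                results[alias] = "dangling"
                break
            if target in seen:             # chain revisits a name: loop
                results[alias] = "loop"
                break
            seen.add(target)
            target = cnames[target]
    return results


if __name__ == "__main__":
    for alias, status in sorted(check_cnames(*parse_zone(ZONE)).items()):
        print(f"{alias}: {status}")
```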