[Sussex] DNS Hack attack?
John Crowhurst
fyremoon at fyremoon.net
Mon Nov 11 21:00:01 UTC 2002
> All,
>
> Anyone know what the following mean? I've been mailed it by a friend who
> doesn't understand his DNS logs. Neither do I! :o)
Firstly, a dangling CNAME is when a DNS record is missing the A record; an
example would be:
www IN A 1.2.3.4
www2 IN CNAME www
www3 IN CNAME www4
www3 is a dangling CNAME in this case, as there is no A (address) record
for www4.
A CNAME (Canonical Name) is similar to an alias, where it points to an A
record.
This can occur in the case of "split DNS", where there are two different
versions of the DNS around the internet, and a lookup is pulling down the
broken setup.
The DNS restarts seem to be worrying though, as if it's attempting to spawn
when there is already a copy of bind running and bound to the port.
Perhaps upgrading the version of bind to be on the safe side would be a
wise move anyway, and perhaps check the system for any possible rootkit.
If it's an RPM-based distribution, you can query the integrity of the files
by issuing:
# rpm -Va
Download a copy of chkrootkit too, and give it a quick once over. It may
be me being overly paranoid, but you will be able to sleep better tonight.
--
John
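As an added example (not part of John's post), here is a small checker, in Python, for the dangling-CNAME case described above. It parses a constructed zone fragment written in the same `name IN TYPE rdata` style as the records in the post, follows each CNAME chain, and reports any chain that ends at a name with no address record (dangling) or that cycles (loop). The sample zone, the simplified one-record-per-line syntax with no $ORIGIN/$TTL directives, and the function names are assumptions made for illustration.

```python
"""Find dangling CNAMEs in a BIND-style zone fragment.

Added example, not code from the original mailing-list post. It assumes a
simplified zone syntax: one record per line, relative owner names,
"name [ttl] IN TYPE rdata", optional ';' comments, no directives.
"""
from collections import defaultdict

# Constructed sample zone (not from the post): www3 -> www4 has no A record,
# and www5 <-> www6 form a CNAME loop.
SAMPLE_ZONE = """\
www  IN A     1.2.3.4      ; the only address record
www2 IN CNAME www          ; fine: resolves to www's A record
www3 IN CNAME www4         ; dangling: no record for www4 at all
www5 IN CNAME www6         ; loop
www6 IN CNAME www5         ; loop
"""


def parse_zone(text):
    """Return {owner: [(rrtype, rdata), ...]} from simple zone lines."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        if not line:
            continue
        parts = line.split()
        # "name IN TYPE rdata" or "name TTL IN TYPE rdata"
        if len(parts) >= 4 and parts[1].upper() == "IN":
            name, rrtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        elif len(parts) >= 5 and parts[2].upper() == "IN":
            name, rrtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        else:
            raise ValueError(f"unparsed zone line: {raw!r}")
        owner = name.rstrip(".").lower()
        records[owner].append((rrtype.upper(), rdata.rstrip(".").lower()))
    return records


def resolve_cname(records, name, max_hops=8):
    """Follow CNAMEs starting at `name`.

    Returns ('ok', target) when the chain reaches a name holding an A/AAAA
    record, ('dangling', target) when it ends at a name with no records at
    all (the case described in the post), or ('loop', target) when the chain
    revisits a name or exceeds max_hops.
    """
    seen = []
    current = name
    for _hop in range(max_hops):
        rrs = records.get(current, [])
        if any(rtype in ("A", "AAAA") for rtype, _rdata in rrs):
            return ("ok", current)
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return ("dangling", current)
        if current in seen:
            return ("loop", current)
        seen.append(current)
        current = cnames[0]
    return ("loop", current)


def find_dangling(zone_text):
    """Return {cname_owner: (status, final_name)} for every CNAME owner whose
    chain does not end at an address record."""
    records = parse_zone(zone_text)
    problems = {}
    for owner, rrs in records.items():
        if any(rtype == "CNAME" for rtype, _rdata in rrs):
            status, target = resolve_cname(records, owner)
            if status != "ok":
                problems[owner] = (status, target)
    return problems


if __name__ == "__main__":
    for owner, (status, target) in sorted(find_dangling(SAMPLE_ZONE).items()):
        print(f"{owner}: {status} (chain ends at {target})")
```

Run against the sample zone it flags www3 as dangling (the chain stops at www4, which has no record) and www5/www6 as a loop, while www2 is left alone because it reaches the A record for www. Real zone files also carry $ORIGIN, $TTL, multi-line records and CNAMEs pointing outside the zone; those would need a proper zone parser and an external lookup, which this checker deliberately does not attempt.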