[cobalt-users] BIND? ERR/TO getting serial#



Hi guys!
I've got a friend on the list here who's having a problem, and I wanted to
post the question to the list in case this highlights a hole in his machine.
Don't want the script kiddies going nutso on him.

He's getting this error in his logs:
Feb 25 00:39:57 www named[660]: Err/TO getting serial# for
"ns2.somedomain.com"
Feb 25 00:39:57 www named[660]: Err/TO getting serial# for
"ns1.somedomain.com"
Feb 25 00:39:57 www named-xfer[18177]: wrong answer in resp from
[xxx.xxx.xxx.x1], zone ns2.somedomain.com: [somedomain.com IN SOA]
Feb 25 00:39:57 www named-xfer[18178]: wrong answer in resp from
[xxx.xxx.xxx.x0], zone ns1.somedomain.com: [somedomain.com IN SOA]

Where 'somedomain.com' is his domain and his IP on the 3rd and 4th lines
have been hidden (obviously) for the list.

Right off the bat I asked him if he'd done any changes to his DNS lately.
(Like 4webspace has all of their clients switching to their DNS.)
Going through the archives I found this post:
http://list.cobalt.com/pipermail/cobalt-users/2000-March/006471.html

So then looking in one of my own domain records in /etc/named I see:
Do Not edit BIND db files directly.
; Use the administrative web user interface
; /admin/ -> Control Panel -> DNS Parameters

Which again makes me think it's a problem with DNS, but more specifically,
with BIND.
I asked if he'd updated his BIND lately, haven't had time to get a response
yet.
If he hasn't, could this be a clue that someone's been poking around with
the BIND exploit?
If he has, is this indicative that the Cobalt update package has a bug in it
somewhere or didn't install properly?

I told him to check the SOA records for ns1 and ns2 and compare them to
everything else on the machine; gave him an example of one of my domains'
records and some general stuff on how my SOA looks. But past that I can't
help him.

Anyone have any clues about this weird log message?

CarrieB
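
Added example, not part of the original post and not Cobalt or BIND code: a small Python triage of the log excerpt quoted above. It re-joins the mail-wrapped syslog lines and reports, per zone, which name the rejected SOA answer carried compared with the zone named asked about. The function names are hypothetical, and reading the bracketed triple as owner, class and type of the returned record is an assumption.

```python
import re

# Constructed sample: the named / named-xfer lines quoted in the post, mail-wrapped.
SAMPLE = '''Feb 25 00:39:57 www named[660]: Err/TO getting serial# for
"ns2.somedomain.com"
Feb 25 00:39:57 www named[660]: Err/TO getting serial# for
"ns1.somedomain.com"
Feb 25 00:39:57 www named-xfer[18177]: wrong answer in resp from
[xxx.xxx.xxx.x1], zone ns2.somedomain.com: [somedomain.com IN SOA]
Feb 25 00:39:57 www named-xfer[18178]: wrong answer in resp from
[xxx.xxx.xxx.x0], zone ns1.somedomain.com: [somedomain.com IN SOA]
'''

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
SERIAL_ERR = re.compile(r'named\[\d+\]: Err/TO getting serial# for "([^"]+)"')
WRONG_ANS = re.compile(r"named-xfer\[\d+\]: wrong answer in resp from \[([^\]]+)\], "
                       r"zone (\S+): \[(\S+) (\S+) (\S+)\]")

def unwrap(text):
    """Re-join continuation lines: any line that lacks a syslog timestamp."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def norm(name):
    """DNS names compare case-insensitively, ignoring a trailing dot."""
    return name.rstrip(".").lower()

def triage(text):
    """Map each zone in the log to what named and named-xfer reported about it."""
    zones = {}
    for line in unwrap(text):
        if m := SERIAL_ERR.search(line):
            zones.setdefault(norm(m.group(1)), {"serial_error": False, "answers": []})["serial_error"] = True
        elif m := WRONG_ANS.search(line):
            server, zone, owner, rclass, rtype = m.groups()
            # Assumption: the bracketed triple is owner, class and type of the answer.
            entry = zones.setdefault(norm(zone), {"serial_error": False, "answers": []})
            entry["answers"].append({
                "server": server, "owner": norm(owner), "type": rtype,
                "matches_zone": norm(owner) == norm(zone),
                "owner_is_parent": norm(zone).endswith("." + norm(owner)),
            })
    return zones
```

On the sample, both ns1 and ns2 show an answer whose owner is the parent name somedomain.com rather than the zone name itself, which is the comparison to carry over to the SOA records and the zone list on the machine.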