DNS scans by IANA

Anyone have any idea why a host from IANA would be scanning DNS servers?

;; AUTHORITY SECTION:
4.32.198.in-addr.arpa. 10551 IN SOA dot.ip4.int. hostmaster.ip4.int. 1928630 10800 900 604800 86400

10/03-01:29:45.947001 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:33581 -> 63.105.37.21:53
10/03-01:29:46.257443 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:39050 -> 63.105.37.21:53
10/03-01:29:46.544719 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:33623 -> 63.105.37.20:53
10/03-01:29:47.067072 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:39057 -> 63.105.37.20:53
10/03-01:57:47.356984 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:56229 -> 63.105.37.20:53
10/03-01:57:47.762762 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:46196 -> 63.105.37.20:53
10/03-02:01:02.332948 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:36697 -> 63.105.37.20:53
10/03-02:01:02.739583 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:47061 -> 63.105.37.20:53
10/03-02:01:59.042381 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:39008 -> 63.105.37.20:53
10/03-02:01:59.455718 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:47296 -> 63.105.37.20:53
10/03-02:05:01.297316 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:46251 -> 63.105.37.20:53
10/03-02:05:01.710271 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:48067 -> 63.105.37.20:53
10/03-02:05:28.770286 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:47507 -> 63.105.37.20:53
10/03-02:05:29.326121 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:48191 -> 63.105.37.20:53
10/03-02:05:44.704398 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:48082 -> 63.105.37.20:53
10/03-02:05:45.755863 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:48244 -> 63.105.37.20:53
10/03-02:10:20.499887 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:57711 -> 63.105.37.20:53
10/03-02:10:20.906450 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:49232 -> 63.105.37.20:53

Yes, and it has been going on for years and years and ..

  See link:

http://www.isi.edu/~bmanning/in-addr-audit.html

current link is: http://www.ep.net/in-addr-audit.html

--bill
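
Added example (not part of the original thread): a small triage script that parses Snort fast-alert lines like the ones posted and counts, per source/destination pair, how often a version probe (SID 1616) is followed within two seconds by a TCP zone-transfer attempt (SID 255), the pattern the audit host produces here. The first four sample lines are from the post; the last line, the two-second window and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SID_VERSION, SID_AXFR = 1616, 255  # Snort SIDs shown in the posted alerts

# Fast-alert layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\**\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\**\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

SAMPLE = """\
10/03-01:29:45.947001 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:33581 -> 63.105.37.21:53
10/03-01:29:46.257443 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:39050 -> 63.105.37.21:53
10/03-01:29:46.544719 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.32.4.13:33623 -> 63.105.37.20:53
10/03-01:29:47.067072 [**] [1:255:8] DNS zone transfer TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.32.4.13:39057 -> 63.105.37.20:53
10/03-03:00:00.000001 [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.55:40000 -> 63.105.37.20:53
""".splitlines()  # last line is constructed: a lone version probe with no AXFR

def parse(lines):
    """Return (timestamp, sid, src, dst) tuples; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = ALERT.match(line.strip())
        if m:
            # Fast alerts carry no year; strptime defaults it, which is fine for deltas.
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
            alerts.append((ts, int(m["sid"]), m["src"], m["dst"]))
    return alerts

def probe_pairs(alerts, window=timedelta(seconds=2)):
    """Count version-probe -> AXFR sequences per (src, dst) inside the window."""
    pending, pairs = {}, defaultdict(int)
    for ts, sid, src, dst in sorted(alerts):
        key = (src, dst)
        if sid == SID_VERSION:
            pending[key] = ts          # remember the most recent probe
        elif sid == SID_AXFR and key in pending:
            if ts - pending.pop(key) <= window:
                pairs[key] += 1        # probe and transfer attempt belong together
    return dict(pairs)

if __name__ == "__main__":
    for (src, dst), n in probe_pairs(parse(SAMPLE)).items():
        print(f"{src} -> {dst}: {n} version+AXFR sequence(s)")
```

Sources that only ever show up in paired sequences against your authoritative servers can then be checked against the reverse-zone SOA, as was done in the original post.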

Hello Andrew,

This is not being done by the IANA or from an IANA machine.

This is something being carried out by epnet, I believe.

John Crain

Friday, October 03, 2003

Anyone have any idea why a host from IANA would be scanning DNS servers?

;; AUTHORITY SECTION:
4.32.198.in-addr.arpa. 10551 IN SOA dot.ip4.int.
hostmaster.ip4.int. 1928630 10800 900 604800 86400
