[Dshield] re: MSFT.NET zone transfer requests

Boris Sverdlik bsverdlik at nyc.rr.com
Fri Jul 27 11:35:26 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI...
Just thought I should pass this your way.

I don't know how critical this is, but I was looking through the logs and
it looks like the Microsoft.net NET-IP [207.46.0.0] block has been
attempting to do zone transfers since about mid-April at a somewhat disturbing rate.
Personally I don't care about the queries because we block zone transfers,
but has anybody else seen these types of queries in the last couple of months?

Regards,
Boris


[whois.arin.net]
[No name] (DNS625-HST)          DNS4.CP.MSFT.NET
207.46.138.11
[No name] (DNS639-HST)          DNS5.CP.MSFT.NET
207.46.138.12
[No name] (DNS1557-HST)         DNS1.CP.MSFT.NET
207.46.138.20
[No name] (DNS1570-HST)         DNS2.CP.MSFT.NET
207.46.138.21
Microsoft (NETBLK-MICROSOFT-GLOBAL-NET) MICROSOFT-GLOBAL-NET
                                                  207.46.0.0 -
207.46.255.255

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
   One Redmond Way
   Redmond, WA 98052
   US

   Netname: MICROSOFT-GLOBAL-NET
   Netblock: 207.46.0.0 - 207.46.255.255

   Coordinator:
      Microsoft  (ZM39-ARIN)  noc at microsoft.com
      425-936-4200

   Domain System inverse mapping provided by:

   DNS1.CP.MSFT.NET             207.46.138.20
   DNS2.CP.MSFT.NET             207.46.138.21
   DNS1.TK.MSFT.NET             207.46.232.37
   DNS1.DC.MSFT.NET             207.68.128.151
   DNS1.SJ.MSFT.NET             207.46.97.11

   Record last updated on 20-Jun-2001.
   Database last updated on 26-Jul-2001 23:14:51 EDT.

As you can see, the requests are also coming from hosts other than the DNS
servers listed above.

[silver]/ # nslookup
Default Server:  localhost
Address:  127.0.0.1

> 207.46.138.8
Server:  localhost
Address:  127.0.0.1

Name:    iuscgndnsfv301.two.microsoft.com
Address:  207.46.138.8

> 207.46.138.8
Server:  localhost
Address:  127.0.0.1

Name:    iuscgndnsfv301.two.microsoft.com
Address:  207.46.138.8

> 207.46.9.6
Server:  localhost
Address:  127.0.0.1          

The following are log entries from the last couple of days:

Jul 26 23:15:42 silver named[10135]: unapproved query from
[207.46.9.6].30478 for "."
Jul 26 23:34:19 silver named[10135]: unapproved query from
[207.46.138.9].60131 for "."
Jul 26 23:36:55 silver named[10135]: unapproved query from
[207.46.138.9].62296 for "."
Jul 26 23:39:33 silver named[10135]: unapproved query from
[207.46.138.9].1341 for "."
Jul 26 23:45:32 silver named[10135]: unapproved query from
[207.46.138.8].30149 for "."
Jul 27 00:16:36 silver named[10135]: unapproved query from
[207.46.9.6].35771 for "."
Jul 27 00:18:23 silver named[10135]: unapproved query from
[207.46.9.6].35923 for "."
Jul 27 00:25:44 silver named[10135]: unapproved query from
[207.46.9.6].36455 for "."
Jul 27 00:26:17 silver named[10135]: unapproved query from
[207.46.138.8].60589 for "."
Jul 27 00:27:54 silver named[10135]: unapproved query from
[207.46.138.8].61683 for "."
Jul 27 00:29:25 silver named[10135]: unapproved query from
[207.46.138.8].62832 for "."
Jul 27 00:30:08 silver named[10135]: unapproved query from
[207.46.138.9].58448 for "."
Jul 27 00:33:27 silver named[10135]: unapproved query from
[207.46.9.6].36976 for "."
Jul 27 00:34:48 silver named[10135]: unapproved query from
[207.46.138.8].3834 for "."
Jul 27 00:36:34 silver named[10135]: unapproved query from
[207.46.138.8].5105 for "."
Jul 27 00:37:12 silver named[10135]: unapproved query from
[207.46.138.9].62143 for "."
Jul 27 01:08:08 silver named[10135]: unapproved query from
[207.46.138.9].32821 for "."
Jul 27 01:11:06 silver named[10135]: unapproved query from
[207.46.138.9].35333 for "."
Jul 27 01:16:21 silver named[10135]: unapproved query from
[207.46.138.8].29642 for "."
Jul 27 01:20:52 silver named[10135]: unapproved query from
[207.46.138.9].40488 for "."
Jul 27 01:24:58 silver named[10135]: unapproved query from
[207.46.138.9].43184 for "."
Jul 27 01:32:02 silver named[10135]: unapproved query from
[207.46.9.6].41824 for "."
Jul 27 01:48:56 silver named[10135]: unapproved query from
[207.46.9.6].42958 for "."
Jul 27 02:05:08 silver named[10135]: unapproved query from
[207.46.138.9].18094 for "."
Jul 27 02:06:29 silver named[10135]: unapproved query from
[207.46.138.9].18989 for "."
Jul 27 02:08:29 silver named[10135]: unapproved query from
[207.46.138.9].20342 for "."
Jul 27 02:13:27 silver named[10135]: unapproved query from
[207.46.138.9].24562 for "."
Jul 27 02:21:50 silver named[10135]: unapproved query from
[207.46.138.8].9612 for "."
Jul 27 02:55:08 silver named[10135]: unapproved query from
[207.46.9.6].48071 for "."
Jul 27 03:02:02 silver named[10135]: unapproved query from
[207.46.9.6].48462 for "."
Jul 27 03:05:05 silver named[10135]: unapproved query from
[207.46.138.8].40917 for "."
Jul 27 03:05:42 silver named[10135]: unapproved query from
[207.46.9.6].48665 for "."
Jul 27 03:09:04 silver named[10135]: unapproved query from
[207.46.9.6].48863 for "."
Jul 27 03:09:39 silver named[10135]: unapproved query from
[207.46.138.9].23583 for "."
Jul 27 03:12:48 silver named[10135]: unapproved query from
[207.46.138.8].49579 for "."
Jul 27 03:13:16 silver named[10135]: unapproved query from
[207.46.9.6].49134 for "."
Jul 27 03:14:15 silver named[10135]: unapproved query from
[207.46.9.6].49183 for "."
Jul 27 03:54:42 silver named[10135]: unapproved query from
[207.46.138.9].61669 for "."
Jul 27 04:01:29 silver named[10135]: unapproved query from
[207.46.138.9].4278 for "."
Jul 27 04:06:30 silver named[10135]: unapproved query from
[207.46.138.8].23335 for "."
Jul 27 04:07:33 silver named[10135]: unapproved query from
[207.46.138.9].9415 for "."
Jul 27 04:10:37 silver named[10135]: unapproved query from
[207.46.138.8].26284 for "."
Jul 27 04:19:14 silver named[10135]: unapproved query from
[207.46.9.6].54078 for "."
Jul 27 04:23:03 silver named[10135]: unapproved query from
[207.46.9.6].54277 for "."
Jul 27 04:28:48 silver named[10135]: unapproved query from
[207.46.9.6].54620 for "."
Jul 27 04:33:22 silver named[10135]: unapproved query from
[207.46.144.10].46344 for "."
Jul 27 04:51:11 silver named[10135]: unapproved query from
[207.46.138.8].52908 for "."
Jul 27 05:21:18 silver named[10135]: unapproved query from
[207.46.144.10].47003 for "."
Jul 27 05:23:30 silver named[10135]: unapproved query from
[207.46.138.9].20257 for "."
Jul 27 05:33:46 silver named[10135]: unapproved query from
[207.46.138.9].30200 for "."
Jul 27 05:34:10 silver named[10135]: unapproved query from
[207.46.138.9].30764 for "."
Jul 27 05:35:23 silver named[10135]: unapproved query from
[207.46.138.8].18098 for "."
Jul 27 05:37:26 silver named[10135]: unapproved query from
[207.46.138.8].19444 for "."
Jul 27 05:43:08 silver named[10135]: unapproved query from
[207.46.138.8].24518 for "."
Jul 27 05:44:00 silver named[10135]: unapproved query from
[207.46.9.6].59991 for "."
Jul 27 05:51:16 silver named[10135]: unapproved query from
[207.46.9.6].60402 for "."



Boris Sverdlik
Technical Solutions Consultant
Information Security Practice
Sprint E-Solutions
Voice (917)687-5911
Pager (888)314-0613

"It's not a matter of if America has an electronic Pearl Harbour -- it's a
matter of when"
- --Curtis Weldon, Pentagon

Public Key is available at 
http://www.openpgp.net/pgpsrv.html
http://www.boris-sverdlik.com


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjthUgMACgkQuOem76BMz1wHNgCfZgLPh31LA/fj7Ji9UZ9He/0A
L4gAoJRNYP1M1I6HXlUtMn7tDOXiBady
=hOwR
-----END PGP SIGNATURE-----
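
Added example, not part of the original post: one way to tally the "unapproved query" entries above per source address and check each source against the netblock and the name servers shown in the whois output. The function and variable names are assumptions made for this sketch; the sample entries are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Netblock and name-server addresses copied from the whois output in the post.
NETBLOCK = ipaddress.ip_network("207.46.0.0/16")  # 207.46.0.0 - 207.46.255.255
LISTED_DNS = {"207.46.138.11", "207.46.138.12", "207.46.138.20", "207.46.138.21",
              "207.46.232.37", "207.68.128.151", "207.46.97.11"}

STAMP = r"\w{3}\s+\d+ \d\d:\d\d:\d\d"
ENTRY = re.compile(
    r"^(?P<ts>" + STAMP + r") (?P<host>\S+) named\[\d+\]: unapproved query "
    r'from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"$')

def unwrap(text):
    """Rejoin entries that the mail client wrapped onto a second line."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(STAMP, line) or not entries:
            entries.append(line)       # a timestamp starts a new entry
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(text):
    """Per source: denied-query count, netblock membership, whois-listed or not."""
    counts = Counter(m.group("src") for m in map(ENTRY.match, unwrap(text)) if m)
    return {src: {"count": n,
                  "in_netblock": ipaddress.ip_address(src) in NETBLOCK,
                  "listed_dns": src in LISTED_DNS}
            for src, n in counts.items()}

# Sample input: five entries copied from the post, wrapped as in the mail.
SAMPLE = """\
Jul 26 23:15:42 silver named[10135]: unapproved query from
[207.46.9.6].30478 for "."
Jul 26 23:34:19 silver named[10135]: unapproved query from
[207.46.138.9].60131 for "."
Jul 26 23:36:55 silver named[10135]: unapproved query from
[207.46.138.9].62296 for "."
Jul 27 04:33:22 silver named[10135]: unapproved query from
[207.46.144.10].46344 for "."
Jul 27 05:35:23 silver named[10135]: unapproved query from
[207.46.138.8].18098 for "."
"""

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, info)
```

Entries that do not match the pattern are skipped rather than counted, so comparing `len(unwrap(text))` with the sum of the counts shows how many lines were left unparsed.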



