
unapproved query <-- dns/named8 after power-failure



short version:
of all TM, which Fing one should i go R?

long version:
lost power for about two hours last night, and now i'm
getting some odd 'named' log entries...

even after finding
	man named.conf
i'm still in the dark (metaphorically, tho the power is back on :)...

[i've got debian 2.2/potato running as a router/ipmasq/firewall
box for my home intranet, with named 8.2.2-P5-NOESW]

	unapproved query from [207.63.39.40].1671 for "serensoft.com"
	unapproved query from [198.69.131.5].1648 for "serensoft.com"
	unapproved query from [205.177.10.10].1744 for "serensoft.com"
	unapproved query from [216.42.62.2].53 for "mail.serensoft.com"
	unapproved query from [165.251.48.52].32776 for "serensoft.com"
	unapproved query from [194.25.2.129].1122 for "serensoft.com"
	unapproved query from [212.185.251.33].33023 for "serensoft.com"
	unapproved query from [194.72.6.51].53 for "www.serensoft.com"
	unapproved query from [194.72.6.52].53 for "www.serensoft.com"
	unapproved query from [198.69.131.5].1648 for "serensoft.com"

the manpage for named.conf discusses a slew-and-a-half of logging
options, but my particular named.conf uses none (thus i conclude
it's only using the defaults).  i can guess it's a security-related
message, but surely it doesn't mean that it's not answering dns
queries...?

i've also seen named report these, which still baffle me:

	named[338]: bad referral (com !< extreme-dm.com)
	named[338]: bad referral (net !< above.NET)
	named[364]: bad referral (AOL.com !< mx.aol.com)

the gurus have important things to spend their time on
(like exploring strange new worlds) so i just wanna know:
where does a wet-behind-the-ears dns/named/bind newbie go
to find out what these mean?

--

i have similar befuddlement regarding some ipfwadm log messages,
too:

kernel: IP fw-in deny eth0 ICMP/10 172.132.36.37 224.0.0.2 L=28 S=0x00 I=44855 F=0x0000 T=128
kernel: IP fw-in deny eth0 ICMP/10 172.132.0.213 224.0.0.2 L=28 S=0x00 I=20792 F=0x0000 T=128
kernel: IP fw-in deny eth0 ICMP/10 172.132.0.213 224.0.0.2 L=28 S=0x00 I=21048 F=0x0000 T=128

huh? (these almost always match 172.*.*.* which is apparently aol)
is this important?  is someone trying to break in? is it some
automated dipstick that roams around checking up on servers?
how would i know?
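The two log formats quoted above are regular enough to parse, and the first thing a defender wants from them is a tally (which names are being refused, from which sources, how often) plus a tag on each dropped packet saying whether it was even addressed to the box. The script below is an added example, not code from the post or from Debian/BIND; its sample input is the exact lines quoted in the message, embedded as a constructed sample. It assumes the ipfwadm kernel log layout `IP fw-<chain> <verdict> <iface> <PROTO>[/type] <src>[:port] <dst>[:port] ...`, and the "source port 53 means another name server" rule is a labelled heuristic, not a verdict.

```python
"""Triage the named and ipfwadm log lines quoted in the post.

Added example, not part of the original message. It parses both message
formats, counts who is asking for what, and tags each dropped packet so a
reader can separate multicast chatter from unicast traffic aimed at the host.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample input: the lines quoted in the post, not a live log.
NAMED_LOG = """\
unapproved query from [207.63.39.40].1671 for "serensoft.com"
unapproved query from [198.69.131.5].1648 for "serensoft.com"
unapproved query from [205.177.10.10].1744 for "serensoft.com"
unapproved query from [216.42.62.2].53 for "mail.serensoft.com"
unapproved query from [194.72.6.51].53 for "www.serensoft.com"
unapproved query from [194.72.6.52].53 for "www.serensoft.com"
unapproved query from [198.69.131.5].1648 for "serensoft.com"
named[338]: bad referral (com !< extreme-dm.com)
named[364]: bad referral (AOL.com !< mx.aol.com)
"""

FW_LOG = """\
kernel: IP fw-in deny eth0 ICMP/10 172.132.36.37 224.0.0.2 L=28 S=0x00 I=44855 F=0x0000 T=128
kernel: IP fw-in deny eth0 ICMP/10 172.132.0.213 224.0.0.2 L=28 S=0x00 I=20792 F=0x0000 T=128
kernel: IP fw-in deny eth0 ICMP/10 172.132.0.213 224.0.0.2 L=28 S=0x00 I=21048 F=0x0000 T=128
"""

UNAPPROVED_RE = re.compile(
    r'unapproved query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]+)"')
REFERRAL_RE = re.compile(r'bad referral \((?P<zone>[^\s)]+) !< (?P<name>[^\s)]+)\)')
# Assumed ipfwadm layout: "IP fw-<chain> <verdict> <iface> <PROTO>[/type] <src>[:port] <dst>[:port] ..."
FW_RE = re.compile(
    r'IP fw-(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) '
    r'(?P<proto>[A-Z]+)(?:/(?P<icmp_type>\d+))? '
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?')

# ICMP type numbers from RFC 792 / RFC 1256.
ICMP_TYPE_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
                   9: "router-advertisement", 10: "router-solicitation", 11: "time-exceeded"}


def parse_named(text):
    """Turn named's lines into 'unapproved' and 'referral' records; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = UNAPPROVED_RE.search(line)
        if m:
            out.append({"kind": "unapproved", "ip": m["ip"], "port": int(m["port"]), "name": m["name"]})
            continue
        m = REFERRAL_RE.search(line)
        if m:
            out.append({"kind": "referral", "zone": m["zone"], "name": m["name"]})
    return out


def summarize_unapproved(records):
    """Who is being refused, for which names, and how often: the numbers to hold against allow-query."""
    unapproved = [r for r in records if r["kind"] == "unapproved"]
    by_source = Counter(r["ip"] for r in unapproved)
    return {
        "by_name": Counter(r["name"] for r in unapproved),
        "by_source": by_source,
        # Heuristic: BIND 8-era servers send their own queries from port 53, so a source port
        # of 53 usually means another name server rather than an end-user resolver.
        "from_port_53": sorted({r["ip"] for r in unapproved if r["port"] == 53}),
        "repeat_sources": sorted(ip for ip, n in by_source.items() if n > 1),
    }


def classify_fw(rec):
    """Tags a reader can filter on; none of them is an attack verdict on its own."""
    tags = []
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    if dst.is_multicast:
        tags.append("multicast-dst")       # 224.0.0.0/4: not a unicast probe of this host
    if dst == ip_address("224.0.0.2"):
        tags.append("all-routers-group")   # 224.0.0.2 is the all-routers multicast group
    if rec["proto"] == "ICMP" and rec["icmp_type"] is not None:
        tags.append("icmp-" + ICMP_TYPE_NAMES.get(rec["icmp_type"], f"type-{rec['icmp_type']}"))
    if src.is_private:
        tags.append("rfc1918-src")         # 172.132/16 is outside 172.16/12, so it is not tagged
    return tags


def parse_fw(text):
    """Parse ipfwadm kernel log lines and attach classification tags to each record."""
    out = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["icmp_type"] = int(rec["icmp_type"]) if rec["icmp_type"] else None
        rec["tags"] = classify_fw(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    summary = summarize_unapproved(parse_named(NAMED_LOG))
    print("refused by name:  ", dict(summary["by_name"]))
    print("refused by source:", dict(summary["by_source"]))
    print("port-53 sources:  ", summary["from_port_53"])
    for rec in parse_fw(FW_LOG):
        print(f"{rec['verdict']} {rec['proto']} {rec['src']} -> {rec['dst']}: {rec['tags']}")
```

Run it as-is to see the tallies; to use it on the real syslog, read the file and pass its text to `parse_named` and `parse_fw` in place of the constants. The firewall tags deliberately stay descriptive: a `deny` of an `icmp-router-solicitation` sent to the `all-routers-group` tells you the packet was never addressed to the box specifically, which is the fact needed to decide how much attention it deserves.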
