
Re: unapproved query <-- dns/named8 after power-failure



Will Trillich wrote:

> [I've got Debian 2.2/potato running as a router/ipmasq/firewall
> box for my home intranet, with named 8.2.2-P5-NOESW]
> 
>         unapproved query from [207.63.39.40].1671 for "serensoft.com"
>         unapproved query from [198.69.131.5].1648 for "serensoft.com"
>         unapproved query from [205.177.10.10].1744 for "serensoft.com"
>         unapproved query from [216.42.62.2].53 for "mail.serensoft.com"
>         unapproved query from [165.251.48.52].32776 for "serensoft.com"
>         unapproved query from [194.25.2.129].1122 for "serensoft.com"
>         unapproved query from [212.185.251.33].33023 for "serensoft.com"
>         unapproved query from [194.72.6.51].53 for "www.serensoft.com"
>         unapproved query from [194.72.6.52].53 for "www.serensoft.com"
>         unapproved query from [198.69.131.5].1648 for "serensoft.com"

Looks like you are restricting query access to your nameserver via
access control lists (defined in named.conf). Those entries look to me
like those IP addresses are trying to get the IPs for serensoft.com,
mail.serensoft.com and www.serensoft.com, but your nameserver is rejecting
them because they are not in the access control lists.


> The manpage for named.conf discusses a slew-and-a-half of logging
> options, but my particular named.conf uses none (thus I conclude
> it's only using the defaults).  I can guess it's a security-related
> message, but surely it doesn't mean that it's not answering DNS
> queries...?

It does mean you are not answering DNS queries, at least queries from
those IPs. It is a security feature, and must've gotten turned on, but
named wasn't restarted until your system came online after the outage.
Look in named.conf for something along the lines of 'allow-query', or
post your named.conf. I restrict zone transfers on my DNS(s) but I don't
restrict queries. BTW - I just tried to send this mail to your email
addy, and my mail server told me it cannot get an MX record for your
domain (same problem you're having), so I'll just send to the list; hope you
get it soon to fix :)


> I've also seen named report these, which still baffle me:
> 
>         named[338]: bad referral (com !< extreme-dm.com)
>         named[338]: bad referral (net !< above.NET)
>         named[364]: bad referral (AOL.com !< mx.aol.com)

I haven't seen that before; not sure what it is.

> The gurus have important things to spend their time on
> (like exploring strange new worlds), so I just wanna know:
> where does a wet-behind-the-ears dns/named/bind newbie go
> to find out what these mean?

I highly recommend the O'Reilly book "DNS & BIND". It's real good; a
lot of it is not very useful because it talks about maintaining BIND
over cost-sensitive links like satellite and stuff, but the first few
chapters are real good. It's where I learned how easy it is to set up a
chrooted BIND and run it as non-root :)


> 
> Huh? (These almost always match 172.*.*.*, which is apparently AOL.)
> Is this important?  Is someone trying to break in? Is it some
> automated dipstick that roams around checking up on servers?
> How would I know?

You have all ICMP blocked? Chances are the nameservers couldn't get a
response from your nameserver, so they tried to ping you to see if you're
alive (wild guess). Since it's only ICMP there's not much to be worried
about (if it is only ICMP...? That's all I saw from your posted log).

nate

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
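For readers landing here with the same "unapproved query" messages: the named.conf below is an added illustration, not the original poster's configuration and not part of nate's reply. It shows the BIND 8 shape of the problem nate describes (a global allow-query restricted to the LAN, which makes named answer REFUSED to every outside resolver, including the mail servers trying to find your MX) next to the split nate says he runs himself: queries for the zones you are authoritative for open to everyone, recursion limited to your own network, and zone transfers limited to your secondaries. The addresses (192.168.1.0/24 for the LAN, 198.51.100.5 for a secondary) are placeholders chosen for the example; substitute your own.

```conf
// --- WEAK: produces "unapproved query from [a.b.c.d].port for ..." for every
// --- outside resolver, so nobody on the Internet can resolve serensoft.com.
options {
    directory "/var/named";
    // Only the LAN (placeholder range) may ask this server anything at all.
    allow-query { 192.168.1.0/24; 127.0.0.1; };
};

zone "serensoft.com" {
    type master;
    file "db.serensoft.com";
    // inherits the options-level allow-query, so the public zone is unreachable
};

// --- CORRECTED: open queries for authoritative zones, restrict what matters.
// acl statements must come before the first place they are used.
acl "lan"         { 192.168.1.0/24; 127.0.0.1; };   // placeholder LAN range
acl "secondaries" { 198.51.100.5; };                // placeholder secondary NS

options {
    directory "/var/named";
    allow-query     { any; };          // the world must be able to look up your zones
    allow-recursion { lan; };          // but only your own hosts may use you as a resolver
    allow-transfer  { secondaries; };  // and only your secondaries may AXFR the zones
};

zone "serensoft.com" {
    type master;
    file "db.serensoft.com";
    allow-query    { any; };           // explicit, in case options is tightened later
    allow-transfer { secondaries; };
};
```

After editing, reload with `ndc reload` (BIND 8) rather than waiting for the next reboot to pick the change up, which is exactly how the original poster's restriction stayed dormant until the power failure. A quick check from outside your network (for example `dig @your.server.ip serensoft.com MX` from another host) should now return an answer instead of REFUSED, while `dig @your.server.ip serensoft.com AXFR` from a non-secondary should still be refused.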


