| Linode Forum https://forum.linode.com/ |
|
| DNS/BIND log question https://forum.linode.com/viewtopic.php?f=19&t=709 |
| Author: | shahim [ Sun Feb 22, 2004 5:50 pm ] |
| Post subject: | DNS/BIND log question |
Looking through my BIND log, I am seeing a lot of queries like this.

client: debug 3: client 166.111.8.29#53: UDP request
security: debug 3: client 166.111.8.29#53: request is not signed
client: debug 3: client 166.111.8.29#53: query
security: debug 3: client 166.111.8.29#53: query (cache) approved
client: debug 3: client 166.111.8.29#53: send
client: debug 3: client 166.111.8.29#53: sendto
client: debug 3: client 166.111.8.29#53: senddone
client: debug 3: client 166.111.8.29#53: next
client: debug 3: client 166.111.8.29#53: endrequest
client: debug 3: client @0x81a7a40: udprecv

My log file was growing so large from the thousands of requests from this IP and the other one which I got over a few hours. I ended up blocking the other IP because of that.

What does the query "(cache)" mean?
Why am I getting so many from these two hosts?
Is it a security problem and how can I stop it?

Thanks,
Shahim |
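A way to triage a log like the one in the post above: count the events per client address and list the clients with the most "query (cache) approved" lines. This is an added example, not part of the original thread; the function names, the threshold and the 192.0.2.10 client are assumptions, and the sample lines are constructed from the format shown in the post.

```python
import re
from collections import Counter, defaultdict

# Matches per-client debug lines in the format shown in the post, e.g.
#   "security: debug 3: client 166.111.8.29#53: query (cache) approved"
LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<event>.+?)\s*$"
)
CACHE_OK = "query (cache) approved"

def summarize(lines):
    """Return {client_ip: Counter(event -> count)} for lines that parse."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "client @0x81a7a40: udprecv" carries no address
        per_client[m.group("ip")][m.group("event")] += 1
    return per_client

def heavy_cache_users(per_client, threshold):
    """Clients with at least `threshold` approved cache queries, busiest first."""
    hits = [(ip, c[CACHE_OK]) for ip, c in per_client.items()]
    return sorted((h for h in hits if h[1] >= threshold),
                  key=lambda h: (-h[1], h[0]))

# Constructed sample: the request sequence from the post repeated 40 times,
# plus a made-up second client (192.0.2.10, a documentation address).
_SEQ = [
    "client: debug 3: client {ip}#53: UDP request",
    "security: debug 3: client {ip}#53: request is not signed",
    "client: debug 3: client {ip}#53: query",
    "security: debug 3: client {ip}#53: query (cache) approved",
    "client: debug 3: client {ip}#53: send",
    "client: debug 3: client {ip}#53: endrequest",
]
SAMPLE = ([s.format(ip="166.111.8.29") for s in _SEQ] * 40
          + [s.format(ip="192.0.2.10") for s in _SEQ] * 2
          + ["client: debug 3: client @0x81a7a40: udprecv"])

if __name__ == "__main__":
    for ip, count in heavy_cache_users(summarize(SAMPLE), threshold=10):
        print(f"{ip}: {count} approved cache queries")
```
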
|
| Author: | caker [ Mon Feb 23, 2004 12:44 am ] |
| Post subject: | Re: DNS/BIND log question |
shahim wrote: What does the query "(cache)" mean?
You're running a caching nameserver, right? Perhaps that is just an indicator that the answer came from your named's cache?

shahim wrote: Why am I getting so many from these two hosts?
No idea. Either those machines are misconfigured, or someone's doing it intentionally...

shahim wrote: Is it a security problem and how can I stop it?
I don't know if that is the fingerprint of any kind of attack (DoS, break-in, or otherwise). I'd say either turn off recursion, iptables them off, or lock them out in your named.conf...

-Chris |
|
| Author: | shahim [ Mon Feb 23, 2004 2:02 am ] |
| Post subject: | |
After going to the Linode IRC, and with the help I got, it turns out that someone has his domain pointing to my name server and I was getting the requests for that domain. I am trying to contact the registrar and the domain owner to fix that. I guess he had a caching server on my IPs before. |
|
| Author: | jstarks [ Mon Feb 23, 2004 4:21 am ] |
| Post subject: | |
Regardless of the problem, you'll probably want to split your nameservers from your DNS cache. See http://cr.yp.to/djbdns/separation.html for more info. |
|
| All times are UTC-04:00 |