Help with understanding lines from Named in syslog?

Posted on 2009-04-22
Last Modified: 2013-12-16
Ubuntu 9.4, Bind 9.4:
I'm asking for help to determine what these lines in my syslog file mean.

This IP address is unknown to me.  I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client isn't known.  I have several lines like this with different addresses.

A1. client 76.216.89.230#15102: update 'mydomain.org/IN' denied
=============================================================================
This IP address is known to me, it's our Checkpoint Linux firewall server.  I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client doesn't have the right permission.  I only have one line for this in syslog.

A2. client xxx.xx.xx.xxx#26731: update 'mydomain.org/IN' denied
=============================================================================
This showed up after I enabled the option:
query-source address * port 53;
Do I need to be concerned about this one, or is this a general information msg?

A3. /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
=============================================================================
I'm completely clueless on this one.  Both addresses are unknown.  What does this mean?

A4. Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 208.109.255.17#53: connection reset
Apr 22 10:36:12 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 216.69.185.17#53: connection reset
=============================================================================
What's going on here?  Why would postfix connect and disconnect so many times like this?

A5. Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: connect from localhost[127.0.0.1]
Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: disconnect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: connect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: disconnect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: connect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: disconnect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: connect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: disconnect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: connect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: disconnect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: connect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: disconnect from localhost[127.0.0.1]

Thanks
Question by:Westez
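As an added example (not part of the question or any of the answers): a small Python triage script that classifies the kinds of named lines quoted above, counting dynamic-update denials per client and zone, flagging the fixed query-source port as a configuration issue, and separating the dispatch TCP receive errors from everything else. The log lines are constructed from the messages in the question; 198.51.100.7 is a documentation address standing in for the masked firewall IP.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the messages quoted in the question
# (syslog prefixes added where the question omitted them; one postfix line
# is included to show that non-named lines fall through to "other").
SAMPLE_LOG = """\
Apr 22 10:30:01 myDNSsvr named[21370]: client 76.216.89.230#15102: update 'mydomain.org/IN' denied
Apr 22 10:31:07 myDNSsvr named[21370]: client 198.51.100.7#26731: update 'mydomain.org/IN' denied
Apr 22 10:31:09 myDNSsvr named[21370]: client 76.216.89.230#15111: update 'mydomain.org/IN' denied
Apr 22 10:35:00 myDNSsvr named[21370]: /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 208.109.255.17#53: connection reset
Apr 22 10:36:12 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 216.69.185.17#53: connection reset
Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: connect from localhost[127.0.0.1]
"""

# Patterns for the three named message types discussed in the thread.
UPDATE_DENIED = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
PORT_WARNING = re.compile(
    r"named\[\d+\]: (?P<file>\S+):(?P<line>\d+): using specific query-source port")
TCP_ERROR = re.compile(
    r"named\[\d+\]: dispatch \S+: shutting down due to TCP receive error: "
    r"(?P<peer>[\d.]+)#\d+: (?P<reason>.+)$")


def triage(log_text):
    """Bucket BIND syslog lines by what a defender should do about them."""
    report = {"update_denied": Counter(),   # (client ip, zone) -> count
              "config_warnings": [],        # settings to fix in named.conf
              "tcp_errors": Counter(),      # remote peer -> count
              "other": 0}                   # lines not from named
    for line in log_text.splitlines():
        if m := UPDATE_DENIED.search(line):
            # Denied updates are the policy working; count them per source.
            report["update_denied"][(m["ip"], m["zone"])] += 1
        elif m := PORT_WARNING.search(line):
            # A fixed query-source port disables port randomization.
            report["config_warnings"].append(
                f"{m['file']}:{m['line']}: fixed query-source port, remove it and restart named")
        elif m := TCP_ERROR.search(line):
            # Resets from remote resolvers are transport noise, not denials.
            report["tcp_errors"][m["peer"]] += 1
        else:
            report["other"] += 1
    return report


if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_LOG).items():
        print(bucket, value)
```

Feed it real syslog output (for example `journalctl -u bind9` or /var/log/syslog) instead of SAMPLE_LOG; repeated denials from one address to one zone are the lines worth reviewing against your allow-update policy.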
Accepted Solution

by: WizRd-Linux (earned 1500 total points)
ID: 24210248
A1. Because you don't have allow-update { 1.1.1.1; }; in your configuration, hence allowing updates to the reverse dns records, it spits out this error.  No big deal, it can be ignored.

A2.  See A1 with the addition of you can stop the updates with the checkpoint firewall if this isn't your external DNS server and only used internally.

A3. DNS poisoning attacks, comment out the line "query-source port 53;" in /etc/bind/named.conf.options or remove it and restart named/bind9.

A4. Postfix - Check out postqueue taking a guess you have mail sitting in a queue that needs to be delivered, you can either delete the email or you can change postfix's configuration to reject it instead of soft bouncing it.

Author Comment

by:Westez
ID: 24219275
A little more info for you.  This is our primary master DNS server, it's the master for 30 or so domains.

A1. Are you saying that I'm allowing updates to the reverse dns records?  And that by adding the zone clause allow-update 1.1.1.1 to the zone file for our domain I can stop these messages?

A2. This is our primary external DNS server.  
Regarding both A1 and A2, I don't want to allow any dynamic updates.  I would like to get rid of the lines/messages in my syslog file though.

A3.  Has been commented out.

A4. doesn't refer to the postfix, that's A5, but thanks for schooling me on this point.

Any thoughts on A4?  
Author Closing Comment

by:Westez
ID: 31573473
I've got this sorted out.