Westez
asked on
Help with understanding lines from Named in syslog?
Ubuntu 9.4, Bind 9.4:
I'm asking for help to determine what these lines in my syslog file mean.
This ip address is unknown to me. I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client isn't known. I have several lines like this with different addresses.
A1. client 76.216.89.230#15102: update 'mydomain.org/IN' denied
==========================
This ip address is known to me, it's our Checkpoint linux firewall server. I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client doesn't have the right permission. I only have one line for this in syslog.
A2. client xxx.xx.xx.xxx#26731: update 'mydomain.org/IN' denied
==========================
This showed up after I enabled the option:
query-source address * port 53;
Do I need to be concerned about this one, or is this a general information msg?
A3. /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
==========================
I'm completely clueless on this one. Both addresses are unknown. What does this mean?
A4. Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 208.109.255.17#53: connection reset
Apr 22 10:36:12 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 216.69.185.17#53: connection reset
==========================
What's going on here? Why would postfix connect and disconnect so many times like this?
A5. Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: connect from localhost[127.0.0.1]
Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: disconnect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: connect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: disconnect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: connect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: disconnect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: connect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: disconnect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: connect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: disconnect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: connect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: disconnect from localhost[127.0.0.1]
Thanks
ASKER
I've got this sorted out.
ASKER
A1. Are you saying that I'm allowing updates to the reverse dns records? And that by adding the zone clause allow-update 1.1.1.1 to the zone file for our domain I can stop these messages?
A2. This is our primary external DNS server.
Regarding both A1 and A2 I don't want to allow any dynamic updates. I would like to get rid of lines\messages in my syslog file though.
A3. Has been commented out.
A4. doesn't refer to the postfix, that's A5, but thanks for schooling me on this point.
Any thoughts on A4?
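The named messages quoted in this thread can be grouped by kind and by source address with a short script. This is an added example, not part of the original thread; the log lines are constructed in the format shown above and use documentation IP addresses, and the category names (`update_denied`, `fixed_query_port`, `tcp_reset`) are labels chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post; the IPs are
# documentation addresses (RFC 5737), not the ones from the thread.
SAMPLE = """\
Apr 22 10:30:01 myDNSsvr named[21370]: client 192.0.2.10#15102: update 'mydomain.org/IN' denied
Apr 22 10:31:07 myDNSsvr named[21370]: client 192.0.2.10#15990: update 'mydomain.org/IN' denied
Apr 22 10:32:44 myDNSsvr named[21370]: client 198.51.100.7#26731: update 'mydomain.org/IN' denied
Apr 22 10:33:00 myDNSsvr named[21370]: /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 203.0.113.17#53: connection reset
Apr 22 10:39:02 myDNSsvr postfix/smtpd[21429]: connect from localhost[127.0.0.1]
"""

# Syslog prefix for named; everything after the tag is the message.
NAMED = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ named\[\d+\]: (?P<msg>.*)$")
RULES = [
    ("update_denied", re.compile(
        r"^client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)' denied$")),
    ("fixed_query_port", re.compile(
        r"^(?P<file>\S+):(?P<line>\d+): using specific query-source port")),
    ("tcp_reset", re.compile(
        r"TCP receive error: (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): connection reset$")),
]

def triage(text):
    """Group named messages by kind; lines from other daemons are ignored."""
    report = {"update_denied": Counter(), "fixed_query_port": [],
              "tcp_reset": Counter(), "other_named": 0}
    for line in text.splitlines():
        m = NAMED.match(line)
        if not m:
            continue
        for kind, rx in RULES:
            if (hit := rx.search(m["msg"])) is None:
                continue
            if kind == "update_denied":
                # Refused dynamic-update attempts, counted per (client, zone).
                report[kind][(hit["ip"], hit["zone"])] += 1
            elif kind == "fixed_query_port":
                report[kind].append((hit["file"], int(hit["line"])))
            else:
                report[kind][hit["ip"]] += 1
            break
        else:
            report["other_named"] += 1
    return report

if __name__ == "__main__":
    for kind, value in triage(SAMPLE).items():
        print(kind, dict(value) if isinstance(value, Counter) else value)
```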