Help with understanding lines from Named in syslog?

Ubuntu 9.4, Bind 9.4:
I'm asking for help to determine what these lines in my syslog file mean.

This IP address is unknown to me.  I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client isn't known.  I have several lines like this with different addresses.

A1. client 76.216.89.230#15102: update 'mydomain.org/IN' denied
=============================================================================
This IP address is known to me, it's our Checkpoint Linux firewall server.  I interpret this line to mean that the client is trying to update (something) in mydomain.org and it's being denied because the client doesn't have the right permission.  I only have one line for this in syslog.

A2. client xxx.xx.xx.xxx#26731: update 'mydomain.org/IN' denied
=============================================================================
This showed up after I enabled the option:
query-source address * port 53;
Do I need to be concerned about this one, or is this a general information msg?

A3. /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
=============================================================================
I'm completely clueless on this one.  Both addresses are unknown.  What does this mean?

A4. Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 208.109.255.17#53: connection reset
Apr 22 10:36:12 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 216.69.185.17#53: connection reset
=============================================================================
What's going on here?  Why would postfix connect and disconnect so many times like this?

A5. Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: connect from localhost[127.0.0.1]
Apr 22 09:54:02 myDNSsvr postfix/smtpd[21410]: disconnect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: connect from localhost[127.0.0.1]
Apr 22 09:57:02 myDNSsvr postfix/smtpd[21415]: disconnect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: connect from localhost[127.0.0.1]
Apr 22 10:00:02 myDNSsvr postfix/smtpd[21417]: disconnect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: connect from localhost[127.0.0.1]
Apr 22 10:03:02 myDNSsvr postfix/smtpd[21423]: disconnect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: connect from localhost[127.0.0.1]
Apr 22 10:06:02 myDNSsvr postfix/smtpd[21427]: disconnect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: connect from localhost[127.0.0.1]
Apr 22 10:09:02 myDNSsvr postfix/smtpd[21429]: disconnect from localhost[127.0.0.1]

Thanks
Asked by: Westez

WizRd-Linux commented:
A1. Because you don't have allow-update { 1.1.1.1; }; in your configuration, hence allowing updates to the reverse dns records it spits out this error.  No big deal it can be ignored.

A2.  See A1 with the addition of you can stop the updates with the checkpoint firewall if this isn't your external DNS server and only used internally.

A3. DNS poisoning attacks, comment out the line "query-source port 53;" in /etc/bind/named.conf.options or remove it and restart named/bind9.

A4. Postfix - Check out postqueue taking a guess you have mail sitting in a queue that needs to be delivered, you can either delete the email or you can change postfix's configuration to reject it instead of soft bouncing it.

 
Westez (author) commented:
A little more info for you.  This is our primary master dns server, it's the master for 30 or so domains.

A1. Are you saying that I'm allowing updates to the reverse dns records?  And that by adding the zone clause allow-update 1.1.1.1 to the zone file for our domain I can stop these messages?

A2. This is our primary external DNS server.  
Regarding both A1 and A2 I don't want to allow any dynamic updates.  I would like to get rid of lines\messages in my syslog file though.

A3.  Has been commented out.

A4. doesn't refer to the postfix, that's A5, but thanks for schooling me on this point.

Any thoughts on A4?  
 
Westez (author) commented:
I've got this sorted out.
Question has a verified solution.
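
One way to triage the named messages discussed in this thread (A1 to A4) from a syslog file, as an added example that is not code from any poster: it counts denied dynamic updates per client and zone, flags the fixed query-source port warning, and tallies TCP receive errors. The sample log lines are constructed in the formats quoted above with documentation-range addresses, and `known_hosts` is a hypothetical list of your own machines.

```python
import re
from collections import Counter

# Constructed sample lines in the formats quoted in the thread; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 22 10:30:01 myDNSsvr named[21370]: client 192.0.2.10#15102: update 'mydomain.org/IN' denied
Apr 22 10:31:44 myDNSsvr named[21370]: client 192.0.2.10#15103: update 'mydomain.org/IN' denied
Apr 22 10:32:09 myDNSsvr named[21370]: client 198.51.100.7#26731: update 'mydomain.org/IN' denied
Apr 22 10:33:00 myDNSsvr named[21370]: /etc/bind/named.conf.options:14: using specific query-source port suppresses port randomization and can be insecure.
Apr 22 10:36:11 myDNSsvr named[21370]: dispatch 0xb5f803a8: shutting down due to TCP receive error: 203.0.113.17#53: connection reset
Apr 22 10:40:02 myDNSsvr postfix/smtpd[21410]: connect from localhost[127.0.0.1]
"""

NAMED = re.compile(r"\bnamed\[\d+\]: (?P<msg>.*)$")
UPDATE_DENIED = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^']+)' denied")
FIXED_PORT = re.compile(r"(?P<where>\S+:\d+): using specific query-source port")
TCP_ERROR = re.compile(r"TCP receive error: (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): (?P<why>.+)$")


def triage(text, known_hosts=()):
    """Summarise the named events discussed in the thread."""
    report = {"denied_updates": Counter(), "unknown_updaters": set(),
              "fixed_source_port": [], "tcp_errors": Counter()}
    for line in text.splitlines():
        m = NAMED.search(line)
        if not m:
            continue  # not a named line (e.g. the postfix entries)
        msg = m.group("msg")
        if (u := UPDATE_DENIED.search(msg)):
            report["denied_updates"][(u["ip"], u["zone"])] += 1
            if u["ip"] not in known_hosts:  # updater is not one of ours
                report["unknown_updaters"].add(u["ip"])
        elif (f := FIXED_PORT.search(msg)):
            report["fixed_source_port"].append(f["where"])  # config file:line
        elif (t := TCP_ERROR.search(msg)):
            report["tcp_errors"][(t["ip"], t["why"])] += 1
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, known_hosts={"198.51.100.7"})
    for (ip, zone), n in r["denied_updates"].most_common():
        tag = "unknown" if ip in r["unknown_updaters"] else "known"
        print(f"{n:3d} denied update(s) to {zone} from {ip} ({tag})")
    for where in r["fixed_source_port"]:
        print(f"fixed query-source port configured at {where}")
    for (ip, why), n in r["tcp_errors"].items():
        print(f"{n:3d} TCP error(s) talking to {ip}: {why}")
```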
