LinuxQuestions.org
Old 12-11-2006, 08:06 AM   #1
buggabill
Member
BIND 9 Logging Question

I am running BIND9 on a Debian machine as a local caching server.

Logcheck is returning numerous counts of this:

Dec 11 06:44:36 carmine named[25566]: unexpected RCODE (REFUSED) resolving 'www.specialoffersnetworks.com/A/IN': 209.68.1.15#53

I do not have any forwarding turned on. Is this BIND trying to forward to some other DNS server, or is there a machine on the network trying to go to this IP address? If there is a machine doing it, how can I get the 'offending' machine's IP address?
 
Old 12-11-2006, 10:35 AM   #2
unSpawn
Moderator
Probably pair.com DNS server malarkey. What happens if you add the "lame-servers" directive to your named.conf (restart named)?

Quote:
how can I get the 'offending' machine's ip address?

You could run tcpdump on the DNS server. Say you serve requests on eth2 for clients from subnet 10.144.122.0/24: "tcpdump -w /var/log/tcpdump.pcap -i eth2 -n -nn -v src 10.144.122.0 and port 53". Note this turns on ethernet device promiscuous mode. Also note if you don't like to sniff as root use "-U". BTW, if you want to resolve addresses for localnet purposes and have a persistent cache of resolved addresses you don't need to run Named with all its dependencies: check out Pdnsd.
 
Old 12-11-2006, 10:43 AM   #3
fur
Member
To enable BIND to log queries, add this to named.conf and restart it.

Code:
logging {
    // every query goes to its own file, with a timestamp on each line
    channel "querylog" { file "/var/log/bind9-query.log"; print-time yes; };
    category queries { querylog; };
};
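An added example (not from any poster in this thread) for using that query log once it is filling up: it parses BIND 9 query-log lines in the format the channel above writes and counts which client addresses asked for the domain named in the logcheck message, so the "offending" machine shows up without a packet capture. The sample lines are constructed, and the regex's tolerance for the extra fields newer BIND versions print after the client address is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the BIND 9 query-log format (print-time yes).
# Newer BIND releases insert extra fields after the client address; the
# regex below is written to tolerate them (an assumption, not a guarantee).
SAMPLE_LOG = """\
11-Dec-2006 06:44:31.102 client 10.144.122.17#32771: query: www.specialoffersnetworks.com IN A +
11-Dec-2006 06:44:32.514 client 10.144.122.40#1063: query: www.debian.org IN A +
11-Dec-2006 06:44:36.009 client 10.144.122.17#32772: query: www.specialoffersnetworks.com IN A +
11-Dec-2006 06:45:01.773 client 10.144.122.91#2049: query: specialoffersnetworks.com IN MX +
11-Dec-2006 06:45:02.001 client 10.144.122.17#32773: query: WWW.SpecialOffersNetworks.COM IN A +
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+[^:]*: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for each query line; skip other lines."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # Normalise the name: drop the trailing dot, lowercase (DNS names are case-insensitive).
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def clients_asking_for(text, domain):
    """Count queries per client IP for `domain` itself or any name under it (label boundary respected)."""
    domain = domain.rstrip(".").lower()
    counts = Counter()
    for ip, name, _qtype in parse_query_log(text):
        if name == domain or name.endswith("." + domain):
            counts[ip] += 1
    return counts


def report(text, domain):
    """Return report lines, busiest client first."""
    counts = clients_asking_for(text, domain)
    return [f"{ip:<16} {n:>5} queries for {domain}" for ip, n in counts.most_common()]


if __name__ == "__main__":
    import sys
    # Usage: python find_client.py specialoffersnetworks.com < /var/log/bind9-query.log
    target = sys.argv[1] if len(sys.argv) > 1 else "specialoffersnetworks.com"
    log_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(log_text, target)) or f"no queries for {target}")
```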
 
Old 12-11-2006, 11:52 AM   #4
chort
Senior Member
Perhaps pair.com is refusing to resolve queries for spam and/or spyware domains? It seems like your TCP (wtf am I smoking? dns doesn't use TCP for short queries) connection may have been rejected for that request, or pair might have patched their DNS servers to allow for specific queries to be refused.

Anyway, it looks like a machine on your network is probably infested with spyware and it's trying to resolve "www.specialoffersnetworks.com". When your nameserver does the recursive lookup, the nameserver at PAIR is refusing it. ns3.pair.com is listed as the first nameserver in the whois record for specialoffersnetworks.com. That is 209.68.1.15. I'm getting a SERVFAIL even trying to look up their SOA record. Iiiinnnnnnnteresting.

Last edited by chort; 12-12-2006 at 03:34 PM.
 
Old 12-11-2006, 03:16 PM   #5
unSpawn
Moderator
ns3 doesn't appear synced, ns1 does seem to know the domain though.
 
Old 12-12-2006, 03:30 PM   #6
buggabill
Member
Original Poster
Wow... I appreciate all the responses. What I have done so far is add the query logging. I will try tcpdump afterwards if I do not get anywhere. I know it has to be some user on our network with some sort of adware on their machine. I am just looking for which one. We do have a couple of habitual offenders...

Again, thanks for all the help!
 
Old 12-13-2006, 12:31 PM   #7
buggabill
Member
Original Poster
Found what I was looking for in the logs. Thanks folks!