Linux - Networking (LinuxQuestions.org forum)
I do not have any forwarding turned on. Is this BIND trying to forward to some other DNS server, or is there a machine on the network trying to go to this IP address? If there is a machine doing it, how can I get the 'offending' machine's IP address?
Probably pair.com DNS server malarkey. What happens if you add the "lame-servers" directive to your named.conf (restart named)?
how can I get the 'offending' machine's ip address?
You could run tcpdump on the DNS server. Say you serve requests on eth2 for clients from subnet 10.144.122.0/24: "tcpdump -w /var/log/tcpdump.pcap -i eth2 -n -nn -v src net 10.144.122.0/24 and port 53". Note this turns on ethernet device promiscuous mode. Also note if you don't like to sniff as root use "-U". BTW, if you want to resolve addresses for localnet purposes and have a persistent cache of resolved addresses you don't need to run named with all its dependencies: check out pdnsd.
Perhaps pair.com is refusing to resolve queries for spam and/or spyware domains? It seems like your TCP (wtf am I smoking? DNS doesn't use TCP for short queries) connection may have been rejected for that request, or pair might have patched their DNS servers to allow for specific queries to be refused.
Anyway, it looks like a machine on your network is probably infested with spyware and it's trying to resolve "www.specialoffersnetworks.com". When your nameserver does the recursive lookup, the nameserver at PAIR is refusing it. ns3.pair.com is listed as the first nameserver in the whois record for specialoffersnetworks.com. That is 18.104.22.168. I'm getting a SERVFAIL even trying to lookup their SOA record. Iiiinnnnnnnteresting.
Wow... I appreciate all the responses. What I have done so far is add the query logging. I will try tcpdump afterwards if I do not get anywhere. I know it has to be some user on our network with some sort of adware on their machine. I am just looking for which one. We do have a couple of habitual offenders...
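Once query logging is on (in BIND 9, "rndc querylog" toggles it without a restart, or a "category queries" channel in named.conf makes it permanent), the remaining work is reading the log for the domain in question and tallying which client IPs asked for it. The script below is an added example, not code from the thread or from BIND: it parses the "client IP#port: query: name class type" lines that BIND writes, accepts both the older line shape and the newer one that carries an "@0x..." client pointer and a parenthesised qname, normalises case and trailing dots, and returns a per-client count for the target domain and its subdomains. The log lines and addresses in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of BIND 9 query-log lines (not from the original thread).
# Two client-line shapes are included: the older "client IP#port: query: ..." form
# and the newer form with an "@0x..." client pointer and a parenthesised qname.
SAMPLE_LOG = """\
28-Jan-2010 09:12:01.123 queries: info: client 10.144.122.37#52831: query: www.specialoffersnetworks.com IN A + (10.144.122.1)
28-Jan-2010 09:12:01.410 queries: info: client 10.144.122.12#40021: query: www.linuxquestions.org IN A + (10.144.122.1)
28-Jan-2010 09:12:03.002 queries: info: client 10.144.122.37#52832: query: WWW.SpecialOffersNetworks.com. IN A + (10.144.122.1)
28-Jan-2010 09:12:07.555 queries: info: client @0x7f3c2c0a1b20 10.144.122.88#61002 (www.specialoffersnetworks.com): query: www.specialoffersnetworks.com IN A +E(0)K (10.144.122.1)
28-Jan-2010 09:12:09.001 queries: info: client 10.144.122.12#40022: query: mail.example.net IN MX + (10.144.122.1)
this line is not a query log entry at all
"""

# Matches the client/query portion of a BIND query-log line.  The "@0x..." token and
# the "(qname)" group are optional so both log shapes above are handled.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict with ip, port, qname, qtype for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    # DNS names are case-insensitive; BIND may log them with or without a trailing dot.
    qname = m.group("qname").rstrip(".").lower()
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": qname,
        "qtype": m.group("qtype"),
    }


def clients_querying(log_text, target):
    """Count queries per client IP whose qname is target or any name under it."""
    target = target.rstrip(".").lower()
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        if rec["qname"] == target or rec["qname"].endswith("." + target):
            hits[rec["ip"]] += 1
    return hits


def top_offenders(log_text, target, limit=5):
    """Client IPs asking for target most often, as (ip, count) pairs, busiest first."""
    return clients_querying(log_text, target).most_common(limit)


if __name__ == "__main__":
    for ip, count in top_offenders(SAMPLE_LOG, "specialoffersnetworks.com"):
        print(f"{ip}\t{count}")
```

On a real server the same function would be fed the query log file instead of SAMPLE_LOG; the "rndc querylog" toggle and the log line format are BIND's, while the file path, the addresses and the log entries here are the example's own assumptions.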