Strange entries in /var/log/messages
 

I've recently changed my server control panel to Webmin and my /var/log/messages is filling up with hundreds of entries like this :

I've not seen these before so a) should I be worried and b) can I block the requests via iptables or similar or should I just let the log file fill up ? The IP address changes from time to time so I would need to block using a string rather than just deny the IP address. I'm using CentOS 5.7

@ Reply
 

Hi PlymWS,

Questions for you:

1. Is this your public DNS server?
2. Is your DNS server is configured to perform recursive queries?
3. Did you change anything else other than the change related to Webmin.
4. How frequently do you see these messages.
5. Are they from specific IP range or from different IP range.

I don't think it's much to worry about unless your server is a 'public' DNS server
It's just telling you that "client 95.108.156.1" wanted to use your DNS to get the "ns1.game-ion.com" and "ns2.game-ion.com" domain information (IP addr, etc.).
So if your server is Master for this domain and public, then it's something wrong configured (your /var/named.conf file) not allowing to see domain information.

Thanks for your replies.

To answer the questions I did an install of Webmin & Virtualmin on a clean CentOS 5.7 install and then simply set a website up. Everything else is standard as Webmin installs it which is why I was a little concerned seeing these messages.

The messages were appearing every minute or two and didn't come from a specific IP range they were all over the place, with some even linking back to a block of IPs that reverse DNS back to Microsoft.

I've stopped the named service which has, obviously, stopped the messages but I would like a "better" solution to this tbh.

* First of all please realize that running a web-based management panel is purely convenience: it will never replace theoretical knowledge and practical admin experience.
- You don't need to run a DNS server unless you handle being authoritative one for one or more domains yourself. (And if you are also please understand what you are running, know a PTR from an A or AAAA record, invest in hardening and consider running two slaves in independent networks for redundancy reasons.)
- If you run a DNS server for caching responses only it should not be publicly accessible.

In your BIND configuration file, in the logging section, add a line "category lame-servers { null; };" and restart BIND to see if lame delegation messages disappear: