What's this site doing in var/log/messages?

Discussion in 'Linux VPS/Dedicated - cPanel' started by newe1344, Apr 15, 2010.

  1. newe1344

    newe1344 New Member

    So I have a site that seems to continually get denied from my server...I think. I'm not really sure how to interpret the messages in var/log/messages. Here is a typical line:
    Code:
    Apr 13 00:17:19 host named[13353]: client 74.125.44.94#56221: query (cache) 'www.socecoturismo.com/AAAA/IN' denied
    
    Anyone know what this means? I have four log files mostly full of this message from the same site with different IP addresses. Is this something I should be concerned about?

    Thanks,
    Mike
     
  2. Dan

    Dan Moderator

    Hey Mike,

    I can't say that I've seen that particular error but if I were to guess I would say that it is happening because someone is trying to do something they shouldn't ;)
     
  3. mylinear

    mylinear Member

    I believe a request is being made to your nameservers from that IP address to resolve that domain and your nameservers are denying the request since your nameservers are not authoritative for that domain.
     
  4. newe1344

    newe1344 New Member

    Thanks

    Do you know if there is any way to stop this nameserver problem? I was hoping it would just go away on its own once enough people had resolved to another nameserver...

    But it continues to fill my log files. Thanks for your time on this.

    Mike
     
  5. mylinear

    mylinear Member

    Although it is filling the logfile, it shows that your nameservers are set up correctly not to allow unauthorized queries, so that is a good thing.

    If the queries are from the same IP address, maybe you can block that IP at the firewall level so it cannot connect to your server at all.

    Or you may need to see if there is a setting in the configuration file for the nameserver which will allow you to stop logging such error messages.

    I don't know if there is an easier way. Maybe you can submit a ticket to support and see if they have a suggestion. Let us know if you get a solution.
     
  6. newe1344

    newe1344 New Member

    Solution...kinda

    I haven't been able to figure out how to stop the messages yet, but after doing a lot of research online, I did find:
    http://www.webhostingtalk.com/showthread.php?t=872302
    talking about the same issue. It's suggested on that forum to edit the /etc/named.conf file under the "logging" section.

    I'm going to keep looking, however, it's a relief to find out that these messages are actually coming from a CORRECT server configuration. I tend to make server configurations incorrect most of the time...so this is nice to hear.

    Interesting, I've had all incoming tcp ports blocked to everyone but a few IPs for a long time now, the only incoming UDP port I allow is 53. Are the connections coming in on port 53 then? I only ask because the last time I blocked incoming udp port 53, it locked me out, even though I was using a whitelisted IP. Here's what I found on port 53:

    from this site:
    http://www.auditmypc.com/port/udp-port-53.asp

    They advise keeping your BIND patches up to date and using split-DNS.

    So back to the original discussion, my guess is, if it's important to you not to fill your messages log with this type of entry, you should edit named.conf:

    logging {
        category lame-servers { null; };
    };

    and it won't post the entry anymore. However, I've decided I will probably leave these messages in there, that way, if my configuration ever stops working, I will know. Thanks for your help on this everyone. :)
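As an added example that is not from any of the posts above, a short Python script that picks out the "query (cache) ... denied" lines in the /var/log/messages format quoted in the thread and counts them per client IP and per queried name, so a repeated source (the case mylinear suggested reviewing at the firewall) stands out from one-off lookups before anyone decides to silence the category in named.conf. The sample log lines, the threshold and the 203.0.113.7 address are constructed for the example.

```python
"""Summarise BIND 'query (cache) ... denied' lines from /var/log/messages."""
import re
from collections import Counter, defaultdict

# Syslog shape from the thread: "<ts> <host> named[pid]: client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied"
DENIED_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/[A-Z]+' denied$"
)

def parse_denied(line):
    """Return (client_ip, qname, rtype) for a denied cache query line, else None."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("name").lower(), m.group("rtype")

def summarise(lines, ip_threshold=3):
    """Count denied queries per client IP and per name; flag IPs at or above
    ip_threshold as the repeated sources worth a closer look (constructed threshold)."""
    per_ip, per_name, names_by_ip = Counter(), Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # unrelated syslog line (sshd, cron, ...)
        ip, name, _rtype = parsed
        per_ip[ip] += 1
        per_name[name] += 1
        names_by_ip[ip].add(name)
    noisy = {ip for ip, n in per_ip.items() if n >= ip_threshold}
    return {"per_ip": per_ip, "per_name": per_name, "noisy_ips": noisy,
            "names_by_ip": {ip: sorted(s) for ip, s in names_by_ip.items()}}

# Constructed sample lines modelled on the one quoted in the thread (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
Apr 13 00:17:19 host named[13353]: client 74.125.44.94#56221: query (cache) 'www.socecoturismo.com/AAAA/IN' denied
Apr 13 00:17:19 host named[13353]: client 74.125.44.94#56222: query (cache) 'www.socecoturismo.com/A/IN' denied
Apr 13 00:18:02 host named[13353]: client 74.125.44.94#40113: query (cache) 'socecoturismo.com/MX/IN' denied
Apr 13 00:18:40 host named[13353]: client 203.0.113.7#5353: query (cache) 'www.socecoturismo.com/A/IN' denied
Apr 13 00:19:00 host sshd[2201]: Accepted publickey for admin from 203.0.113.7 port 51000 ssh2
"""

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for ip, count in report["per_ip"].most_common():
        flag = "  <- repeated source" if ip in report["noisy_ips"] else ""
        print(f"{ip:16} {count:3d}  {', '.join(report['names_by_ip'][ip])}{flag}")
```

Point it at the real file with `summarise(open("/var/log/messages"))` to get the same per-IP and per-name counts for your own server.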
     