What's this site doing in var/log/messages ?

newe1344

New Member
So I have a site that seems to continually get denied from my server...I think. I'm not really sure how to interpret the messages in var/log/messages. Here is a typical line:
Code:
Apr 13 00:17:19 host named[13353]: client 74.125.44.94#56221: query (cache) 'www.socecoturismo.com/AAAA/IN' denied
Anyone know what this means? I have four log files mostly full of this message from the same site with different IP addresses. Is this something I should be concerned about?

Thanks,
Mike
 

Dan

Moderator
Hey Mike,

I can't say that I've seen that particular error but if I were to guess I would say that it is happening because someone is trying to do something they shouldn't ;)
 

mylinear

Member
I believe a request is being made to your nameservers from that IP address to resolve that domain and your nameservers are denying the request since your nameservers are not authoritative for that domain.
 

newe1344

New Member
Thanks

Do you know if there is anyway to stop this nameserver problem? I was hoping it would just go away on its own once enough people had resolved to another nameserver...

But it continues to fill my log files. Thanks for your time on this.

Mike
 

mylinear

Member
Although it fills the logfile, it shows that your nameservers are set up correctly not to allow unauthorized queries, so that is a good thing.

If the queries are from the same IP address, maybe you can block that IP at the firewall level so it cannot connect to your server at all.

Or you may need to see if there is a setting in the configuration file for the nameserver which will allow you to stop logging such error messages.

I don't know if there is an easier way. Maybe you can submit a ticket to support and see if they have a suggestion. Let us know if you get a solution.
 

newe1344

New Member
Solution...kinda

I haven't been able to figure out how to stop the messages yet, but after doing a lot of research online, I did find:
http://www.webhostingtalk.com/showthread.php?t=872302
Talking about the same issue. It's suggested on that forum to edit the /etc/named.conf file under the "logging" section.

I'm going to keep looking; however, it's a relief to find out that these messages are actually coming from a CORRECT server configuration. I tend to make server configurations incorrect most of the time...so this is nice to hear.

Interesting, I've had all incoming tcp ports blocked to everyone but a few IPs for a long time now, the only incoming UDP port I allow is 53. Are the connections coming in on port 53 then? I only ask because the last time I blocked incoming udp port 53, it locked me out, even though I was using a whitelisted IP. Here's what I found on port 53:

TCP is used for "zone transfers" of full name record databases, while UDP is used for individual lookups. Security Concerns: Zone Transfers give away entire network maps; high value to attackers. – DNS (BIND) is a popular target, since DNS servers must exist, must be reachable, and exploits usually result in DOS or root.
from this site:
http://www.auditmypc.com/port/udp-port-53.asp

They advise to keep your BIND patches up to date, and use split-DNS.

So back to the original discussion, my guess is, if it's important to you not to fill your messages log with this type of entry, you should edit named.conf:

logging {
category lame-servers { null; };
};
and it won't post the entry anymore. However, I've decided I will probably leave these messages in there; that way, if my configuration ever stops working, I will know. Thanks for your help on this everyone. :)
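As an added example (not code from anyone in this thread), here is a small Python script that parses the "query (cache) '...' denied" line format quoted at the top and counts denials per client IP and per queried name. That breakdown tells you whether one source dominates, in which case the firewall block suggested above is practical, or whether, as Mike saw, many different addresses are asking for the same name. The first sample line is the one from the thread; the other sample lines are constructed.

```python
import re
from collections import Counter

# Syslog prefix plus the BIND "query ... denied" message, as seen in /var/log/messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \((?P<kind>cache|recursion)\) "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/(?P<cls>[A-Z]+)' denied$"
)


def parse_line(line):
    """Return the fields of one denied-query line, or None if the line is something else."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines):
    """Count denied queries per client IP and per queried name; non-matching lines are skipped."""
    by_ip = Counter()
    by_name = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]] += 1
        by_name[rec["name"]] += 1
    return by_ip, by_name


# Constructed sample log: line 1 is the line quoted in the thread; the 198.51.100.x and
# 203.0.113.x addresses are documentation ranges used here as placeholders.
SAMPLE_LOG = """\
Apr 13 00:17:19 host named[13353]: client 74.125.44.94#56221: query (cache) 'www.socecoturismo.com/AAAA/IN' denied
Apr 13 00:17:20 host named[13353]: client 74.125.44.94#56222: query (cache) 'www.socecoturismo.com/A/IN' denied
Apr 13 00:18:02 host named[13353]: client 198.51.100.7#40113: query (cache) 'www.socecoturismo.com/MX/IN' denied
Apr 13 00:18:05 host sshd[2201]: Accepted publickey for mike from 203.0.113.5 port 51022 ssh2
"""

if __name__ == "__main__":
    ips, names = summarize(SAMPLE_LOG.splitlines())
    print("denied queries per client IP:", ips.most_common())
    print("denied queries per name:", names.most_common())
```

Run it against a real file with `summarize(open("/var/log/messages"))` to get the same counts for your own logs.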
 