DNS Problem, Please Help!

Mark_Andrews at iengines.com Mark_Andrews at iengines.com
Mon Nov 1 20:21:06 UTC 1999


	Upgrade to BIND 8.2.2, you are suffering a DoS attack which
	stalls the server long enough (120 seconds) for the clients
	to time out.

	Mark

> >>>>> "Eddie" == Eddie Kimura <edkimura at pacbell.net> writes:
> 
>     Eddie> I am currently experiencing a problem with BIND 8.2.1 on a
>     Eddie> Redhat Linux 6 server at my company. I am reviewing the log
>     Eddie> files and seeing a large number of errors in them. At the
>     Eddie> same time I am getting a number of users complaining about
>     Eddie> not being able to connect to various servers on our
>     Eddie> network.  It seems like the error occurs every minute or so
>     Eddie> and reportedly occurs at various areas of our network. I was
>     Eddie> wondering if there's a bug in BIND, Linux, or if there's any
>     Eddie> problem at all. The server is very lightly loaded and is
>     Eddie> connected to a 100Mbps Cisco Switch. The error messages are
>     Eddie> shown below...
> 
>     Eddie> poseidon named[357]: ns_req: sendto([159.21.48.73].4333): Connection refused
>     Eddie> 
>     Eddie> poseidon named[357]: ns_req: sendto([159.21.4.25].2907): Connection refused
>     Eddie> poseidon named[357]: ns_req: sendto([159.21.40.34].2926): Connection refused
>     Eddie> poseidon named[357]: ns_req: sendto([159.21.19.69].3529): Connection refused
> 
> This is weird. Your name server is trying to send queries to port 4333
> at IP address 159.21.48.73 and the TCP/IP stack at that address is
> returning ECONNREFUSED "Connection refused" errors. This usually
> happens when data gets sent to a port number that isn't in use.  So it
> looks as if something has sent a query from port 4333 on 159.21.48.73
> - and port 2907 on 159.21.4.25, etc - and the reply from your name
> server got rejected. Either the thing at the far end has gone away
> before the reply came back or else the OS on 159.21.48.73 has decided
> for some reason that port 4333 is not in use.
> 
> It might be an idea to turn on query logging on your name server and
> find out what queries are being sent. This might identify the source
> of the problem. Snooping on the wire at the DNS traffic might also be
> a help.
> 
> It doesn't look like there's a problem with your name server. If it
> was sending queries to these addresses, they would be going to port
> 53, the default for DNS service.
> 
> When did you first notice the problem and can you correlate that with
> any other changes that have been made, particularly on the IP
> addresses that get reported in the name server's logs?
> 
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com
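
Added example, not part of the original messages: one way to do the log correlation suggested in the thread, tallying the `ns_req: sendto` failures by client, by /24 network, by minute, and by whether the destination port is 53. It assumes a traditional syslog timestamp prefix; the sample lines reuse the addresses and ports quoted above with constructed timestamps.

```python
import re
from collections import Counter

# Traditional syslog prefix (assumed) followed by the BIND 8 message quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ named\[\d+\]: "
    r"ns_req: sendto\(\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\.(?P<port>\d+)\): (?P<err>.+)$"
)

def summarize(lines):
    """Tally sendto failures by client, /24 network, minute, and destination port class."""
    clients, nets, minutes, kinds = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log entry
        ip, port = m["ip"], int(m["port"])
        clients[ip] += 1
        nets[ip.rsplit(".", 1)[0] + ".0/24"] += 1
        minutes[m["minute"]] += 1
        # Port 53 would mean traffic to another name server; a high port means
        # the failed packet was a reply to a client's resolver.
        kinds["to_server" if port == 53 else "reply_to_client"] += 1
    return {"clients": clients, "nets": nets, "minutes": minutes, "kinds": kinds}

# Constructed sample: addresses and ports are from the thread, timestamps are invented.
SAMPLE = """\
Nov  1 12:01:07 poseidon named[357]: ns_req: sendto([159.21.48.73].4333): Connection refused
Nov  1 12:01:09 poseidon named[357]: ns_req: sendto([159.21.4.25].2907): Connection refused
Nov  1 12:02:11 poseidon named[357]: ns_req: sendto([159.21.40.34].2926): Connection refused
Nov  1 12:02:12 poseidon named[357]: ns_req: sendto([159.21.19.69].3529): Connection refused
Nov  1 12:02:30 poseidon named[357]: ns_req: sendto([159.21.48.73].4340): Connection refused
Nov  1 12:02:31 poseidon named[357]: starting
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name, counter in report.items():
        print(name, counter.most_common())
```

Failures spread across many client networks and clustered in the same minutes point at late replies from a stalled server rather than at a single misbehaving host.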


More information about the bind-users mailing list