DNS Problem, Please Help!
Mark_Andrews at iengines.com
Mon Nov 1 20:21:06 UTC 1999
Upgrade to BIND 8.2.2; you are suffering a DoS attack which
stalls the server long enough (120 seconds) for the clients
to time out.
Mark
> >>>>> "Eddie" == Eddie Kimura <edkimura at pacbell.net> writes:
>
> Eddie> I am currently experiencing a problem with BIND 8.2.1 on a
> Eddie> Redhat Linux 6 server at my company. I am reviewing the log
> Eddie> files and seeing a large number of errors in it. At the
> Eddie> same time I am getting a number of users complaining about
> Eddie> not being able to connect to various servers on our
> Eddie> network. It seems like the error occurs every minute or so
> Eddie> and reportedly occurs at various areas of our network. I was
> Eddie> wondering if there's a bug in BIND, Linux, or if there's any
> Eddie> problem at all. The server is very lightly loaded and is
> Eddie> connected to a 100Mbps Cisco Switch. The error messages are
> Eddie> shown below...
>
> Eddie> poseidon named[357]: ns_req: sendto([159.21.48.73].4333): Connection refused
> Eddie> poseidon named[357]: ns_req: sendto([159.21.4.25].2907): Connection refused
> Eddie> poseidon named[357]: ns_req: sendto([159.21.40.34].2926): Connection refused
> Eddie> poseidon named[357]: ns_req: sendto([159.21.19.69].3529): Connection refused
>
> This is weird. Your name server is trying to send queries to port 4333
> at IP address 159.21.48.73 and the TCP/IP stack at that address is
> returning ECONNREFUSED "Connection refused" errors. This usually
> happens when data gets sent to a port number that isn't in use. So it
> looks as if something has sent a query from port 4333 on 159.21.48.73
> - and port 2907 on 159.21.4.25, etc - and the reply from your name
> server got rejected. Either the thing at the far end has gone away
> before the reply came back or else the OS on 159.21.48.73 has decided
> for some reason that port 4333 is not in use.
>
> It might be an idea to turn on query logging on your name server and
> find out what queries are being sent. This might identify the source
> of the problem. Snooping on the wire at the DNS traffic might also be
> a help.
>
> It doesn't look like there's a problem with your name server. If it
> was sending queries to these addresses, they would be going to port
> 53, the default for DNS service.
>
> When did you first notice the problem and can you correlate that with
> any other changes that have been made, particularly on the IP
> addresses that get reported in the name server's logs?
>
>
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at iengines.com
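
Added example, not part of the original messages: a small Python triage script that parses `ns_req: sendto(...)` failures like those quoted above, counts them per client, and groups them into time bursts so they can be lined up against user-reported outages. The syslog timestamps, the `SAMPLE` data and the 60-second gap threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in classic syslog format; the message text matches the
# lines quoted in the thread, the timestamps are invented for illustration.
SAMPLE = """\
Nov  1 10:14:02 poseidon named[357]: ns_req: sendto([159.21.48.73].4333): Connection refused
Nov  1 10:14:05 poseidon named[357]: ns_req: sendto([159.21.4.25].2907): Connection refused
Nov  1 10:14:41 poseidon named[357]: ns_req: sendto([159.21.40.34].2926): Connection refused
Nov  1 10:16:03 poseidon named[357]: ns_req: sendto([159.21.19.69].3529): Connection refused
Nov  1 10:16:07 poseidon named[357]: ns_req: sendto([159.21.48.73].4410): Connection refused
Nov  1 10:16:09 poseidon named[357]: starting
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"ns_req: sendto\(\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)\): (?P<err>.+)$"
)

def parse(text, year=1999):
    """Yield (timestamp, client_ip, client_port, error) per failed reply."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # unrelated named messages are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["port"]), m["err"]

def summarize(text, gap_seconds=60):
    """Count failures per client and group them into bursts; a new burst
    starts after a quiet period longer than gap_seconds (assumed value)."""
    events = sorted(parse(text))
    per_client = Counter(ip for _, ip, _, _ in events)
    bursts = []
    for ts, ip, _, _ in events:
        if bursts and (ts - bursts[-1]["end"]).total_seconds() <= gap_seconds:
            bursts[-1]["end"] = ts
            bursts[-1]["clients"].add(ip)
        else:
            bursts.append({"start": ts, "end": ts, "clients": {ip}})
    return per_client, bursts

if __name__ == "__main__":
    clients, bursts = summarize(SAMPLE)
    print("failed replies per client:", clients.most_common())
    for b in bursts:
        print(b["start"], "->", b["end"], sorted(b["clients"]))
```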