When this message happens name service times out.

Cinense, Mark macinen at sandia.gov
Tue May 9 16:51:59 UTC 2000


Sorry Jim,

	Running Bind 8.2.2-P5 on Solaris 7.  If this machine is an internal
machine, and port 53 is restricted to only this and one other nameserver,
could this cause this to happen?  There are other nameservers in our
network, however they have no outside access.  Also the other nameservers
are forwarding outside requests to this machine.  What should I do?

Mark

		-----Original Message-----
		From:	Jim Reid [mailto:jim at rfc1035.com]
		Sent:	May 09, 2000 10:37 AM
		To:	Mark Cinense
		Cc:	bind-users at vix.com
		Subject:	Re: When this message happens name service times out.

		>>>>> "Mark" == Cinense, Mark <macinen at sandia.gov> writes:

		    Mark> Greetings all, About a month ago we upgraded our 10mb NIC to
		    Mark> a 100mb NIC on a SPARC 5 270mhz with 96mb of memory.  Our
		    Mark> environment is about 8500 + machines, that includes the
		    Mark> servers.

		Shame you forgot to tell us what version of BIND you're running.

		    Mark> I have a script that runs daily via cron, and its
		    Mark> job is to gather statistics on the nameserver.  This script
		    Mark> also restarts named by getting the named.pid info, and doing
		    Mark> a kill -ILL on that pid.

		Please get out of the habit of sending signals to the name server to
		make it do things. Use ndc and have it talk to the name server via a
		UNIX domain socket. What happens if the next BIND release does
		something different with SIGILL or even decides not to catch it any
		more? Or what if named.pid has the wrong process number?

		    Mark> Well after the upgrade of the
		    Mark> NIC's, I am now getting this message in my message log.

		    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.93.44].2072
		    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.22.3].53

		These messages should be self-explanatory. A query with source IP
		address 134.253.22.3 and port number 53 - presumably a name server? -
		was sent to a socket that your name server didn't expect to get
		queries on. The first log entry shows another of these queries from
		port 2072 of IP address 134.253.93.44. In BIND8, this usually happens
		when queries are sent to the random UDP port the server uses when it
		makes queries. Nothing should be sending queries to that port which is
		why the error messages are generated. You'll need to find out what
		these hosts are up to and why they're sending queries to a socket that
		isn't used for incoming requests. Maybe someone is port scanning from
		these addresses?
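
One way to start on "find out what these hosts are up to", as an added example that is not part of the original thread: a Python tally of the "refused query on non-query socket" syslog lines by source address and source port. The function name, the `MANY_PORTS` threshold and the three labels are assumptions made for illustration; the first two sample lines are the ones quoted in the message, the rest are constructed.

```python
import re
from collections import defaultdict

# Matches the BIND 8 syslog line quoted in the thread.
LINE_RE = re.compile(
    r"named\[\d+\]: refused query on non-query socket from "
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\.(\d+)"
)

MANY_PORTS = 4  # assumed threshold: this many distinct source ports gets flagged


def summarize(lines, many_ports=MANY_PORTS):
    """Group refused-query lines by source IP and label each source.

    Labels (heuristics, not proof of intent):
      nameserver - every query came from source port 53
      many-ports - many distinct source ports from one address
      client     - a few non-53 source ports
    """
    ports_by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ports_by_ip[m.group(1)].append(int(m.group(2)))
    summary = {}
    for ip, ports in ports_by_ip.items():
        distinct = set(ports)
        if distinct == {53}:
            kind = "nameserver"
        elif len(distinct) >= many_ports:
            kind = "many-ports"
        else:
            kind = "client"
        summary[ip] = {"count": len(ports), "ports": sorted(distinct), "kind": kind}
    return summary


SAMPLE_LOG = [
    # The two lines quoted in the thread.
    "May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.93.44].2072",
    "May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.22.3].53",
    # Constructed lines: one address (documentation range) using five source ports.
    *[f"May 9 07:50:21 ns4 named[22455]: refused query on non-query socket "
      f"from [192.0.2.10].{p}" for p in range(40001, 40006)],
    "May 9 07:50:22 ns4 sshd[311]: constructed unrelated line",
]

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {info['count']:4} {info['kind']:10} ports={info['ports']}")
```

Sources labelled `nameserver` are the ones to compare against the internal servers' forwarder settings; the other labels point at hosts worth a closer look in packet captures or firewall logs.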



