Unapproved query
phn at icke-reklam.ipsec.nu
Wed Apr 24 19:03:26 UTC 2002
Steve <smallpond at juno.com> wrote:
> My firewall acts as a split-horizon nameserver for the internal
> network. The local machines use it for DNS, but no outside
> records should point to it. However, I'm getting hundreds of
> log messages like:
"Running a 'split-horizon' nameserver", does that mean that
you are authoritative for some zone on the Internet? Or does
your ISP handle all DNS for your domain / network?
> Apr 24 08:46:14 firewall named[1511]: unapproved query from
> [207.46.238.97].4713 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:46:15 firewall last message repeated 2 times
> Apr 24 08:47:19 firewall named[1511]: unapproved query from
> [207.46.150.16].34336 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:47:20 firewall last message repeated 2 times
> Apr 24 09:25:12 firewall named[1511]: unapproved query from
> [207.46.238.102].64930 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:25:13 firewall last message repeated 2 times
> Apr 24 09:26:18 firewall named[1511]: unapproved query from
> [207.46.150.13].2900 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:26:19 firewall last message repeated 2 times
If you _are_ authoritative for your in-addr.arpa range you are
supposed to answer those queries. The queries could be a result
of your users browsing webservers on msn (and the servers wanting
to log your real names).
> The 207 addresses all seem to be in msn or msnbc. I'm guessing
> someone is spoofing the source so that my REJECT messages go
> back to MS and
> cause them problems? I don't think I did anything to get Bill G mad
> at me, except for that unlicensed copy of Excel.
> What I'm thinking of doing is adding an ipchains rule like:
> ipchains -A input -j DENY -p tcp -d xxx.xxx.xxx.xxx:42 -i eth1
There is a reason that they ask your server. Have you thought of
that?
> so that the requests will drop silently. Since I've never written
> an ipchains rule before, I thought I'd ask if anyone has done this?
> Better solution?
> Oh, firewall is Linux 2.2.12-20, bind is 8.2.2_P7 (yeah, I know, I
> haven't had a chance, yet, OK?).
> Thanks,
> Steve
--
Peter Håkanson
IPSec Sverige (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but I'm trying to keep spam out.
Remove "icke-reklam" and it works.
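Before deciding whether to drop or answer these queries, it helps to see which of your addresses is being looked up and by whom. The following Python script is an added example, not part of the original thread: it tallies `unapproved query` lines (including syslog's "last message repeated" lines) and turns each in-addr.arpa name back into the address it refers to. It assumes the one-line syslog form of the message quoted above; the sample lines, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Message format as quoted in the post (BIND 8 logging through syslog).
QUERY_RE = re.compile(
    r'named\[\d+\]: unapproved query from \[(?P<src>[\d.]+)\]\.\d+ for "(?P<name>[^"]+)"')
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times?")

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE = """\
Apr 24 08:46:14 firewall named[1511]: unapproved query from [192.0.2.97].4713 for "10.113.0.203.in-addr.arpa"
Apr 24 08:46:15 firewall last message repeated 2 times
Apr 24 08:47:01 firewall sshd[220]: Connection closed by 198.51.100.7
Apr 24 08:47:02 firewall last message repeated 3 times
Apr 24 08:47:19 firewall named[1511]: unapproved query from [198.51.100.16].34336 for "10.113.0.203.in-addr.arpa"
Apr 24 09:25:12 firewall named[1511]: unapproved query from [192.0.2.97].64930 for "www.example.com"
""".splitlines()

def summarize(lines):
    """Count refused queries per (source, name), folding in syslog repeat lines."""
    counts, last_key = Counter(), None
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            last_key = (m.group("src"), m.group("name").lower())
            counts[last_key] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_key is not None:
            counts[last_key] += int(r.group("n"))  # repeat of a refusal
        elif not r:
            last_key = None  # other message: a repeat after it is not ours
    return counts

def ptr_target(qname):
    """IPv4 address that a full reverse (PTR) name asks about, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def reverse_lookups(counts):
    """Refused PTR lookups as {address asked about: {source: count}}."""
    out = {}
    for (src, name), n in counts.items():
        ip = ptr_target(name)
        if ip:
            out.setdefault(ip, {})[src] = n
    return out
```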