Unapproved query

phn at icke-reklam.ipsec.nu
Wed Apr 24 19:03:26 UTC 2002


Steve <smallpond at juno.com> wrote:

> My firewall acts as a split-horizon nameserver for the internal
> network.  The local machines use it for DNS, but no outside
> records should point to it.  However, I'm getting hundreds of
> log messages like:

"Running a 'split-horizon' nameserver": does that mean that
you are authoritative for some zone on the Internet? Or does
your ISP handle all DNS for your domain / network?


> Apr 24 08:46:14 firewall named[1511]: unapproved query from
> [207.46.238.97].4713 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:46:15 firewall last message repeated 2 times
> Apr 24 08:47:19 firewall named[1511]: unapproved query from
> [207.46.150.16].34336 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 08:47:20 firewall last message repeated 2 times
> Apr 24 09:25:12 firewall named[1511]: unapproved query from
> [207.46.238.102].64930 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:25:13 firewall last message repeated 2 times
> Apr 24 09:26:18 firewall named[1511]: unapproved query from
> [207.46.150.13].2900 for "xxx.xxx.xxx.xxx.in-addr.arpa"
> Apr 24 09:26:19 firewall last message repeated 2 times

If you _are_ authoritative for your in-addr.arpa range you are
supposed to answer those queries. The queries could be a result
of your users browsing webservers on msn (and the servers wanting
to log your real names).

> The 207 addresses all seem to be in msn or msnbc.  I'm guessing
> someone is spoofing the source so that my REJECT messages go back
> to MS and cause them problems?  I don't think I did anything to
> get Bill G mad at me, except for that unlicensed copy of Excel.

> What I'm thinking of doing is adding an ipchains rule like:

> ipchains -A input -j DENY -p tcp -d xxx.xxx.xxx.xxx:42 -i eth1

There is a reason that they ask your server. Have you thought of
that?

> so that the requests will drop silently.  Since I've never written
> an ipchains rule before, I thought I'd ask if anyone has done this?
> Better solution?

> Oh, firewall is Linux 2.2.12-20, bind is 8.2.2_P7  (yeah, I know, I 
> haven't had a chance, yet, OK?).

> Thanks,
> Steve


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but I'm trying to keep spam out.
           Remove "icke-reklam" and it works.
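The point of the reply above is that an "unapproved query" is not an attack to be firewalled but the result of the server's own allow-query policy: if the reverse zone is delegated to this server, the world has to be allowed to query it, while an internal forward zone stays restricted to the LAN. The following script is an added example, not code from the thread or from BIND: it parses the log format shown in the messages above, models the allow-query decision that produces the message, and reports which queries the server is obliged to answer. The zone names, the 192.0.2.0/24 internal network and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the BIND 8 "unapproved query" format quoted in the
# thread. The queried names are invented; the original poster masked his real ones.
SAMPLE_LOG = """\
Apr 24 08:46:14 firewall named[1511]: unapproved query from [207.46.238.97].4713 for "5.2.0.192.in-addr.arpa"
Apr 24 08:46:15 firewall last message repeated 2 times
Apr 24 08:47:19 firewall named[1511]: unapproved query from [207.46.150.16].34336 for "5.2.0.192.in-addr.arpa"
Apr 24 09:25:12 firewall named[1511]: unapproved query from [207.46.238.102].64930 for "www.corp.example"
"""

LOG_RE = re.compile(
    r'unapproved query from \[(?P<ip>[^\]]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]+)"'
)

# Hypothetical split-horizon policy: the reverse zone is delegated to us by the ISP, so
# anyone may query it; the internal forward zone is visible to the LAN only.
ZONES = {
    "2.0.192.in-addr.arpa": ["any"],
    "corp.example": ["192.0.2.0/24", "127.0.0.1/32"],
}


def parse_unapproved(text):
    """Extract (source_ip, source_port, qname) from named's 'unapproved query' lines.

    "last message repeated N times" lines carry no query and are skipped.
    """
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append((m["ip"], int(m["port"]), m["qname"].rstrip(".").lower()))
    return records


def in_zone(qname, zone):
    """True if qname is the zone apex or lies below it."""
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)


def acl_allows(acl, ip):
    """Evaluate a BIND-style address match list (first matching entry wins)."""
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def classify(records, zones=ZONES):
    """Decide, per logged query, which zone it hits and what the policy says about it.

    Returns (ip, qname, zone, verdict) with verdict one of:
      "must answer"  - the zone is ours and allow-query admits the client
      "refuse"       - the zone is ours but the client is outside the ACL
      "not ours"     - a recursion request for somebody else's name
    """
    results = []
    for ip, _port, qname in records:
        zone = next((z for z in zones if in_zone(qname, z)), None)
        if zone is None:
            verdict = "not ours"
        elif acl_allows(zones[zone], ip):
            verdict = "must answer"
        else:
            verdict = "refuse"
        results.append((ip, qname, zone, verdict))
    return results


def sources_by_net(records, prefix=24):
    """Count querying hosts per /prefix, to see whether one network is behind the noise."""
    return Counter(
        str(ipaddress.ip_interface(f"{ip}/{prefix}").network) for ip, _p, _q in records
    )


if __name__ == "__main__":
    recs = parse_unapproved(SAMPLE_LOG)
    for ip, qname, zone, verdict in classify(recs):
        print(f"{ip:16} {qname:30} zone={zone} -> {verdict}")
    print(sources_by_net(recs))
```

Run against a real named log, the "must answer" rows are queries the allow-query policy is wrongly refusing (fix the ACL on that zone); only the "refuse" rows are candidates for a firewall rule, and even those are better handled by the ACL, since a silent DENY makes the remote resolver retry and wait for a timeout.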


More information about the bind-users mailing list