naive question; using bind behind a firewall
linda w
bind at tlinx.org
Mon Feb 10 00:52:14 UTC 2003
> From: Simon Waters
> Sent: February 03, 2003 03:12a
> The DNS servers listed in this sample are all authoritative for
> the "uk" domain name - I just happen to know this as there is no
> easy way to find out from the list.
>
> I can't see off hand why you should get a domain specific issue
> like this arise.
>
> Are all the bad packets from the same servers - if so you might
> brave a few seconds of query logging to see what "UK" domain
> names your name server is trying to query. Might point us at
> some broken or crazy domain configurations.
> (BTW: Is tlinx.org supposed to have a web page - as www.tlinx.org
> points to tlinx.org, but tlinx.org has no A record.)
---
No webpage at this time.
Generated a few logs...WAG: something broken in what constitutes a
session on my FW box...(?) Just showing top 10 entries to not fill up
message w/logfiles...(zzZZZzz)
Probably not enough to go on yet...at least not for me -- but I don't
have much bind-problem pattern-space recognition experience...
The allowed/denied logs go back about a week earlier than the top
query logs, w/the top query logs likely being affected by processing
of the allowed/denied logs.
Note it is not just the UK DNS servers being denied, they just happen
to be top of the denied list.
Am going to have to narrow down and match up times a bit -- not
sure if that will tell me more or not. Just seems like some timeout
may be set too low somewhere. As near as I can tell, my DNS session
timeout was 4 seconds (now is 10 seconds). Shouldn't that be long
enough to wait for a response? The figures below would indicate
most responses falling outside those levels.
-linda
------------------------
Top queries:
51500 90.105.32.154.in-addr.arpa/PTR/IN
51453 74.128.43.158.in-addr.arpa/PTR/IN
48524 130.240.66.195.in-addr.arpa/PTR/IN
46882 131.164.79.217.in-addr.arpa/PTR/IN
10115 102.41.67.200.in-addr.arpa/PTR/IN
9185 123.53.131.80.in-addr.arpa/PTR/IN
8592 178.41.191.207.in-addr.arpa/PTR/IN
4592 112.180.239.155.in-addr.arpa/PTR/IN
2979 30.14.33.192.in-addr.arpa/PTR/IN
2969 30.93.42.192.in-addr.arpa/PTR/IN
Top allowed (outgoing) traffic (any type):
> 239 239 ns.suse.de;
> 238 238 kerberos.suse.cz;
> 40 40 64.83.120.130;
> 33 33 gkws0.informatik.uni-leipzig.de;
> 29 29 hunter.airscorp.com;
> 17 17 m.gtld-servers.net;
> 16 16 xg.mx.aol.com;
> 16 16 160.128-25.139.193.204.in-addr.arpa;
> 15 15 j.root-servers.net;
> 15 15 220.128-25.139.193.204.in-addr.arpa;
Top Denied (incoming):
< 31138 0 sec-nom.dns.uk.psi.net
< 31073 0 ns-nom.pipex.net
< 29586 0 ns1.nic.uk
< 28703 0 ns2.nic.uk
< 2014 0 b.gtld-servers.net
< 1991 0 g.gtld-servers.net
< 1963 0 e.gtld-servers.net
< 1946 0 f.gtld-servers.net
< 1919 0 k.gtld-servers.net
< 1904 0 l.gtld-servers.net
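
The time matching described in the message can be scripted. The following is an added example, not part of the original post or of BIND: it pairs each inbound reply with the last outbound packet on the same UDP flow and counts how many replies a given session timeout would deny. The log format, the sample records (documentation-range addresses) and the function names are constructed for illustration, and it assumes the firewall's idle timer is refreshed only by outbound packets.

```python
from collections import defaultdict

# Constructed sample: epoch seconds, direction, local UDP port, remote server.
# The format is hypothetical; adapt the split() below to the real firewall log.
SAMPLE_LOG = """\
100.00 OUT 32771 192.0.2.1
100.20 IN 32771 192.0.2.1
101.00 OUT 32772 198.51.100.7
106.50 IN 32772 198.51.100.7
110.00 OUT 32773 198.51.100.7
122.00 IN 32773 198.51.100.7
130.00 IN 32774 203.0.113.9
140.00 OUT 32775 192.0.2.1
141.00 OUT 32775 192.0.2.1
144.50 IN 32775 192.0.2.1
"""

def reply_delays(log_text):
    """Pair each inbound reply with the last outbound packet on the same flow.

    Returns (delays, unsolicited): delays maps server -> seconds between the
    last outbound packet and the reply; unsolicited lists replies that match
    no earlier query at all.
    """
    last_out = {}
    delays = defaultdict(list)
    unsolicited = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, port, server = line.split()
        flow = (int(port), server)
        if direction == "OUT":
            last_out[flow] = float(ts)  # a retransmit refreshes the idle timer
        elif flow in last_out:
            delays[server].append(round(float(ts) - last_out[flow], 3))
        else:
            unsolicited.append(flow)
    return dict(delays), unsolicited

def denied_by_timeout(delays, timeout):
    """Count replies per server that arrive after the session state expired."""
    return {srv: sum(d > timeout for d in ds) for srv, ds in delays.items()}

if __name__ == "__main__":
    delays, unsolicited = reply_delays(SAMPLE_LOG)
    for t in (4, 10):
        print(f"timeout {t}s -> denied per server: {denied_by_timeout(delays, t)}")
    print("replies with no matching query:", unsolicited)
```

Replies that stay denied at every timeout tried, or that land in the unsolicited list, point away from the timeout setting and toward how the firewall matches a reply to its session.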