naive question; using bind behind a firewall

linda w bind at tlinx.org
Mon Feb 10 00:52:14 UTC 2003


> From:  Simon Waters
> Sent: February 03, 2003 03:12a
> The DNS servers listed in this sample are all authoritative for
> the "uk" domain name - I just happen to know this as there is no
> easy way to find out from the list.
>
> I can't see off hand why you should get a domain specific issue
> like this arise.
>
> Are all the bad packets from the same servers - if so you might
> brave a few seconds of query logging to see what "UK" domain
> names your name server are trying to query. Might point us at
> some broken or crazy domain configurations.


> (BTW: Is tlinx.org supposed to have a web page - as www.tlinx.org
> points to tlinx.org, but tlinx.org has no A record.)
---
	No webpage at this time.

	Generated a few logs...WAG: something broken in what constitutes a
session on my FW box...(?)  Just showing top 10 entries to not fill up
message w/logfiles...(zzZZZzz)

	Probably not enough to go on yet...at least not for me -- but I don't
have much bind-problem pattern-space recognition experience...

	The allowed/denied logs go back about a week earlier than the top
query logs, w/the top query logs likely being affected by processing
of the allowed/denied logs.

	Note it is not just the UK DNS servers being denied, they just happen
to be top of the denied list.

	Am going to have to narrow down and match up times a bit -- not
sure if that will tell me more or not.  Just seems like some timeout
may be set too low somewhere.  As near as I can tell, my DNS session
timeout was 4 seconds (now is 10 seconds).  Shouldn't that be long
enough to wait for a response?   The figures below would indicate
most responses falling outside those levels.

-linda

------------------------

	Top queries:
  51500 90.105.32.154.in-addr.arpa/PTR/IN
  51453 74.128.43.158.in-addr.arpa/PTR/IN
  48524 130.240.66.195.in-addr.arpa/PTR/IN
  46882 131.164.79.217.in-addr.arpa/PTR/IN
  10115 102.41.67.200.in-addr.arpa/PTR/IN
   9185 123.53.131.80.in-addr.arpa/PTR/IN
   8592 178.41.191.207.in-addr.arpa/PTR/IN
   4592 112.180.239.155.in-addr.arpa/PTR/IN
   2979 30.14.33.192.in-addr.arpa/PTR/IN
   2969 30.93.42.192.in-addr.arpa/PTR/IN

Top allowed (outgoing) traffic (any type):
>   239 239   ns.suse.de;
>   238 238   kerberos.suse.cz;
>    40 40    64.83.120.130;
>    33 33    gkws0.informatik.uni-leipzig.de;
>    29 29    hunter.airscorp.com;
>    17 17    m.gtld-servers.net;
>    16 16    xg.mx.aol.com;
>    16 16    160.128-25.139.193.204.in-addr.arpa;
>    15 15    j.root-servers.net;
>    15 15    220.128-25.139.193.204.in-addr.arpa;

Top Denied (incoming):
< 31138 0     sec-nom.dns.uk.psi.net
< 31073 0     ns-nom.pipex.net
< 29586 0     ns1.nic.uk
< 28703 0     ns2.nic.uk
<  2014 0     b.gtld-servers.net
<  1991 0     g.gtld-servers.net
<  1963 0     e.gtld-servers.net
<  1946 0     f.gtld-servers.net
<  1919 0     k.gtld-servers.net
<  1904 0     l.gtld-servers.net
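
One way to match up times between outgoing queries and denied replies, as an added example that is not part of the original post: it pairs them by server, local port and DNS ID and checks each delay against the firewall's UDP session timeout. The log format, field order and sample lines are assumptions constructed for illustration, not output from any real firewall.

```python
# Added example: the log format below is hypothetical and every line is constructed.
from collections import Counter

# Fields: time(s) direction remote_ip local_port dns_id action
SAMPLE_LOG = """\
100.00 OUT 192.0.2.53 32770 4711 allow
100.35 IN 192.0.2.53 32770 4711 allow
101.00 OUT 198.51.100.7 32771 1202 allow
106.20 IN 198.51.100.7 32771 1202 deny
110.00 OUT 203.0.113.9 32772 9001 allow
110.40 IN 203.0.113.9 32772 9001 allow
110.90 IN 203.0.113.9 32772 9001 deny
120.00 IN 203.0.113.9 32790 77 deny
"""

def classify_denies(log_text, timeout):
    """Explain each denied inbound reply relative to a UDP state timeout (seconds)."""
    sent = {}         # (remote, port, dns_id) -> time the query left
    answered = set()  # keys for which a reply was already allowed in
    results = []
    for line in log_text.splitlines():
        ts, direction, remote, port, qid, action = line.split()
        ts, key = float(ts), (remote, port, qid)
        if direction == "OUT":
            sent[key] = ts            # (re)transmission opens or refreshes state
            answered.discard(key)
        elif action == "allow":
            answered.add(key)
        else:                         # denied inbound packet
            if key not in sent:
                reason = "unmatched"        # no query seen for this reply
            elif key in answered:
                reason = "duplicate"        # an earlier reply was already accepted
            elif ts - sent[key] > timeout:
                reason = "late"             # reply arrived after state expired
            else:
                reason = "within-timeout"   # timeout does not explain the deny
            delay = round(ts - sent[key], 2) if key in sent else None
            results.append((remote, delay, reason))
    return results

def summary(log_text, timeout):
    """Count denied replies per reason for a given timeout."""
    return Counter(reason for _, _, reason in classify_denies(log_text, timeout))

if __name__ == "__main__":
    for t in (4, 10):                 # the two timeout values mentioned in the post
        print(t, dict(summary(SAMPLE_LOG, t)))
```

Denies that stay in the "within-timeout", "duplicate" or "unmatched" buckets after the timeout is raised point at how the firewall tracks sessions rather than at slow servers.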





