Getting source IP for notify? (9.2.1)

Larry Rosenman ler at lerctr.org
Tue Sep 2 22:36:19 UTC 2003



--On Tuesday, September 02, 2003 18:33:36 -0400 Kevin Darcy 
<kcd at daimlerchrysler.com> wrote:

> Larry Rosenman wrote:
>
>> Since the ISC mailing list subscription page is broken (I've mailed
>> listmaster at isc.org a week ago), can anyone tell me how to get
>> the IP of a site sending me a notify (using bind 9.2.1)?
>>
>> Aug 31 05:21:18 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative
>> Aug 31 05:21:18 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative
>> Aug 31 08:13:11 lerami in.named[7737]: received notify for zone '0-26.122.158.207.in-addr.arpa': not authoritative
>
> I don't think there's any combination of logging options in BIND 9 that
> will reveal this information.
>
> You could always set up a sniffer (hardware or software) to capture the
> NOTIFY packets. With a sufficiently sophisticated sniffer and some
> tinkering, you should be able to limit it to NOTIFY packets (filter on the
> "opcode" field in the header) for that particular zone (filter on the
> contents of the Question Section). If you have no other
> "0-26.{something}" zones for which you're receiving legitimate NOTIFYs,
> you could simply filter on just the first 5 octets of the Question
> Section instead of the whole thing, e.g. with "snoop" on Solaris:
>
> snoop udp to port domain and \
>       'udp[10] = 0x24' and \
>       'udp[20] = 0x04' and \
>       'udp[21] = 0x30' and \
>       'udp[22] = 0x2d' and \
>       'udp[23] = 0x32' and \
>       'udp[24] = 0x36'
>
> I've never used tcpdump, but I'm sure it would be fairly easy to
> translate that into a set of tcpdump parameters/filters...
>
> - Kevin
>
>
Hrm.  It would be nice if that information was available via a logging 
option.

I'd like to get the bogus notifies turned off, and the IP generating them
would be useful.




-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 972-414-9812                 E-Mail: ler at lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
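The byte offsets in Kevin's snoop filter are fixed by the DNS wire format: the UDP header is 8 bytes, so udp[8..19] is the 12-byte DNS header, udp[10] is the byte holding QR/opcode/AA, and udp[20] is the first label length of the Question Section. The following is an added example, not code from the thread: it constructs a NOTIFY datagram for the zone in Larry's log, decodes the header and question name to pick out which constructed sender sent it, and generates the equivalent tcpdump expression (tcpdump's `udp[N]` indexes from the start of the UDP header exactly as snoop's does). The source addresses are constructed documentation-range placeholders, and the `notify_sources` function stands in for a capture; it takes (source IP, DNS payload) pairs rather than reading from an interface.

```python
"""Identify the sender of a DNS NOTIFY for a given zone from the wire format.

Added example for the bind-users thread above; not part of the original mail.
The datagrams below are constructed, and their source IPs are placeholders.
"""
import struct

OPCODE_NOTIFY = 4   # RFC 1996
RRTYPE_SOA = 6
RRCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + text, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_notify(zone, msg_id=0x1234):
    """Construct a minimal NOTIFY: QR=0, opcode=4, AA=1, one SOA/IN question."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)          # 0x2400, as in the snoop filter
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", RRTYPE_SOA, RRCLASS_IN)


def build_plain_query(name, msg_id=0x4242):
    """Construct an ordinary recursive A query, used as a non-NOTIFY control case."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)   # RD only, opcode 0
    return header + encode_name(name) + struct.pack("!HH", 1, RRCLASS_IN)


def decode_name(payload, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = payload[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a Question Section name")
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_notify(payload):
    """Return (opcode, aa, qname) for a query-form NOTIFY, else None."""
    if len(payload) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    aa = (flags >> 10) & 1
    if qr or opcode != OPCODE_NOTIFY or qdcount < 1:
        return None
    qname, _ = decode_name(payload, 12)   # Question Section starts right after the header
    return opcode, aa, qname


def notify_sources(datagrams, zone):
    """List the source IPs of datagrams that are NOTIFYs for `zone` (stand-in for a capture)."""
    wanted = zone.rstrip(".").lower()
    return [src for src, payload in datagrams
            if (parsed := parse_notify(payload)) and parsed[2].lower() == wanted]


def bpf_filter(zone_prefix):
    """tcpdump expression matching NOTIFYs whose question name starts with zone_prefix.

    udp[10] & 0x78 isolates the opcode bits (0x20 == opcode 4) without requiring AA;
    udp[20] onward is compared against the label-encoded prefix, as in the snoop filter.
    """
    wire = encode_name(zone_prefix)[:-1]     # drop the root terminator: it is only a prefix
    terms = ["udp dst port 53", "udp[10] & 0x78 = 0x20"]
    terms += ["udp[%d] = 0x%02x" % (20 + i, b) for i, b in enumerate(wire)]
    return " and ".join(terms)


ZONE = "0-26.122.158.207.in-addr.arpa"
# Constructed traffic sample; addresses are RFC 5737 documentation placeholders.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", build_notify(ZONE)),
    ("198.51.100.7", build_notify("example.com")),
    ("203.0.113.5", build_plain_query("example.org")),
]

if __name__ == "__main__":
    print("NOTIFY for %s came from: %s" % (ZONE, notify_sources(SAMPLE_DATAGRAMS, ZONE)))
    print("tcpdump -n -i <iface> '%s'" % bpf_filter("0-26"))
```

With the constructed sample, only the first sender is reported, and the generated filter reproduces the snoop offsets byte for byte (0x04, then '0', '-', '2', '6' at udp[20] through udp[24]). Run it against a real capture by feeding `notify_sources` the UDP payloads and source addresses from your sniffer of choice.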


