Help understanding lame server error

Scott Haneda talklists at newgeo.com
Thu Nov 20 08:45:26 UTC 2008


On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
> Scott Haneda wrote:
>> I have a good deal of lame server errors in my logs, which I am not  
>> entirely understanding.
>>
>> 19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving  
>> '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):  
>> 209.234.64.192#53
> 73.234.209.in-addr.arpa has been delegated to ns1.networkiowa.com  
> (address 209.234.64.192), but that nameserver is not responding  
> authoritatively for the zone. This is referred to technically as  
> being "lame".
>
> Fortunately one of the other delegated nameservers  
> (storm.weather.net) *is* responding authoritatively. So the zone is  
> not completely broken. But named is logging this as a warning. You  
> can configure logging to ignore these lame-server conditions.

Generally I want to know, as there are cases where I mess up, and  
something bad happens.  I watch the logs, and know to fix it.  So I am  
not so much minding the data in my logs, but more just wanting to  
understand what is causing these lookups.

>> 19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.48.20#53
>> 19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving  
>> '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?):  
>> 209.43.20.115#53
>> 19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.52.20#53
>> 19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving  
>> '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):  
>> 209.183.48.21#53
> I assume, without looking, that the causes for these are similar to  
> the example above.

Yes, I have thousands of these entries.  I usually use another NS to  
point my email server to, that one has become a little flakey, so I  
moved to using my own local NS on the same machine as the email server.

>> My server is not allowing recursions, other than to localnets.  
>> about the only thing hitting it is an email server. So I am not  
>> clear on why these lookups are happening, or why they are coming  
>> from all these other IPs.
> Most email software these days, as a default, performs reverse- 
> lookups of connecting client addresses as a form of spam detection  
> (because it's common knowledge that spammers are genetically  
> incapable of populating reverse records). It is thus perfectly  
> normal to see a lot of reverse-lookup traffic from email servers.

Correct, but that is what is strange.  I am very familiar with my  
email server, and I am not doing reverse PTR record checking.  I am of  
course using some DNSBLs and DNSWLs as well, but no reverse checking.

Further, I have allowed only localnets to check recursively on this  
NS.  I know my IP range, and what machines would be hitting it.

> BTW, if you want to determine where all of these reverse lookups  
> were coming from, you could just turn on query logging. Why guess  
> when you can tell for sure?

This is the core of my question, maybe someone can point me to docs,  
or help me understand a log line.  In the example above, I see field 1  
is the date, field 2 is the time, field 3 looks like the error  
description, field 4 is the level, and then there are the rest of the  
bits.  However, I thought the last part, was an IP and a port, telling  
me, that IP, asked on port 53, for a lookup of my server.  So in this  
case, why do I need to look at the query log, when I believe, this log  
tells me who is doing the lookup.

If this really was the email server doing this lookup, all the lines  
should share the same IP in common.  So let's assume that for a  
second, this is a reverse record lookup, that means my email server is  
asking of my NS for a record/response.  Should I not see my IP in  
those log lines?

Here is another example, I think not a reverse lookup for sure:
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving  
'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53

Doesn't that mean that 195.178.32.2 requested a lookup from my NS for  
szi.szi.sv.gov.yu?  I have an email server, and a bunch of web  
servers, the web servers do not have DNS lookups on, so those are not  
asking anything of my DNS server.  The only thing that should be, is  
the email server, but that is not adding up, since I do not have  
reverse lookup checking enabled.

I can think of one thing, which is my web stats server, which I would  
think, does resolve IPs to host names, in order to show a report of  
what domains are going to websites.  That being said, I would think,  
that I should see the source of the query IP in the lame server log  
line.

Is there a way to log the client IP on that line?

Thanks
--
Scott
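
Following Kevin Darcy's explanation quoted in the message above (the address at the end of a lame-servers line is the delegated nameserver that did not answer authoritatively for the zone), this added example, which is not part of the original post, parses those lines and groups them by zone and lame server. The function names are made up for illustration; the log lines are the ones from the post with the e-mail line wrapping undone.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the post above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
"""

# date, time, category, severity, name being resolved, delegated zone, remote server#port
LAME_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) lame-servers: (?P<level>\w+): "
    r"lame server resolving '(?P<qname>[^']*)' "
    r"\(in '(?P<zone>[^']*)'\?\): (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

def parse_lame_line(line):
    """Return the fields of one lame-servers line as a dict, or None if it does not match."""
    m = LAME_RE.match(line.strip())
    return m.groupdict() if m else None

def reverse_name_to_ip(qname):
    """Turn 'd.c.b.a.in-addr.arpa' into 'a.b.c.d'; return None for any other name."""
    labels = qname.rstrip(".").lower().split(".")
    if (len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]
            and all(label.isdigit() for label in labels[:4])):
        return ".".join(reversed(labels[:4]))
    return None

def summarize(log_text):
    """Per delegated zone: how often each remote server was lame, and for which lookups."""
    zones = defaultdict(lambda: {"servers": Counter(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_lame_line(line)
        if rec is None:
            continue  # not a lame-servers line
        zones[rec["zone"]]["servers"][rec["server"]] += 1
        zones[rec["zone"]]["names"].add(reverse_name_to_ip(rec["qname"]) or rec["qname"])
    return dict(zones)

if __name__ == "__main__":
    for zone, info in sorted(summarize(SAMPLE_LOG).items()):
        print(zone, "lame servers:", dict(info["servers"]),
              "looked up:", sorted(info["names"]))
```

The client that triggered each lookup is not part of this log category; query logging, which Kevin Darcy suggests in the quoted reply, is where that address is recorded.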



