Thread: Strange named entries in syslog

  1. #1
    Join Date
    Sep 2006
    Location
    Maryland, USA
    Beans
    260
    Distro
    Ubuntu 12.04 Precise Pangolin

    Strange named entries in syslog

    I was just looking around and did a tail on my syslog and some strange entries came up:

    Code:
    Mar 30 06:30:55 ubuntu named[1101]: error (network unreachable) resolving 'ns.iasi.roedu.net/A/IN': 2001:b30:1:100::100#53
    Mar 30 06:30:55 ubuntu named[1101]: error (network unreachable) resolving 'ns.iasi.roedu.net/A/IN': 2001:b30:1:80::2#53
    Mar 30 06:30:55 ubuntu named[1101]: error (network unreachable) resolving 'www.robtex.com/AAAA/IN': 2001:503:231d::2:30#53
    Mar 30 06:31:06 ubuntu named[1101]: error (network unreachable) resolving 'ns1.u-strasbg.fr/AAAA/IN': 2001:660:3006:4::1:1#53
    Mar 30 06:31:06 ubuntu named[1101]: error (network unreachable) resolving 'ns2.u-strasbg.fr/AAAA/IN': 2001:660:3005:3::1:1#53
    Mar 30 06:31:06 ubuntu named[1101]: error (network unreachable) resolving 'www.isunet.edu/A/IN': 2001:660:2402::1#53
    Mar 30 06:31:06 ubuntu named[1101]: error (network unreachable) resolving 'www.isunet.edu/A/IN': 2001:660:2402::2#53
    Mar 30 06:31:10 ubuntu named[1101]: error (unexpected RCODE SERVFAIL) resolving 'www.kacst.edu.sa/AAAA/IN': 147.28.0.39#53
    Mar 30 06:31:11 ubuntu named[1101]: error (network unreachable) resolving 'internet.kacst.edu.sa/AAAA/IN': 2001:418:1::39#53
    Mar 30 06:31:16 ubuntu named[1101]: error (unexpected RCODE SERVFAIL) resolving 'owa.kacst.edu.sa/A/IN': 147.28.0.39#53

    I'm a Verizon customer in Maryland, USA running Linux at my home and I don't understand why named is looking at servers in France and Saudi Arabia. Am I just being paranoid?
    Impari Systems, Inc
    http://www.imparisystems.com

  2. #2
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Strange named entries in syslog

    Port 53 is for DNS service, are you running a DNS server of any kind?

  3. #3
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Strange named entries in syslog

    Depends on your DNS provider. What is the output of 'cat /etc/resolv.conf'?
    Things are rarely just crazy enough to work, but they're frequently just crazy enough to fail hilariously.

  4. #4
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Strange named entries in syslog

    Are you running a mail server on this machine? I see these often when my server tries to check on spoofed inbound spam.

    Also the "network unreachable" errors all concern IPv6 addresses.
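
The observation in post #4 can be checked mechanically. The following is an added example, not part of any post in this thread: it parses named resolver error lines (a subset copied from the excerpt in post #1) and tallies them by error reason and by the address family of the upstream server. The function names and the regular expression are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the syslog excerpt in post #1 of this thread.
SAMPLE = """\
Mar 30 06:30:55 ubuntu named[1101]: error (network unreachable) resolving 'ns.iasi.roedu.net/A/IN': 2001:b30:1:100::100#53
Mar 30 06:30:55 ubuntu named[1101]: error (network unreachable) resolving 'www.robtex.com/AAAA/IN': 2001:503:231d::2:30#53
Mar 30 06:31:06 ubuntu named[1101]: error (network unreachable) resolving 'www.isunet.edu/A/IN': 2001:660:2402::1#53
Mar 30 06:31:10 ubuntu named[1101]: error (unexpected RCODE SERVFAIL) resolving 'www.kacst.edu.sa/AAAA/IN': 147.28.0.39#53
Mar 30 06:31:16 ubuntu named[1101]: error (unexpected RCODE SERVFAIL) resolving 'owa.kacst.edu.sa/A/IN': 147.28.0.39#53
"""

# error (<reason>) resolving '<name>/<type>/<class>': <upstream address>#<port>
LINE_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)\s*$"
)

def parse_line(line):
    """Return a dict for one resolver error line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Address family of the upstream server named asked, not of the record type.
        rec["family"] = "IPv%d" % ipaddress.ip_address(rec["server"]).version
    except ValueError:
        return None
    return rec

def summarize(text):
    """Tally (reason, upstream family) pairs and list the names being resolved."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    counts = Counter((r["reason"], r["family"]) for r in records)
    names = sorted({r["name"] for r in records})
    return records, counts, names

if __name__ == "__main__":
    records, counts, names = summarize(SAMPLE)
    for (reason, family), n in sorted(counts.items()):
        print(f"{n:3d}  {reason:28s} upstream={family}")
    print("names being resolved:", ", ".join(names))
```

On a host without IPv6 connectivity, every "network unreachable" entry should land in the IPv6 bucket; the sorted name list is what to compare against the lookups you expect the machine to make.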

  5. #5
    Join Date
    Sep 2006
    Location
    Maryland, USA
    Beans
    260
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Strange named entries in syslog

    Yes, I am running a DNS on this box - but I get the DNS servers from Verizon (I thought). Here's the contents of my /etc/resolv.conf

    Code:
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.0.1
    search imparisystems.local

    And here's my named.conf

    Code:
    cat named.conf
    include "/etc/bind/named.conf.options";
    // include "/etc/bind/keys";
    
    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/bind/db.root";
    };
    
    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    
    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
    };
    
    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };
    
    zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
    };
    
    zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
    };
    
    include "/etc/bind/named.conf.local";

    Impari Systems, Inc
    http://www.imparisystems.com

  6. #6
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Strange named entries in syslog

    OK. That means that you should only be querying servers listed in your named.conf.options file under the heading "forwarders". Those servers may themselves forward (or do messed up things to NX Domain results), so you can't always count on your return traffic originating from the next hop DNS server.

    Anyway, the domain exists, but the hosts don't seem to:
    Code:
    Lucid:~$ whois kacst.edu.sa
    % SaudiNIC Whois server.
    % Rights restricted by copyright.
    % http://www.nic.net.sa/tools/copyright.php
    
    Domain Name: kacst.edu.sa
    
     Registrant:
     King Abdulaziz City for Science & Technology مدينة الملك عبدالعزيز للعلوم والتقنية
     Address: ~noAddress  P.O.Box. 6086 ص.ب. 
     11442 Riyadh الرياض
     Saudi Arabia المملكة العربية السعودية
    
     Administrative Contact:
      عبدالله حمود الحبردي (4d47dfa7ce717-sa)
      Address: طريق الملك عبدالله 
      11442 الرياض
      Saudi Arabia
    
     Technical Contact:
      Hamad Al-Sulayem (TEC-1-HS03-SA)
      Address: طريق الملك عبدالله 
      11442 Riyadh الرياض
      Saudi Arabia المملكة العربية السعودية
    
     Name Servers:
      ns1.isu.net.sa
      ns.kacst.edu.sa (212.26.44.3)
      iserv.kacst.edu.sa (212.26.44.4)
      rip.psg.com
    
    Created on: 2000-07-11
    Last Updated on: 2011-02-01

    As you can see, isu.net (isunet.edu) is one of their nameservers.

    So, I think you are fine, as long as you can account for why your PC might be trying to access a domain in Saudi Arabia.
    Things are rarely just crazy enough to work, but they're frequently just crazy enough to fail hilariously.

  7. #7
    Join Date
    Mar 2011
    Location
    127.0.0.1
    Beans
    13

    Re: Strange named entries in syslog

    You didn't show your named options, but I'd guess you're allowing recursion, and people are using you as an 'open recursive' name server. If that is not by design, I would recommend you disable recursion, or at least restrict it to your LAN.

    To disable recursion you simply add this clause to your options statement:
    recursion no;

    More detail here:
    http://www.zytrax.com/books/dns/ch9/close.html
