Date: Wed, 27 May 1998 16:34:57 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: kbrown@primelink.com, freebsd-isp@FreeBSD.ORG
Subject: Re: strange named syslog entries
Message-ID: <199805272334.QAA18811@salsa.gv.tsc.tdk.com>
In-Reply-To: kbrown@primelink.com "strange named syslog entries" (May 27, 8:56am)

On May 27, 8:56am, kbrown@primelink.com wrote:
} Subject: strange named syslog entries
} Time for another round of named syslog entries questions...
}
} After getting nailed by the latest round of exploit attempts of bind 4.9.3
} I recently upgraded to 8.1.1 and have been watching it very closely.
}
} Over the past couple of days, I have found the following entries in my
} syslog which concern me:
}
} May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !<
} 125.29.206.in-addr.arpa)
} May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !<
} 125.29.206.in-addr.arpa)
} May 20 21:00:33 ns1 named[4752]: bad referral (com !< INFIND.com)
} May 21 15:13:24 ns1 named[4752]: bad referral (com !< INFIND.com)
} May 25 01:59:16 ns1 named[4752]: bad referral (83.72.170.38.in-addr.arpa !<
} *.170.38.in-addr.arpa)
} May 25 02:05:46 ns1 named[4752]: bad referral (2.181.165.38.in-addr.arpa !<
} *.165.38.in-addr.arpa)
} May 26 08:11:27 ns1 named[4752]: bad referral (ATT.net !<
} NS.ELS-GMS.ATT.NET)
} May 26 15:03:35 ns1 named[4752]: bad referral (com !<
} microsoft-online-sales.com)
}
} What is the cause of this?

Usually this is caused by missing NS records in the zone file at the top
of the zone (at the same level as the SOA) on the server that your server
queried. Newer versions of BIND will reject these zone files, but older
ones will load them and return whatever NS records they find between the
top of the zone and the root.

BTW, you should upgrade to 8.1.2, since 8.1.1 has some memory leaks and
also has some exploitable bugs.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
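
An added example, not part of the original message or of BIND: a small Python triage of the quoted "bad referral" lines that separates entries where the left-hand name is an ancestor of the right-hand name (the NS-records-from-above case the reply describes) from the rest. The reading of the two names in the log line and all function names are assumptions; the sample lines are the quoted ones with the mail wrapping rejoined.

```python
import re
from collections import Counter

# Log lines quoted in the message above, with the mail line wraps rejoined.
SAMPLE = """\
May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !< 125.29.206.in-addr.arpa)
May 18 02:02:25 ns1 named[4752]: bad referral (29.206.in-addr.arpa !< 125.29.206.in-addr.arpa)
May 20 21:00:33 ns1 named[4752]: bad referral (com !< INFIND.com)
May 21 15:13:24 ns1 named[4752]: bad referral (com !< INFIND.com)
May 25 01:59:16 ns1 named[4752]: bad referral (83.72.170.38.in-addr.arpa !< *.170.38.in-addr.arpa)
May 26 08:11:27 ns1 named[4752]: bad referral (ATT.net !< NS.ELS-GMS.ATT.NET)
May 26 15:03:35 ns1 named[4752]: bad referral (com !< microsoft-online-sales.com)
"""

BAD_REFERRAL = re.compile(r"named\[\d+\]: bad referral \((\S+) !< (\S+)\)")

def labels(name):
    """Lower-cased DNS labels, root-most first (DNS names compare case-insensitively)."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []

def classify(referred, queried):
    """Assumed reading of the log line: 'referred' owns the NS records that
    came back, 'queried' is the domain the resolver was asking about."""
    r, q = labels(referred), labels(queried)
    if len(r) < len(q) and q[:len(r)] == r:
        return "upward"    # NS records from an ancestor zone, as the reply describes
    return "sideways"      # not an ancestor of the queried name; look closer

def triage(text):
    """Return {(referred, queried): (kind, count)} for every bad-referral line."""
    counts = Counter()
    for line in text.splitlines():
        m = BAD_REFERRAL.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return {pair: (classify(*pair), n) for pair, n in counts.items()}

if __name__ == "__main__":
    for (referred, queried), (kind, n) in sorted(triage(SAMPLE).items()):
        print(f"{kind:8} x{n}  {referred} !< {queried}")
```

Entries reported as "upward" fit the missing-apex-NS explanation given in the reply; "sideways" entries, such as the wildcard in-addr.arpa lines, do not match that pattern and are worth checking individually.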