Date: Mon, 17 Feb 2003 20:17:57 -0600
Message-ID: <873cmmpc16.wl@bemidji.meridian-enviro.com>
From: "Douglas K. Rand"
To: freebsd-security@freebsd.org, freebsd-ports@freebsd.org
Subject: FireDNS and net.inet.udp.log_in_vain

I've been playing with MessageWall on one of our systems, and I noticed that we've been getting a lot of messages like:

    Connection attempt to UDP : from :53

in our logs. I have log_in_vain="YES" in my /etc/rc.conf, which sets:

    net.inet.tcp.log_in_vain: 1
    net.inet.udp.log_in_vain: 1

After a little work with tcpdump, these are queries of the black hole lists (openrbl.org) that MessageWall does. For speed (and security?), MessageWall uses the FireDNS library to do DNS queries. After a little more digging, I found that I can reproduce these messages by using the fdnsip command that comes with FireDNS. Everything seems to work just fine, the queries work, and return what you expect.

It seems that I can virtually eliminate these messages by removing all but one host from my /etc/resolv.conf, not a solution that I'm keen on. Has anybody else noticed this, and is there a solution other than "Ignore those log messages" or "Unset net.inet.udp.log_in_vain"? (Both of these solutions /are/ fairly reasonable.)
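
Added example, not part of the original message: a Python sketch that sorts log_in_vain UDP entries into those arriving from port 53 of a nameserver listed in resolv.conf and everything else, so the resolver-related lines can be counted apart from the entries that still need review. The sample resolv.conf, log lines and addresses are constructed, the function names are hypothetical, and only IPv4 addresses are matched.

```python
import re
from collections import Counter

# Kernel message logged when net.inet.udp.log_in_vain=1 (IPv4 form assumed).
LOG_RE = re.compile(
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def nameservers(resolv_conf_text):
    """Return the set of nameserver addresses found in resolv.conf text."""
    servers = set()
    for line in resolv_conf_text.splitlines():
        # Drop trailing comments ('#' or ';') before splitting into fields.
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.add(fields[1])
    return servers

def triage(log_lines, resolvers):
    """Split UDP log_in_vain entries into (per-resolver counts, other lines)."""
    resolver_hits = Counter()
    other = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a UDP log_in_vain entry
        if m["sport"] == "53" and m["src"] in resolvers:
            resolver_hits[m["src"]] += 1
        else:
            other.append(line)  # unknown source: keep for manual review
    return resolver_hits, other

# Constructed sample input (documentation address ranges).
SAMPLE_RESOLV = """# constructed sample
nameserver 192.0.2.53
nameserver 192.0.2.54 ; secondary
search example.org
"""
SAMPLE_LOG = [
    "Feb 17 20:10:01 mx /kernel: Connection attempt to UDP 192.0.2.10:1047 from 192.0.2.53:53",
    "Feb 17 20:10:01 mx /kernel: Connection attempt to UDP 192.0.2.10:1047 from 192.0.2.54:53",
    "Feb 17 20:10:05 mx /kernel: Connection attempt to UDP 192.0.2.10:1051 from 192.0.2.53:53",
    "Feb 17 20:11:12 mx /kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.7:137",
    "Feb 17 20:12:40 mx /kernel: Connection attempt to UDP 192.0.2.10:1060 from 198.51.100.9:53",
    "Feb 17 20:13:02 mx /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:4000",
]
```

Entries from port 53 of a host that is not in resolv.conf stay in the second list, since they do not correspond to a configured resolver.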