Date:      Sun, 21 May 2000 22:01:30 -0500 (CDT)
From:      Gene Harris <zeus@tetronsoftware.com>
To:        freebsd-questions@freebsd.org
Subject:   Named NOTIFY strangeness
Message-ID:  <Pine.BSF.4.21.0005212157560.9775-100000@ns1.tetronsoftware.com>

I am noticing some strangeness whenever I start or restart my named daemon:
/usr/sbin/named -u bind -g bind.  I am running 3.4-stable updated Friday,
cvsup'ed Friday, May 20th.  Bind is 8.2.2-P5.

The messages log file shows the following:
[normal stuff snipped]

May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "blahblah.com IN SOA" (blahblah.com); 1 NS, 1 A

May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0

May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)

May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0

May 21 16:02:07 ns1 natd[288]: failed to write packet back (Permission denied)

The notification should be sent to my slave name server at xx.yy.zz.11, but
instead is attempting to notify 115.119.98.99.  Fortunately, my firewall rules
don't like this connection and reject it.  My question is, what the heck is
going on?  I just rebuilt world this weekend (normal cycle for me), and named
appears to be correct (not substituted by a root kit version.)  I have been
reading about poisoned caches, etc., but "ndc restart" does not appear to be
clearing my cache.

Prior to Friday morning, May 19, 2000 about 04:00 hours CDT, everything was 
normal.  Can someone point me in the right direction?  I assume my DNS cache
has been corrupted, because my little site was hit by some sort of DNS attack
about 10 minutes before the time given above.

Many Thanks!
Gene Harris

         Tetron Software, LLC
    http://www.tetronsoftware.com
FreeBSD  Apache  PostgreSQL  Oracle 8/8i
Windows 95/98/NT  Visual C  Visual Basic
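
The symptom described in the message above can be checked for mechanically. The following is an added example, not part of the original e-mail: it correlates named "Sent NOTIFY" entries with ipfw denies of outbound port-53 UDP and reports destinations that are not an expected slave. The sample log is constructed with documentation addresses, and `EXPECTED_SLAVES`, `WINDOW` and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log lines quoted above; addresses are
# documentation ranges (RFC 5737), not values from the original message.
SAMPLE_LOG = """\
May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "example.com IN SOA" (example.com); 1 NS, 1 A
May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.10:2369 203.0.113.99:53 out via xl0
May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)
May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.10:2369 203.0.113.99:53 out via xl0
May 21 16:02:10 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.10:2370 198.51.100.11:53 out via xl0
May 21 18:40:00 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.10:2401 203.0.113.77:53 out via xl0
"""

EXPECTED_SLAVES = {"198.51.100.11"}   # assumption: the zone's configured slave(s)
WINDOW = timedelta(seconds=60)        # assumption: how long after a NOTIFY to correlate

STAMP = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
NOTIFY_RE = re.compile(STAMP + r'named\[\d+\]: Sent NOTIFY for "(?P<zone>\S+) IN SOA"')
DENY_RE = re.compile(STAMP + r"/kernel: ipfw: (?P<rule>\d+) Deny UDP "
                     r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):53 out via \S+")

def parse_ts(text, year=2000):
    # syslog timestamps carry no year; the year is supplied by the caller
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def unexpected_notify_targets(log_text, expected=EXPECTED_SLAVES, window=WINDOW):
    """Return {zone: {dst: count}} for denied port-53 packets that follow a
    NOTIFY within `window` and go to a host that is not an expected slave."""
    last_notify = None            # (timestamp, zone) of the most recent NOTIFY
    findings = {}
    for line in log_text.splitlines():
        if m := NOTIFY_RE.match(line):
            last_notify = (parse_ts(m["ts"]), m["zone"])
        elif (m := DENY_RE.match(line)) and last_notify:
            when, zone = last_notify
            if parse_ts(m["ts"]) - when <= window and m["dst"] not in expected:
                per_zone = findings.setdefault(zone, {})
                per_zone[m["dst"]] = per_zone.get(m["dst"], 0) + 1
    return findings

if __name__ == "__main__":
    for zone, targets in unexpected_notify_targets(SAMPLE_LOG).items():
        for dst, count in targets.items():
            print(f"{zone}: {count} denied packet(s) to unexpected host {dst}")
```

The match is by time only, so a hit means "port-53 traffic to an unlisted host shortly after a NOTIFY", which still has to be compared against the zone's NS records to see where the target address came from.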



