Date:      Mon, 17 Feb 2003 23:55:10 -0500
From:      Scott Lambert <lambert@lambertfam.org>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: FireDNS and net.inet.udp.log_in_vain
Message-ID:  <20030218045510.GC44928@laptop.lambertfam.org>
In-Reply-To: <871y26p8fe.wl@bemidji.meridian-enviro.com>
References:  <873cmmpc16.wl@bemidji.meridian-enviro.com> <20030218032338.GA32867@rot13.obsecurity.org> <871y26p8fe.wl@bemidji.meridian-enviro.com>

On Mon, Feb 17, 2003 at 09:35:49PM -0600, Douglas K. Rand wrote:
> Doug> Has anybody else noticed this, and is there a solution other
> Doug> than "Ignore those log messages" or "Unset
> Doug> net.inet.udp.log_in_vain"? (Both of these solutions /are/ fairly
> Doug> reasonable.)
> 
> Kris> log_in_vain means "log all connection attempts".  And that's
> Kris> precisely what it's doing :-) Turn it off or filter it if you
> Kris> don't actually want to see ALL connection attempts.
> 
> I hate to be contrary, but.... That's not what /etc/defaults/rc.conf
> says:
> 
>    log_in_vain="0"                 # >=1 to log connects to ports w/o listeners.

<snip>blah, blah, blah</snip>

FireDNS may be kicking off a DNS query to each of the name servers
listed in your /etc/resolv.conf.  Then it stops listening for other
responses when the first response is heard.  Therefore the port(s) that
were used for the other initial DNS quer(y|ies) are closed by the time
the DNS servers actually respond.

This can happen if the DNS server responds after the resolver has timed
out.  Which could also be the case in your situation.  This happens
regularly when your link to the DNS server is full when you submit the
query.

If you don't like to see them, filter syslog lines for connection
attempts originating from any of your name servers on port 53.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org      
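
Added example, not part of the original message: one way to do the filtering suggested above, dropping only the log_in_vain UDP lines whose source is a name server from resolv.conf on port 53 and keeping every other connection attempt. It assumes the kernel message format "Connection attempt to UDP <dst>:<port> from <src>:<port>"; the function names, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# filter_late_dns RESOLV_CONF: read syslog lines on stdin, drop log_in_vain
# UDP entries whose source is a listed name server on port 53, print the rest.
filter_late_dns() {
    awk -v conf="$1" '
        BEGIN {
            # Collect the addresses from "nameserver <addr>" lines.
            while ((getline line < conf) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] == "nameserver") ns[f[2]] = 1
            }
            close(conf)
        }
        /Connection attempt to UDP / {
            # Assumed format: Connection attempt to UDP <dst>:<port> from <src>:<port>
            src = ""
            for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
            port = src
            sub(/.*:/, "", port)                      # text after the last colon
            host = substr(src, 1, length(src) - length(port) - 1)
            gsub(/^\[|\]$/, "", host)                 # strip [ ] around IPv6
            if (port == "53" && (host in ns)) next    # late reply from our resolver
        }
        { print }
    '
}

# Constructed sample data (not from the original message).
sample_resolv_conf() {
    printf '%s\n' 'search example.test' 'nameserver 192.0.2.53' 'nameserver 192.0.2.54'
}
sample_log() {
    cat <<'EOF'
Feb 17 21:30:01 gw /kernel: Connection attempt to UDP 192.0.2.10:49152 from 192.0.2.53:53
Feb 17 21:30:02 gw /kernel: Connection attempt to UDP 192.0.2.10:49153 from 192.0.2.54:53
Feb 17 21:30:05 gw /kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.7:53
Feb 17 21:30:09 gw /kernel: Connection attempt to UDP 192.0.2.10:161 from 192.0.2.53:4444
Feb 17 21:30:11 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.9:1025
EOF
}
```

Matching on both the resolver address and source port 53 keeps lines from unknown hosts using port 53, and from a resolver's address on any other port, visible in the log.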
