On Wednesday 2007-04-25 at 21:27 +0100, G.T.Smith wrote:
Why the OP gets 5 rcode entries and I get two (before the lame error) might have to do with the number of forwarders in his definition. The first block in my case corresponds to the forwarders; the second I don't know; in any case, they are DNS servers my daemon interrogated. But the culprit one is that of the attackers, not any DNS on our side.
> My DNS is purely a cache DNS and is only authoritative for local address space and is not that busy.
like mine.
> I do not see the above after making the host query (though the DNS logs do not seem to have been updated for quite some time, and I have not made any changes to the configuration in this respect for one hell of a long time, so this is something I need to check).
Because I have this entry in /etc/named.conf:

logging {
    channel lame_errors {
        file "/var/lib/named/log/named-lame-servers" versions 2 size 200k;
        severity debug 3;
        print-severity yes;
        print-time yes;
    };
    category lame-servers { lame_errors; };
};
> My DNS logs are also directed to the main log files and nothing shows up there. My firewalling is done at the DSL router (I tend to prefer not to have front-line firewalling on a machine that is providing other services); the DSL modem relays external DNS requests (no local machine directly contacts the ISP's DNS servers). There was a serious pause for the first request for the address, but subsequent requests were rejected quite quickly....
More or less the same here.
> In this case, the fails are legitimate rejections... Of the other four, one has to ask why these are asked again (and again) in the original case when they are either broken or do not want to talk...
It must have to do with the response given by the DNS server that makes our side think that the answer is not definitive and that another server may think differently.
> I would also ask: are these addresses defined as the forwarding servers? If you and the original poster are both running a full DNS server, this would suggest that queries to the address space quoted are being redirected to an address of a server which the referrer believes can handle this address space (it is a long time since I read the relevant RFCs and I cannot remember how this bit is supposed to work, so I am probably way off beam here). These referrals seem to be broken, hence the DNS error reports...
Mine asks first my ISP's DNS servers, then the root servers. I.e., I have "forward first".
> This would tend to imply that the initial ftp query is not an attack on the ftp accounts concerned but an attempt to attack the DNS itself by firing up a lookup for a dodgy address via a mangled server. I cannot replicate the problem, but it might be worthwhile to have a look at the communication involved by those who can.
It may be coincidental and not intentional, but who knows.

- -- 
Cheers,
Carlos E. R.
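As an added example (not part of this thread, and not BIND's own code), here is a small Python script that tallies the lines a lame-servers channel like the one above writes, so one can see which server named keeps re-asking for which zone, and whether that server is one of the configured forwarders (the question raised above). The line shape is an assumption: BIND 9 logs the message "lame server resolving '<name>' (in '<zone>'?): <ip>#<port>", and with print-time and print-severity on the channel prefixes a timestamp and a severity. The sample log lines and the FORWARDERS list are constructed for the example and do not come from either poster's setup.

```python
import re
from collections import Counter, defaultdict

# Assumed line shape for a BIND 9 lame-servers channel with print-time and
# print-severity enabled:
#   dd-Mon-yyyy hh:mm:ss.mmm <severity>: lame server resolving '<name>' (in '<zone>'?): <ip>#<port>
LAME_RE = re.compile(
    r"^(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<severity>[a-z]+(?: \d+)?): "
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

# Constructed sample log (documentation addresses, not real servers).
SAMPLE_LOG = """\
25-Apr-2007 21:27:01.101 debug 3: lame server resolving 'ftp.example.net' (in 'example.net'?): 198.51.100.7#53
25-Apr-2007 21:27:01.355 debug 3: lame server resolving 'ftp.example.net' (in 'example.net'?): 198.51.100.8#53
25-Apr-2007 21:27:02.010 debug 3: lame server resolving 'ftp.example.net' (in 'example.net'?): 198.51.100.7#53
25-Apr-2007 21:27:02.222 debug 3: lame server resolving 'www.example.org' (in 'example.org'?): 203.0.113.9#53
25-Apr-2007 21:27:02.500 info: some unrelated named message
"""

# Hypothetical forwarders {} list from named.conf, for classification only.
FORWARDERS = ["203.0.113.9"]


def parse_lame_lines(text):
    """Return one dict per lame-server line; other named messages are skipped."""
    records = []
    for line in text.splitlines():
        m = LAME_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def tally(records):
    """Count reports per (server, zone) and collect the names that triggered them."""
    counts = Counter((r["server"], r["zone"]) for r in records)
    names = defaultdict(set)
    for r in records:
        names[(r["server"], r["zone"])].add(r["name"])
    return counts, names


def classify(records, forwarders):
    """Label each lame server as a configured forwarder or an outside server."""
    fwd = set(forwarders)
    return {r["server"]: ("forwarder" if r["server"] in fwd else "external")
            for r in records}


def repeat_offenders(records, threshold=2):
    """(server, zone) pairs that named went back to at least `threshold` times."""
    counts, _ = tally(records)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_lame_lines(SAMPLE_LOG)
    counts, names = tally(recs)
    labels = classify(recs, FORWARDERS)
    for (server, zone), n in counts.most_common():
        print(f"{server:15} {zone:15} x{n:<3} {labels[server]:9} "
              f"names={sorted(names[(server, zone)])}")
    print("repeat offenders:", repeat_offenders(recs))
```

Run it against the real channel file with `python3 lame_tally.py < /var/lib/named/log/named-lame-servers` after replacing SAMPLE_LOG with `sys.stdin.read()`; a server that shows up as "external" and is retried many times for one zone is the one worth looking at in a packet capture.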