More Syslog interpretation

Mark.Andrews at nominum.com
Fri Jan 7 06:14:59 UTC 2000


> Could somebody shed some light on this please? Is it some sort of attack?

	No this is not an attack.

	Named reports errors which prevent it resolving queries asked of it.

	A "Lame server" is one which has been listed as serving a zone but is
	not doing so.  A "Lame server" can also be a master server that has
	detected an error when loading.

	Mark

> The 254 address is the ip of the ethernet side of the router. Named was
> restarted just prior or after this time because it seemed to be not
> responding
> 
> Jan  6 23:58:21 ns2 named[810]: Lame server on '254.36.239.209.in-addr.arpa'
> (in '36.239.209.IN-ADDR.ARPA'?): [209.239.47.252].53 'NS.ALABANZA.COM'
> Jan  6 23:58:24 ns2 named[810]: bad referral (ARPA !<
> 47.239.209.IN-ADDR.ARPA)
> Jan  6 23:58:24 ns2 last message repeated 17 times
> Jan  6 23:58:45 ns2 named[810]: refused query on non-query socket from
> [203.41.236.254].5459
> Jan  6 23:58:51 ns2 last message repeated 2 times
> Jan  7 00:00:31 ns2 named[810]: refused query on non-query socket from
> [203.41.236.254].9190
> Jan  7 00:00:37 ns2 last message repeated 2 times
> Jan  7 00:03:50 ns2 named[810]: Lame server on '130.145.96.210.in-addr.arpa'
> (in '145.96.210.IN-ADDR.ARPA'?): [164.124.101.31].53 'nis.dacom.co.kr'
> Jan  7 00:05:23 ns2 named[810]: Lame server on '133.193.54.192.in-addr.arpa'
> (in '193.54.192.IN-ADDR.ARPA'?): [192.93.0.4].53 'NS2.NIC.FR'
> Jan  7 00:07:55 ns2 named[810]: ns_forw: query(150.37.250.128.in-addr.arpa)
> NS points to CNAME (MUWAYA.ITS.UNIMELB.EDU.AU:)
> Jan  7 00:27:24 ns2 named[810]: Lame server on '3.1.101.149.in-addr.arpa'
> (in '101.149.IN-ADDR.ARPA'?): [38.8.93.2].53 'SEC2.DNS.PSI.NET'
> Jan  7 00:27:25 ns2 named[810]: Lame server on '3.1.101.149.in-addr.arpa'
> (in '101.149.IN-ADDR.ARPA'?): [38.8.92.2].53 'SEC1.DNS.PSI.NET'
> Jan  7 00:40:50 ns2 named[810]: Lame server on '2.110.13.12.in-addr.arpa'
> (in '110.13.12.IN-ADDR.ARPA'?): [12.127.16.70].53
> 'dmtu.mt.ns.els-gms.att.net'
> Jan  7 00:40:50 ns2 named[810]: Lame server on '2.110.13.12.in-addr.arpa'
> (in '110.13.12.IN-ADDR.ARPA'?): [199.191.128.106].53
> 'dbru.br.ns.els-gms.att.net'
> Jan  7 00:50:42 ns2 named[810]: Lame server on '5.184.253.204.in-addr.arpa'
> (in '184.253.204.IN-ADDR.ARPA'?): [137.39.1.3].53 'NS.uu.net'
> Jan  7 00:53:49 ns2 named[810]: Cleaned cache of 11 RRs
> Jan  7 00:53:49 ns2 named[810]: USAGE 947166829 947163229 CPU=0.47u/0.22s
> CHILDCPU=0u/0s
> Jan  7 00:53:49 ns2 named[810]: NSTATS 947166829
> 947163229A=89SOA=12PTR=346ANY=1
> Jan  7 00:53:49 ns2 named[810]: XSTATS 947166829 947163229 RR=612 RNXD=7
> RFwdR=324 RDupR=2 RFail=4 RFErr=0 RErr=0 RAXFR=0 RLame=8 ROpts=0 SSysQ=224
> SAns=207 SFwdQ=245 SDupQ=72 SErr=0 RQ=466 RIQ=0 RFwdQ=0 RDupQ=4 RTCP=18
> SFwdR=324 SFail=0 SFErr=0 SNaAns=8 SNXD=10
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
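
For triage of a log like the one quoted above, the following added example (not part of the original post, and not ISC code) rejoins the mail-wrapped syslog records, expands "last message repeated N times" into the preceding message's count, and groups lame-server reports by zone. The names `unwrap` and `summarize` are hypothetical, and the regular expressions are inferred from the sample lines on this page rather than from BIND documentation.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the quoted log above, still wrapped and ">"-quoted as mailed.
SAMPLE = """\
> Jan  6 23:58:21 ns2 named[810]: Lame server on '254.36.239.209.in-addr.arpa'
> (in '36.239.209.IN-ADDR.ARPA'?): [209.239.47.252].53 'NS.ALABANZA.COM'
> Jan  6 23:58:24 ns2 named[810]: bad referral (ARPA !<
> 47.239.209.IN-ADDR.ARPA)
> Jan  6 23:58:24 ns2 last message repeated 17 times
> Jan  6 23:58:45 ns2 named[810]: refused query on non-query socket from
> [203.41.236.254].5459
> Jan  6 23:58:51 ns2 last message repeated 2 times
> Jan  7 00:27:24 ns2 named[810]: Lame server on '3.1.101.149.in-addr.arpa'
> (in '101.149.IN-ADDR.ARPA'?): [38.8.93.2].53 'SEC2.DNS.PSI.NET'
> Jan  7 00:27:25 ns2 named[810]: Lame server on '3.1.101.149.in-addr.arpa'
> (in '101.149.IN-ADDR.ARPA'?): [38.8.92.2].53 'SEC1.DNS.PSI.NET'
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
LAME = re.compile(r"Lame server on '([^']+)' \(in '([^']+)'\?\): \[([\d.]+)\]\.\d+ '([^']+)'")
KINDS = ("Lame server", "bad referral", "refused query")

def unwrap(text):
    """Strip mail quoting and rejoin records that the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()
        if STAMP.match(line):            # a timestamp starts a new record
            records.append(line)
        elif line and records:           # anything else continues the last one
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return (message counts with repeats expanded, zone -> {(ns name, ip)})."""
    kinds, lame, last = Counter(), defaultdict(set), None
    for rec in unwrap(text):
        body = STAMP.match(rec).group(2)
        if rep := REPEAT.match(body):    # syslog collapsed identical messages
            kinds[last or "other"] += int(rep.group(1))
            continue
        msg = body.split(": ", 1)[-1]    # drop the "named[pid]: " tag
        last = next((k.lower() for k in KINDS if msg.startswith(k)), "other")
        kinds[last] += 1
        if m := LAME.search(msg):
            lame[m.group(2).lower()].add((m.group(4).lower(), m.group(3)))
    return kinds, dict(lame)
```

Repeat lines carry no program tag, so the sketch credits them to the immediately preceding record, which is only sound when the input comes from a single host's log.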



More information about the bind-users mailing list