When this message happens name service times out.

Tue May 9 16:37:03 UTC 2000

>>>>> "Mark" == Cinense, Mark <macinen at sandia.gov> writes:

    Mark> Greetings all, About a month ago we upgraded our 10mb NIC to
    Mark> a 100mb NIC on a SPARC 5 270mhz with 96mb of memory.  Our
    Mark> environment is about 8500 + machines, that includes the
    Mark> servers.

Shame you forgot to tell us what version of BIND you're running.

    Mark> I have a script that runs daily via cron, and its
    Mark> job is to gather statistics on the nameserver.  This script
    Mark> also restarts named by getting the named.pid info, and doing
    Mark> a kill -ILL on that pid.

Please get out of the habit of sending signals to the name server to
make it do things. Use ndc and have it talk to the name server via a
UNIX domain socket. What happens if the next BIND release does
something different with SIGILL or even decides not to catch it any
more? Or what if named.pid has the wrong process number?

    Mark> Well after the upgrade of the
    Mark> NIC's, I am now getting this message in my message log.

    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.93.44].2072 
    Mark> May 9 07:50:20 ns4 named[22455]: refused query on non-query socket from [134.253.22.3].53

These messages should be self-explanatory. A query with source IP
address 134.253.22.3 and port number 53 - presumably a name server? -
was sent to a socket that your name server didn't expect to get
queries on. The first log entry shows another of these queries from
port 2072 of IP address 134.253.93.44. In BIND8, this usually happens
when queries are sent to the random UDP port the server uses when it
makes queries. Nothing should be sending queries to that port which is
why the error messages are generated. You'll need to find out what
these hosts are up to and why they're sending queries to a socket that
isn't used for incoming requests. Maybe someone is port scanning from
these addresses?