Named NOTIFY strangeness

Gene Harris zeus at tetronsoftware.com
Mon May 22 13:35:33 UTC 2000


I am noticing some strangeness whenever I start or restart my named daemon:
/usr/sbin/named -u bind -g bind.  I am running FreeBSD 3.4-stable updated
Friday, cvsup'ed Friday, May 20th.  Bind is 8.2.2-P5.

The messages log file shows the following: (after kill -HUP named.pid)
[normal stuff snipped]

May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "blahblah.com IN SOA" (blahblah.com); 1 NS, 1 A

May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0

May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)

May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0

May 21 16:02:07 ns1 natd[288]: failed to write packet back (Permission denied)

The notification should be sent to my slave name server at xx.yy.zz.11, but
instead is attempting to notify 115.119.98.99.  I do not have an
address 115.119.98.99 in any of my named files in /etc/namedb.  Fortunately,
my firewall rules don't like this connection and reject it.  My question is,
what the heck is going on?  I just rebuilt world this weekend (normal cycle
for me), and named appears to be correct (not substituted by a root kit
version.)  I have been reading about poisoned/corrupted caches, etc., but "ndc
restart" does not appear to be clearing my cache.

Prior to Friday morning, May 19, 2000 about 04:00 hours CDT, everything was
normal.  Can someone point me in the right direction?  I assume my DNS cache
has been corrupted, because my little site was hit by some sort of DNS attack
about 10 minutes before the time given above.

Many Thanks!
Gene Harris
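As an added, constructed illustration (not part of the post and not BIND's own code): a small Python check that reads a syslog excerpt shaped like the one above and reports outbound UDP/53 packets logged by ipfw shortly after a "Sent NOTIFY" line whose destination is not one of the configured slave addresses. The addresses 192.0.2.5 and 192.0.2.11 are assumed placeholders for aa.bb.cc.dd and xx.yy.zz.11.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the post's log excerpt (placeholder addresses).
SAMPLE_LOG = """\
May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "blahblah.com IN SOA" (blahblah.com); 1 NS, 1 A
May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.5:2369 115.119.98.99:53 out via xl0
May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)
May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP 192.0.2.5:2369 115.119.98.99:53 out via xl0
May 21 16:02:07 ns1 natd[288]: failed to write packet back (Permission denied)
May 21 16:02:10 ns1 /kernel: ipfw: 130 Accept UDP 192.0.2.5:2369 192.0.2.11:53 out via xl0
"""

SYSLOG_TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
NOTIFY_RE = re.compile(SYSLOG_TS + r' \S+ named\[\d+\]: Sent NOTIFY for "(?P<zone>\S+) IN SOA"')
IPFW_RE = re.compile(SYSLOG_TS + r' \S+ /kernel: ipfw: \d+ (?P<action>\w+) UDP '
                     r'(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):53 out via')


def _ts(text):
    # syslog lines carry no year; 2000 is the year given in the post
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def unexpected_notify_targets(log_text, expected_slaves, window_s=60):
    """Map (zone, destination) -> packet count for outbound UDP/53 traffic seen
    within window_s seconds after a 'Sent NOTIFY' line, where the destination
    is not in expected_slaves (the addresses NOTIFY should legitimately reach)."""
    pending = []            # (timestamp, zone) of NOTIFY events seen so far
    hits = Counter()
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line)
        if m:
            pending.append((_ts(m["ts"]), m["zone"]))
            continue
        m = IPFW_RE.match(line)
        if not m or m["dst"] in expected_slaves:
            continue
        t = _ts(m["ts"])
        for notify_time, zone in pending:
            if 0 <= (t - notify_time).total_seconds() <= window_s:
                hits[(zone, m["dst"])] += 1
    return dict(hits)
```

A non-empty result means the daemon's NOTIFY target list contains an address outside your slave set, so the zone's NS names and the A records they resolve to are the next thing to check.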
