are these BIND errors....

Barry Margolin barmar at genuity.net
Thu Jun 28 19:27:29 UTC 2001


In article <9hfvba$3f5 at pub3.rc.vix.com>,
Gary Kline  <kline at ns1.thought.org> wrote:
>
>On Thu, Jun 28, 2001 at 02:28:44PM -0400, James A Griffin wrote:
>> 
>> Gary Kline wrote:
>> > 
>> > On Thu, Jun 28, 2001 at 01:27:51PM -0400, James A Griffin wrote:
>> > > Gary Kline wrote:
>> [snip]
>> > > >
>> > > > Jun 27 22:18:15 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 216.136.204.119:53
>> > > > Jun 27 22:18:15 tao /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1123
>> > > > Jun 27 22:21:09 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 207.224.243.50:53
>> > > > Jun 27 22:21:09 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 207.224.243.50:53
>> > > >
>> > >
>> > > No, it is some form of packet filter (firewall) or intrusion detection
>> > > system (IDS) telling you about events.  Port 53 is named and port
>> > > 512/udp is biff.
>> > >
>> > 
>> >         Strange thing is that I have no packet filtering going on
>> >         (( at least none that I  have installed so far!)).
>> > 
>> >         What IDS could be reporting these kind of Connection attempts?
>> > 
>> 
>> I do not recognize the message format; use 'snort' myself.  I thought it
>> might be 'portsentry', but assuming the documentation is accurate, it
>> uses a different format.  Could it be from tcpwrappers or the new
>> version (IIRC xinetd)? What operating system are you running?
>> 
>
>	I just upgraded to FreeBSD 4.3.  In named.conf, I have lots of
>	logging {} categories set.  Probably these attempt messages are
>	coming from there.   I haven't grep'd thru the BIND9 code...
>	yet.
>

They're not coming from BIND at all.  The log messages say "/kernel", not
"named".  That's why they seem to be related to a packet filter of some
kind.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
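Barry's point is that the origin of a syslog line is in its tag field ("/kernel" versus "named"), not in the wording of the message. The Python script below is an added illustration and is not part of the thread: it parses the four kernel lines Gary quoted plus one constructed named[] line, attributes each line to the process that wrote it, and groups the kernel's connection-attempt records by protocol, destination port (53 is named, 512/udp is biff, as James noted) and source address. On FreeBSD the "Connection attempt to UDP ... from ..." text is what the kernel logs when the net.inet.udp.log_in_vain sysctl is enabled; that detail, the regular expressions and the PORT_NAMES table are mine, not from the posts.

```python
import re
from collections import Counter

# FreeBSD syslog line: "Mon DD HH:MM:SS host tag: message"; tag is "/kernel"
# for kernel messages or "prog[pid]" for daemons such as named.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Message text the kernel emits when net.inet.{udp,tcp}.log_in_vain is on.
IN_VAIN_RE = re.compile(
    r"^Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
# Port names as given in the thread: 53 is named (DNS), 512/udp is biff.
PORT_NAMES = {("UDP", 53): "domain (named)", ("TCP", 53): "domain (named)",
              ("UDP", 512): "biff"}

# Constructed sample: the four kernel lines quoted in the thread plus one
# made-up named line, so the attribution step has something to contrast.
SAMPLE_LOG = """\
Jun 27 22:18:15 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 216.136.204.119:53
Jun 27 22:18:15 tao /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1123
Jun 27 22:21:09 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 207.224.243.50:53
Jun 27 22:21:09 tao /kernel: Connection attempt to UDP 216.39.168.248:53 from 207.224.243.50:53
Jun 27 22:21:10 tao named[4711]: lame server resolving 'example.net' (constructed line)
"""


def parse_line(line):
    """Split one syslog line into fields; decode the kernel's log_in_vain message if present."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # "named[4711]" -> "named"; "/kernel" stays as-is. This field, not the
    # message body, tells you which process wrote the line.
    rec["program"] = rec["tag"].split("[", 1)[0]
    iv = IN_VAIN_RE.match(rec["msg"])
    if iv is not None:
        rec.update(iv.groupdict())
        rec["dport"] = int(rec["dport"])
        rec["sport"] = int(rec["sport"])
        rec["service"] = PORT_NAMES.get((rec["proto"], rec["dport"]), "unknown")
    return rec


def attribute(lines):
    """Count lines per originating program: answers 'is this BIND or the kernel?'."""
    return Counter(r["program"] for r in map(parse_line, lines) if r is not None)


def in_vain_summary(lines):
    """Group kernel 'Connection attempt' lines by protocol, port, service and source."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec is not None and rec["program"] == "/kernel" and "dport" in rec:
            counts[(rec["proto"], rec["dport"], rec["service"], rec["src"])] += 1
    # Each entry: (proto, dport, service, src, count), sorted for stable output.
    return sorted(k + (n,) for k, n in counts.items())


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lines per program:", dict(attribute(lines)))
    for proto, dport, service, src, n in in_vain_summary(lines):
        print(f"{n}x {proto}/{dport} ({service}) from {src}")
```

Run it directly and the per-program count puts every "Connection attempt" line under "/kernel" and only the constructed line under "named", which is the same check Barry applies by eye; the grouped summary then shows that three of the four kernel records are other resolvers talking to port 53 of this host, and the 512/udp one is a local biff lookup.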

