127.0.0.2

Mike Black mblack at csi-inc.com
Wed Oct 8 13:58:02 UTC 2003


All of a sudden, on Sep 29 05:03:30 (EDT) I started seeing named kicking out UDP requests to 127.0.0.2.
My firewall was set up to detect this kind of thing.
Sep 29 05:03:30 picard kernel: FW Egress#2 IN= OUT=lo SRC=127.0.0.2 DST=127.0.0.2 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41043 DPT=53 LEN=71
Port 41043 is bound to the named process.
It's still going on (as of Oct 8).
I've been unable to figure out what named is doing to generate this.  Can't seem to see the network traffic anywhere using tcpdump.
Here's an strace:
09:45:59.295229 sendmsg(24, {msg_name(16)={sin_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.2")}}, msg_iov(1)=[{"Cn\0\20\0\1\0\0\0\0\0\1\003129\00266\003189\003168\4or"..., 64}], msg_controllen=0, msg_flags=0}, 0) = -1 EPERM (Operation not permitted)

I'm thinking this may be related to one of the spam checks going on from sendmail that may be returning 127.0.0.2:

FEATURE(dnsbl,`blackholes.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/lookup?$& {client_addr}')dnl
FEATURE(dnsbl,`relays.mail-abuse.org',` Mail from $&{client_addr} rejected; see http://work-rss.mail-abuse.org/cgi-bin/nph-rss?$& {client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org',` Mail from dial-up rejected; see http://mail-abuse.org/dul/enduser.htm')
FEATURE(dnsbl, `dnsbl.njabl.org',`Message from $&{client_addr} rejected - see http://njabl.org/')
FEATURE(dnsbl, `list.dsbl.org',`Message from $&{client_addr} rejected - see http://www.dsbl.org/')
FEATURE(dnsbl, `sbl.spamhaus.org',`Message from $&{client_addr} rejected - see http://www.spamhaus.org/SBL/')
FEATURE(dnsbl, `proxie.relays.monkeys.com',`Message from $&{client_addr} rejected - see http://www.monkeys.com/upl/')


Michael D. Black mblack at csi-inc.com
http://www.csi-inc.com/
http://www.csi-inc.com/~mike
321-676-2923, x203
Melbourne FL
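
Added example, not part of the original post: decoding the escaped payload from the strace line above as a DNS query shows which name named was trying to send to 127.0.0.2 when the firewall returned EPERM. The function names are this example's own, and the payload is the fragment exactly as posted, which strace cut off at "...".

```python
import re
import struct

# Payload copied from the strace line in the post; strace truncated it at "...".
STRACE_PAYLOAD = r"Cn\0\20\0\1\0\0\0\0\0\1\003129\00266\003189\003168\4or"

# Single-character escapes strace emits besides octal ones.
_SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}

def unescape_strace(s):
    """Turn strace's C-style escaped string back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        m = re.match(r"[0-7]{1,3}", s[i + 1:])
        if m:  # octal escape: 1 to 3 digits, e.g. \0, \20, \003
            out.append(int(m.group(), 8))
            i += 1 + len(m.group())
        else:
            out.append(_SIMPLE[s[i + 1]])
            i += 2
    return bytes(out)

def parse_query(data):
    """Decode the DNS header and as much of the question name as is present."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    labels, pos, truncated = [], 12, False
    while True:
        if pos >= len(data):          # ran out before the root label
            truncated = True
            break
        n = data[pos]
        if n == 0:                    # root label ends the name
            break
        label = data[pos + 1:pos + 1 + n]
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + n
        if len(label) < n:            # last label is only partly captured
            truncated = True
            break
    return {"id": ident, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "cd": bool(flags & 0x0010), "qdcount": qd, "arcount": ar,
            "name": ".".join(labels), "truncated": truncated}

if __name__ == "__main__":
    print(parse_query(unescape_strace(STRACE_PAYLOAD)))
```

Re-running strace with a larger `-s` value captures the full 64-byte message, so the complete query name can be decoded the same way.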

