named and SpamAssassin
Mark Andrews
Mark_Andrews at isc.org
Mon Jul 18 02:20:43 UTC 2005
> Barry Margolin wrote:
>
> >>
> >> What does the /NS/IN stand for?
> >
> > NS means it's querying for a NameServer record, and IN means INternet
> > class (just about everything is in this class, so you can pretty much
> > ignore it).
> >
> > So someone was trying to look up the nameservers for the love-walker.com
> > domain. It's pretty unusual for applications to look up NS records
> > explicitly, it mostly comes from troubleshooting utilities.
> >
>
> Jul 17 11:49:20 cpollock spamd[15496]: processing message <20050718014838>
> for chris:501.
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'love-walker.com/NS/IN': 212.118.243.118#53

Looks like name-services.com is not running RFC compliant
nameservers.

The answer below is not correct. It is authoritatively
(aa=1) saying that there are no NS records yet returns the
NS records in the authority section. The NS records should
have been in the ANSWER section. Named has correctly flagged
the answer as being malformed.

; <<>> DiG 9.3.2prerelease <<>> ns +norec love-walker.com @212.118.243.118
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20011
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;love-walker.com. IN NS
;; AUTHORITY SECTION:
love-walker.com. 3600 IN NS dns1.name-services.com.
love-walker.com. 3600 IN NS dns2.name-services.com.
love-walker.com. 3600 IN NS dns3.name-services.com.
love-walker.com. 3600 IN NS dns4.name-services.com.
love-walker.com. 3600 IN NS dns5.name-services.com.
;; ADDITIONAL SECTION:
dns1.name-services.com. 3600 IN A 69.25.142.1
dns2.name-services.com. 3600 IN A 216.52.184.230
dns3.name-services.com. 3600 IN A 63.251.83.36
dns4.name-services.com. 3600 IN A 64.74.96.242
dns5.name-services.com. 3600 IN A 212.118.243.118
;; Query time: 331 msec
;; SERVER: 212.118.243.118#53(212.118.243.118)
;; WHEN: Mon Jul 18 12:13:07 2005
;; MSG SIZE rcvd: 257
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving 'maziai.com/NS/IN':
> 212.118.243.118#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'neo-celeb.com/NS/IN': 212.118.243.118#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'love-walker.com/NS/IN': 69.25.142.1#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving 'maziai.com/NS/IN':
> 69.25.142.1#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'neo-celeb.com/NS/IN': 69.25.142.1#53
> Jul 17 11:49:26 cpollock spamd[15496]: identified spam (8.5/5.0) for
> chris:501 in 6.2 seconds, 4196 bytes.
>
> Barry, above is the complete syslog entry on this message from when spamd
> was called to the time it was identified as spam. The URLs that named is
> attempting to resolve are in the message. However, it seems that not all
> spam messages with URLs embedded are being resolved or attempting to.
> Guess it's just another mystery of life. Of course it could be Razor,
> Pyzor, DCC or any of the other network checks I run that is actually
> calling named to do this. It's not hurting anything so as you suggested I'll
> just ignore it. I just get curious when I see new things in my syslog.
>
> Thanks
>
> --
> Chris
> Registered Linux User 283774 http://counter.li.org
> 15:12:15 up 22:45, 2 users, load average: 0.66, 0.46, 0.46
> Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> A judge is a law student who marks his own examination papers
> -- H.L. Mencken on Murphy n°1
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
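
Added example (not part of the original post, and not BIND's code): a Python check for the reply shape described above, an authoritative (aa=1) response to an NS query whose ANSWER section is empty while the NS records for the query name sit in AUTHORITY. The function names and the constructed sample reply are assumptions for illustration, and this covers only that one condition, not named's full response validation.

```python
import struct

NS, IN = 2, 1  # RR type NS, class IN

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels).lower() + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def ns_in_wrong_section(msg):
    """True when aa=1, qtype NS, ANSWER is 0, yet AUTHORITY holds NS RRs for the qname."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)  # assumes a single question (QDCOUNT 1)
    qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
    off += 4
    if not (flags & 0x8000 and flags & 0x0400 and qtype == NS and an == 0):
        return False  # not a response, not authoritative, or NS RRs were answered
    for _ in range(ns):  # ANSWER is empty, so AUTHORITY starts right here
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10 + rdlen
        if owner == qname and rtype == NS:
            return True
    return False

def build_reply(qname, targets, in_answer):
    """Constructed sample reply (flags qr aa) with NS RRs in ANSWER or AUTHORITY."""
    rrs = b""
    for t in targets:
        rdata = encode_name(t)
        rrs += encode_name(qname) + struct.pack("!2HIH", NS, IN, 3600, len(rdata)) + rdata
    an, ns = (len(targets), 0) if in_answer else (0, len(targets))
    header = struct.pack("!6H", 20011, 0x8400, 1, an, ns, 0)
    return header + encode_name(qname) + struct.pack("!2H", NS, IN) + rrs
```

A non-authoritative referral (aa=0) with NS records in AUTHORITY is an ordinary delegation and is deliberately not flagged.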