On Thu, Nov 20, 2003 at 10:44:19AM -0800, Cory Petkovsek wrote:
> I'm getting unusual errors from my dns server and firewall relating to
> an invalid private ip. The errors are as follows:
>
> Bind 8 reports:
> Nov 20 09:59:24 mercury named[338]: ns_resp: sendto([10.168.0.11].53):
> Operation not permitted
>
> Netfilter logging reports several instances of this:
> Nov 20 09:59:24 mercury kernel: OUTPUT: IN= OUT=eth1 SRC=64.65.177.82
> DST=10.168.0.11 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=1024 DPT=53 LEN=59
> Nov 20 09:59:24 mercury kernel: OUTPUT: IN= OUT=eth1 SRC=64.65.177.82
> DST=10.168.0.10 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
> SPT=1024 DPT=53 LEN=59
>
> My firewall rules don't allow external connections to the 10.x address
> space. What I suspect is occurring is that some dns server out there has
> an NS record pointing to 10.168.0.11 and .10. One of my clients tries to
> connect to a domain, which goes through the chain to the above NS
> record. Bind 8 tries to look it up, but my firewall rules don't allow
> it.
Regarding the above errors, I finally was able to track it down and
here's how I did it. First I increased the logging of bind by adding
this to the logging {} section of named.conf:
channel my_logging_channel {
    file "bind_query.log";
    severity info;
};
category queries { my_logging_channel; };
This gave me a /var/cache/bind/bind_query.log that looked like this:
XX+/10.0.0.62/ad.doubleclick.net/A/IN
XX+/10.0.0.62/ad.doubleclick.net.petersen-arne.com/A/IN
(unfortunately no dates, although I could have logged to syslog)
Next I waited and when I saw the error in syslog, I stopped the logging
channel. Then I figured out where in the file the last instance of a
particular site I had gone to that morning was, and deleted everything
prior to it. Now I had a section of 20,000 dns queries, one of which was
likely the culprit.
Doing some `sort`ing and `uniq`ing of the file reduced it down to 4,000.
Then I ran:
grep '^X' bind3 | awk -F/ '{print "host -t " $4 " " $3;}' | sort | perl -e 'while(<>) { system $_; }'
eval was giving me trouble, so I used perl/system. (I tried "for i in
`awk stuff`; do eval $i ; done" but bash was breaking on each space.)
Then I just watched until I saw the dns error popup and sure enough it
did. Manually running some of the nearby queries I discovered it
occurred when doing a dns lookup of my ISP's corporate mail server.
# host mail.corp.eschelon.com
This appeared in the logs because my firewall doesn't allow sending to
that address:
> Nov 20 09:59:24 mercury named[338]: ns_resp: sendto([10.168.0.11].53):
> Operation not permitted
Tracing out the dns entries manually, I discovered:
# host -t ns corp.eschelon.com
corp.eschelon.com name server everest.corp.eschelon.com.
corp.eschelon.com name server mckinley.corp.eschelon.com.
# host -t a everest.corp.eschelon.com
everest.corp.eschelon.com has address 10.168.0.10
# host -t a mckinley.corp.eschelon.com
mckinley.corp.eschelon.com has address 10.168.0.11
Ah ha! Every time my ISP sends me an email, my postfix checks the
address given in the HELO statement (mail.corp.eschelon.com) and I get
a dns error. They do have public IP, PTR and A records for the mail
server so it doesn't create other problems, but apparently these two ns
servers got overlooked.
Cory
--
Cory Petkovsek, Adaptable IT Consulting
(541) 914-8417, [EMAIL PROTECTED], www.AdaptableIT.com
"Adapting Information Technology to your business"
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug