DM,
I'm not sure I understand exactly what you would like but here are
two possible answers:
Those log entries are from other domains' misconfigured DNS
servers. I believe they are informational only, not really a
problem. You may want to look at
http://www.isc.org/sw/bind/arm92/Bv9ARM.ch06.html (which is one
frame from http://www.isc.org/index.pl?/sw/bind/) -- see the note
about lame-servers. I believe you can tell bind not to log those by
adding something like this to your named.conf file:

    logging {
        category "lame-servers" { "null"; };
    };

If you already have a logging clause, just add the lame-servers line.
Alternatively, you could add an OSSEC rule like this (to your
local_rules.xml file) if OSSEC is alerting on the lame server
entries as part of the default "something bad happened" rule (1002):

    <rule id="100100" level="0">
      <if_sid>1002</if_sid>
      <program_name>named</program_name>
      <match>lame server</match>
      <description>See: http://www.isc.org/sw/bind/arm92/Bv9ARM.ch06.html</description>
    </rule>

I use something similar to block OSSEC alerts about queries for my
internal-only domain.
If I completely misunderstood the question, I expect someone else
will provide the right answer.
-David
[EMAIL PROTECTED] wrote:
> We are getting a lot of queries like this through different names
> #53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.37.190#53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.37.190#53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
> Jun 2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
> How can we block these lame requests?
>
> Thanks
> DM
>
--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
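
Before silencing the category with the null channel or a level-0 rule, it can help to see which zones and remote servers the entries actually name. The following is an added example, not part of the original message and not code from BIND or OSSEC: a small Python parser for the "lame server resolving" syslog format quoted above that tallies entries per zone and server. The sample lines are constructed, and the example.net / 192.0.2.x values and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the entries quoted in the message;
# the sshd and example.net lines are invented to show non-matching and mixed input.
SAMPLE = """\
Jun  2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
Jun  2 10:24:18 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.37.190#53
Jun  2 10:24:19 localhost named[5758]: lame server resolving 'vipum.latboy.com' (in 'latboy.com'?): 209.172.44.132#53
Jun  2 10:24:20 localhost sshd[812]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Jun  2 10:24:21 localhost named[5758]: lame server resolving 'www.example.net' (in 'example.net'?): 192.0.2.53#53
"""

# syslog header, then named's message: queried name, zone, remote server and port.
LAME_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s"
    r"lame server resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\):\s"
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)\s*$"
)

def parse_lame(line):
    """Return the fields of one lame-server entry, or None for any other line."""
    m = LAME_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count lame-server entries per (zone, remote server); report skipped lines."""
    per_server = Counter()
    skipped = 0
    for line in lines:
        rec = parse_lame(line)
        if rec is None:
            skipped += 1  # not a lame-server entry; leave it to other rules
            continue
        per_server[(rec["zone"], rec["server"])] += 1
    return per_server, skipped

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE.splitlines())
    for (zone, server), n in counts.most_common():
        print(f"{n:5d}  {zone:20s} {server}")
    print(f"{skipped} non-matching line(s)")
```
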