I need assistance in determining the cause for log entries/BIND responses that don't make sense. I'm running BIND 9.8.7 on FreeBSD 8.4. Here is the pertinent part of named.conf: (no recursion)
Code:
acl "trusted" {
    xxx.xxx.xxx.xxx/xx;
    // (various other networks considered local)
    localhost;
    localnets;
};
options {
    directory "/etc/namedb";
    allow-query { any; };
    allow-recursion { trusted; };
    // (remaining options omitted)
};
Appears, the below log entry, repeated many, many times, various IPs, many repeated, ALL are null routed.
Code:
/var/log/messages:Nov 23 10:33:06 auth named[7025]: client 195.138.80.56#44324: error sending response: network unreachable (repeated many times)
Code:
Host# netstat -n -r | grep "195.138"
195.138.64.0/19 127.0.0.1 URS 0 439 lo0
Question is: how do I determine the source of the query to named that elicits a response by named to a null address? We know the query didn't come from the address in question, recursion is off, tested properly, and the netstat result shows the ifconfig is also proper.
Code:
host# ping 195.138.80.56
PING 195.138.80.56 (195.138.80.56): 56 data bytes
ping: sendto: Network is unreachable
I suspect a client's system is compromised and the query is originating from within the local network(s) which are in the ACL trusted, but why and how the response to a foreign IP known for abuse?
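As an added example (not from the post above), the following script correlates "error sending response: network unreachable" entries from named with the null routes in the netstat -rn output, so each client address can be counted and matched to the route that swallows the reply; the log and route lines are constructed samples in the post's formats.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input in the same shape as the post's /var/log/messages and netstat -rn output.
LOG_LINES = [
    "/var/log/messages:Nov 23 10:33:06 auth named[7025]: client 195.138.80.56#44324: error sending response: network unreachable",
    "/var/log/messages:Nov 23 10:33:07 auth named[7025]: client 195.138.80.56#44325: error sending response: network unreachable",
    "/var/log/messages:Nov 23 10:33:09 auth named[7025]: client 195.138.70.1#53211: error sending response: network unreachable",
    "/var/log/messages:Nov 23 10:33:10 auth named[7025]: client 10.0.0.5#50001: error sending response: network unreachable",
    "/var/log/messages:Nov 23 10:33:11 auth named[7025]: client 10.0.0.9#50002: query (cache) 'example.com/A/IN' denied",
]
NETSTAT_LINES = [
    "default            192.0.2.1          UGS         0       10    em0",
    "10.0.0.0/24        link#1             U           0        5    em0",
    "195.138.64.0/19    127.0.0.1          URS         0      439    lo0",
]

# Matches the client address in named's "error sending response" entries.
LOG_RE = re.compile(
    r"client (\d+\.\d+\.\d+\.\d+)#\d+: error sending response: network unreachable"
)


def null_routes(netstat_out):
    """Return the destination networks whose gateway is 127.0.0.1 (null routes via lo0)."""
    nets = []
    for line in netstat_out:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "127.0.0.1":
            try:
                nets.append(ipaddress.ip_network(parts[0], strict=False))
            except ValueError:
                pass  # "default" or other non-address destinations
    return nets


def unreachable_clients(log_lines):
    """Count 'network unreachable' response failures per client address."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify(log_lines, netstat_out):
    """Map each failing client address to its count and the null route covering it (None if none)."""
    routes = null_routes(netstat_out)
    result = {}
    for ip, n in unreachable_clients(log_lines).items():
        addr = ipaddress.ip_address(ip)
        hit = next((str(r) for r in routes if addr in r), None)
        result[ip] = {"count": n, "null_route": hit}
    return result
```

The client address named logs is simply the source address carried by the query packet; a capture on the external interface (for example tcpdump -n -i em0 udp dst port 53 and src net 195.138.64.0/19) shows whether such queries arrive from outside rather than from a trusted network.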