On Nov 19, 2008, at 6:19 PM, Kevin Darcy wrote:
Scott Haneda wrote:
I have a good deal of lame server errors in my logs, which I am not
entirely understanding.
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving '170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?): 209.234.64.192#53
73.234.209.in-addr.arpa has been delegated to ns1.networkiowa.com
(address 209.234.64.192), but that nameserver is not responding
authoritatively for the zone. This is referred to technically as
being "lame".
Fortunately one of the other delegated nameservers
(storm.weather.net) *is* responding authoritatively. So the zone is
not completely broken. But named is logging this as a warning. You
can configure logging to ignore these lame-server conditions.
Generally I want to know, as there are cases where I mess up, and
something bad happens. I watch the logs, and know to fix it. So I am
not so much minding the data in my logs, but more just wanting to
understand what is causing these lookups.
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.20#53
19-Nov-2008 15:36:34.975 lame-servers: info: lame server resolving '221.250.53.206.in-addr.arpa' (in '250.53.206.in-addr.arpa'?): 209.43.20.115#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving '127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?): 209.183.48.21#53
I assume, without looking, that the causes for these are similar to
the example above.
Yes, I have thousands of these entries. I usually use another NS to
point my email server to; that one has become a little flaky, so I
moved to using my own local NS on the same machine as the email server.
My server is not allowing recursion, other than to localnets.
About the only thing hitting it is an email server. So I am not
clear on why these lookups are happening, or why they are coming
from all these other IPs.
Most email software these days, as a default, performs reverse-
lookups of connecting client addresses as a form of spam detection
(because it's common knowledge that spammers are genetically
incapable of populating reverse records). It is thus perfectly
normal to see a lot of reverse-lookup traffic from email servers.
Correct, but that is what is strange. I am very familiar with my
email server, and I am not doing reverse PTR record checking. I am of
course using some DNSBLs and DNSWLs as well, but no reverse checking.
Further, I have allowed only localnets to check recursively on this
NS. I know my IP range, and what machines would be hitting it.
BTW, if you want to determine where all of these reverse lookups
were coming from, you could just turn on query logging. Why guess
when you can tell for sure?
This is the core of my question, maybe someone can point me to docs,
or help me understand a log line. In the example above, I see field 1
is the date, field 2 is the time, field 3 looks like the error
description, field 4 is the level, and then there are the rest of the
bits. However, I thought the last part was an IP and a port, telling
me that that IP asked on port 53 for a lookup of my server. So in this
case, why do I need to look at the query log, when I believe this log
tells me who is doing the lookup?
If this really was the email server doing this lookup, all the lines
should share the same IP in common. So let's assume for a second that
this is a reverse record lookup; that means my email server is
asking my NS for a record/response. Should I not see my IP in
those log lines?
Here is another example, I think not a reverse lookup for sure:
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving 'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
Doesn't that mean that 195.178.32.2 requested a lookup from my NS for
szi.szi.sv.gov.yu? I have an email server, and a bunch of web
servers, the web servers do not have DNS lookups on, so those are not
asking anything of my DNS server. The only thing that should be, is
the email server, but that is not adding up, since I do not have
reverse lookup checking enabled.
I can think of one thing, which is my web stats server, which I would
think does resolve IPs to host names in order to show a report of
what domains are going to websites. That being said, I would think
that I should see the source IP of the query in the lame server log
line.
Is there a way to log the client IP on that line?
Thanks
--
Scott
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
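An added example, not part of the thread and not ISC's code, that parses the lame-servers lines quoted above and a query-log line of the kind the reply recommends turning on. The lame-servers layout is taken from the lines in this thread; the query-log line, the 192.0.2.10 client address and the `client <addr>#<port>: query: <name> <class> <type>` layout it follows are assumptions constructed for the example. It shows that the address at the end of a lame-servers line is the upstream nameserver that answered non-authoritatively, and that the client which asked the resolver only shows up in the queries category:

```python
"""Read BIND 9 'lame-servers' and 'queries' log lines so the address
fields are interpreted correctly (added example, not from the thread).

A lame-servers line names the upstream nameserver that failed to answer
authoritatively; it never carries the client that sent the query.  The
client address only appears in the 'queries' category."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Lame-server line, once rejoined onto a single line (layout from the thread).
LAME_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"lame server resolving '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

# Query-log line; layout assumed to be "client <addr>#<port>: query: <name> <class> <type> ...".
QUERY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<cport>\d+): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)


def unwrap(text: str) -> List[str]:
    """Rejoin records that a mail client wrapped: a record starts with a
    dd-Mon-yyyy timestamp; any other non-empty line is a continuation."""
    records: List[str] = []
    current: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^\d{2}-[A-Za-z]{3}-\d{4} ", line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_lame(record: str) -> Optional[Dict[str, object]]:
    """Fields of one lame-servers record: 'server' is the lame upstream
    nameserver (not the client), 'zone' the delegation it should serve."""
    m = LAME_RE.match(record)
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["port"] = int(m.group("port"))
    # A PTR lookup is recognisable by its name, not by who asked for it.
    fields["is_reverse"] = m.group("name").endswith((".in-addr.arpa", ".ip6.arpa"))
    return fields


def parse_query(record: str) -> Optional[Dict[str, str]]:
    """Fields of one query-log record: 'client' is who asked the resolver."""
    m = QUERY_RE.match(record)
    return m.groupdict() if m else None


def lame_zone_counts(text: str) -> Counter:
    """How often each delegated zone was reported lame.  Many hits for one
    zone point at that zone's broken delegation, not at a client."""
    counts: Counter = Counter()
    for record in unwrap(text):
        fields = parse_lame(record)
        if fields:
            counts[fields["zone"]] += 1
    return counts


# Log excerpt quoted in the thread, as wrapped by the mail client.
LAME_SAMPLE = """
19-Nov-2008 15:36:34.657 lame-servers: info: lame server resolving
'170.73.234.209.in-addr.arpa' (in '73.234.209.in-addr.arpa'?):
209.234.64.192#53
19-Nov-2008 15:36:34.955 lame-servers: info: lame server resolving
'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
209.183.48.20#53
19-Nov-2008 15:36:34.989 lame-servers: info: lame server resolving
'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
209.183.52.20#53
19-Nov-2008 15:36:35.050 lame-servers: info: lame server resolving
'127.52.195.166.in-addr.arpa' (in '52.195.166.in-addr.arpa'?):
209.183.48.21#53
20-Nov-2008 00:36:38.470 lame-servers: info: lame server resolving
'szi.szi.sv.gov.yu' (in 'szi.sv.gov.yu'?): 195.178.32.2#53
"""

# Constructed query-log line; 192.0.2.10 is a documentation address standing
# in for the local mail server.  Not taken from the thread.
QUERY_SAMPLE = ("20-Nov-2008 00:36:38.470 queries: info: "
                "client 192.0.2.10#51234: query: szi.szi.sv.gov.yu IN A +")

if __name__ == "__main__":
    for rec in unwrap(LAME_SAMPLE):
        f = parse_lame(rec)
        print(f"lame upstream {f['server']}#{f['port']} for zone {f['zone']}"
              f" (reverse lookup: {f['is_reverse']})")
    print("client that asked:", parse_query(QUERY_SAMPLE)["client"])
    print(lame_zone_counts(LAME_SAMPLE))
```

Run against the thread's lines, every lame-servers record resolves to a different upstream address while the one constructed query-log line is the only place a client address appears, which is the distinction the question turns on. `lame_zone_counts` is the triage view a resolver operator wants: a zone that is reported lame repeatedly (here `52.195.166.in-addr.arpa`, three times) has a broken delegation on the remote side, and the only local action is whether to keep logging it.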