On Tue, 2017-09-19 at 08:41 -0500, David Jones wrote:
> On 09/19/2017 08:25 AM, Chris wrote:
> >
> > On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> > >
> > > On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > > >
> > > > On 09/18/2017 06:03 PM, Chris wrote:
> > > [snip]
> > > > >
> > > > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > > >
> > > > > I'm not really running a mail server in the true sense of the word, I believe. Fetchmail queries my email accounts and pipes the messages through procmail. Anything that doesn't already have a recipe is run through SA. I'm just using Bind to speed up the queries that SA makes. I believe I'm stating that correctly, but who knows, could be way off.
> > > > >
> > > > > If I can give any other information I'll be glad to do it. Again, I have no idea why the queries are going to 168.150.251.35. There hasn't been another query to isipp since a bit after noon. I'll see what happens the next time there is one.
> > > >
> > > > Run 'netstat -tunlap | grep ":53 "' and see what is listening on port 53 as your DNS server. You probably need to remove/uninstall dnsmasq.
> > > >
> > > > Here's my output:
> > > >
> > > > # netstat -tunlap | grep ":53 "
> > > > tcp   0   0  127.0.0.1:53   0.0.0.0:*   LISTEN   24019/pdns_recursor
> > > > udp   0   0  127.0.0.1:53   0.0.0.0:*            24019/pdns_recursor
> > > >
> > > > Once you know you are only running named on port 53, then make sure your named.conf doesn't have any forwarders defined in the options section.
> > > >
> > > > Now check your logs and see if you are still getting a lot of refused responses. BIND should be doing full recursive lookups directly to the authoritative DNS servers, just like you saw with the "dig +trace" command.
> > >
> > > David, here's my output. I ran as sudo to see all inclusive:
> > >
> > > sudo netstat -tunlap | grep ":53"
> > > [sudo] password for chris:
> > > tcp   0   0  192.168.122.1:53      0.0.0.0:*          LISTEN     1245/named
> > > tcp   0   0  127.0.1.1:53          0.0.0.0:*          LISTEN     1316/dnsmasq
> > > tcp   0   0  192.168.0.51:53       0.0.0.0:*          LISTEN     1245/named
> > > tcp   0   0  127.0.0.1:53          0.0.0.0:*          LISTEN     1245/named
> > > tcp   0   0  192.168.0.51:56697    192.52.178.30:53   TIME_WAIT  -
> > > tcp   1   1  192.168.0.51:33475    198.97.190.53:53   CLOSING    -
> > > tcp   0   0  192.168.0.51:52483    192.5.6.30:53      TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:57335    192.5.6.30:53      TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:56609    192.52.178.30:53   TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:36143    199.19.56.1:53     TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:47629    199.7.83.42:53     TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:58201    192.48.79.30:53    TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:53145    199.19.56.1:53     TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:55073    199.7.83.42:53     TIME_WAIT  -
> > > tcp   0   0  192.168.0.51:41719    192.48.79.30:53    TIME_WAIT  -
> > > tcp   1   1  192.168.0.51:40633    198.97.190.53:53   CLOSING    -
> > > udp   0   0  192.168.122.1:53      0.0.0.0:*                     2323/dnsmasq
> > > udp   0   0  192.168.122.1:53      0.0.0.0:*                     1245/named
> > > udp   0   0  127.0.1.1:53          0.0.0.0:*                     1316/dnsmasq
> > > udp   0   0  192.168.0.51:53       0.0.0.0:*                     1245/named
> > > udp   0   0  127.0.0.1:53          0.0.0.0:*                     1245/named
> > > udp   0   0  0.0.0.0:5353          0.0.0.0:*                     1533/snapweb
> > > udp   0   0  0.0.0.0:5353          0.0.0.0:*                     1004/avahi-daemon:
> > > udp6  0   0  :::5353               :::*                          1533/snapweb
> > > udp6  0   0  :::5353               :::*                          1004/avahi-daemon:
> >
> > I neglected to insert my /etc/bind/named.conf.options file
> >
> > acl goodclients {
> >     127.0.0.1;
> >     localhost;
> >     localnets;
> > };
> >
> > options {
> >     directory "/var/cache/bind";
> >     geoip-directory "/usr/share/GeoIP";
> >
> >     recursion yes;
> >     allow-query { goodclients; };
> >
> >     // If there is a firewall between you and nameservers you want
> >     // to talk to, you may need to fix the firewall to allow multiple
> >     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
> >
> >     // If your ISP provided one or more IP addresses for stable
> >     // nameservers, you probably want to use them as forwarders.
> >     // Uncomment the following block, and insert the addresses replacing
> >     // the all-0's placeholder.
> >
> >     //forwarders {
> >     //127.0.0.1;
> >     //};
> >
> >     //========================================================================
> >     // If BIND logs error messages about the root key being expired,
> >     // you will need to update your keys. See https://www.isc.org/bind-keys
> >     //========================================================================
> >     //dnssec-validation auto;
> >
> >     auth-nxdomain no;    # conform to RFC1035
> >     //listen-on-v6 { any; };
> >     listen-on { any; };
> > };
>
> Change this in the named.conf.options and BIND should be fine:
>
> listen-on { 127.0.0.1; };
>
> Uninstall dnsmasq and make sure it's no longer listening on 127.0.1.1:53, just to keep things simple.
>
> Your /etc/resolv.conf should be pointed to 127.0.0.1, which it should already be based on the dig +trace output.
>
> Now check your logs to see if you are still getting odd queries to destinations that aren't authoritative DNS servers, which are being refused. Use dig +trace to check responses, which should match the http://multirbl.valli.org site responses for that particular RBL or whitelist, excluding IVM, which is a subscription-based RBL.
>
Here's the output now of the dig +trace

tcp   0   0  127.0.0.1:53       0.0.0.0:*   LISTEN  -
tcp   0   0  127.0.1.1:53       0.0.0.0:*   LISTEN  -
udp   0   0  127.0.0.1:53       0.0.0.0:*           -
udp   0   0  192.168.122.1:53   0.0.0.0:*           -
udp   0   0  127.0.1.1:53       0.0.0.0:*           -
udp   0   0  0.0.0.0:5353       0.0.0.0:*           -
udp   0   0  0.0.0.0:5353       0.0.0.0:*           -
udp6  0   0  :::5353            :::*                -
udp6  0   0  :::5353            :::*                -

I'm getting different outputs each time I run dig +trace 65.43.116.208.iadb.isipp.com

65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.1.255
65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.2
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.3
65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.202.10
65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.1
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.1
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.4
65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.201.10
65.43.116.208.iadb.isipp.com. 3600 IN A 127.3.100.10
;; Received 201 bytes from 147.75.64.146#53(c.auth-ns.sonic.net) in 67 ms

65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.2
65.43.116.208.iadb.isipp.com. 3600 IN A 127.3.100.10
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.4
65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.1
65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.202.10
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.1
65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.3
65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.201.10
65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.1.255
iadb.isipp.com. 172800 IN NS ns2.ns.isipp.com.
iadb.isipp.com. 172800 IN NS b.auth-ns.sonic.net.
iadb.isipp.com. 172800 IN NS a.auth-ns.sonic.net.
iadb.isipp.com. 172800 IN NS ns2.prgmr.com.
iadb.isipp.com. 172800 IN NS ns01.backupdns.com.
iadb.isipp.com. 172800 IN NS c.auth-ns.sonic.net.
iadb.isipp.com. 172800 IN NS ns1.ns.isipp.com.
;; Received 390 bytes from 67.227.190.38#53(ns1.ns.isipp.com) in 55 ms

I've disabled dnsmasq in my /etc/NetworkManager/NetworkManager.conf via

#dns=dnsmasq

However, when restarting the network I see:

dnsmasq[2323]: reading /etc/resolv.conf
dnsmasq[2323]: using nameserver 127.0.0.1#53
dnsmasq[2323]: using nameserver 127.0.0.1#53
NetworkManager[24113]: <info>  [1505852393.3238] nameserver '192.168.0.1'
NetworkManager[24113]: <info>  [1505852393.3238] nameserver '205.171.2.226'

Unfortunately, so far today since I've started trying to work this out there have been no queries to isipp by SA. I'll have to see what happens when there is one. I think, David, I may just be confusing myself more; at least the network is still up.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
11:32:46 up 19:12, 1 user, load average: 0.43, 0.54, 0.43
Description:	Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic
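As an added example, not code from the thread or from any of its participants, the following POSIX shell script automates the checks David walks through above: which programs hold port 53, whether /etc/resolv.conf points only at 127.0.0.1, and whether named.conf.options still has an active (uncommented) forwarders block. The netstat, resolv.conf and named.conf.options samples embedded in it are constructed to mirror the excerpts in the thread so the script runs offline; on a live host you would feed it the real `netstat -tunlap` output and the real files instead.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the "who owns port 53" checks.
# Sample inputs below are constructed to mirror the excerpts in the thread.

# Distinct PID/program pairs bound to a local :53 socket, read from
# `netstat -tunlap` output on stdin. Only the local-address column ($4) is
# tested, so outgoing queries to remote :53 (the TIME_WAIT lines) are ignored,
# and mDNS sockets on :5353 do not match because the regex needs ":53" at the end.
port53_owners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:53$/ && $NF != "-" { print $NF }' | sort -u
}

# Program names only (PID stripped). More than one name means two resolvers
# are competing for the same port, as named and dnsmasq were in the thread.
port53_programs() {
    port53_owners | sed 's#^[0-9]*/##' | sort -u
}

# Succeeds only when resolv.conf (stdin) names at least one nameserver and
# every one of them is 127.0.0.1, i.e. the local BIND.
resolv_is_local() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# Succeeds when named.conf.options (stdin) has no active forwarders block.
# // and # comments are stripped first, so the commented-out template block
# from the thread does not count as a forwarder.
no_active_forwarders() {
    if sed 's#//.*$##; s/#.*$//' | grep -q 'forwarders'; then
        return 1
    fi
    return 0
}

# Run all three checks on the given netstat output, resolv.conf contents and
# named.conf.options contents; prints each finding and returns the count.
audit() {
    problems=0
    programs=$(printf '%s\n' "$1" | port53_programs)
    count=$(printf '%s\n' "$programs" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "port 53 is owned by $count programs:" $programs
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$2" | resolv_is_local; then
        echo "/etc/resolv.conf does not point only at 127.0.0.1"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$3" | no_active_forwarders; then
        echo "named.conf.options still has an active forwarders block"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed samples modelled on the thread: named and dnsmasq both on :53,
# resolv.conf already local, forwarders block commented out.
SAMPLE_NETSTAT='tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1245/named
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1316/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1245/named
tcp 0 0 192.168.0.51:56697 192.52.178.30:53 TIME_WAIT -
udp 0 0 192.168.122.1:53 0.0.0.0:* 2323/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 1245/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1004/avahi-daemon:
udp6 0 0 :::5353 :::* 1004/avahi-daemon:'
SAMPLE_RESOLV='nameserver 127.0.0.1'
SAMPLE_NAMED='options {
    recursion yes;
    //forwarders {
    //127.0.0.1;
    //};
    listen-on { any; };
};'

# Stand-alone run on the samples. On a real host pass "$(netstat -tunlap)",
# "$(cat /etc/resolv.conf)" and "$(cat /etc/bind/named.conf.options)" instead.
audit "$SAMPLE_NETSTAT" "$SAMPLE_RESOLV" "$SAMPLE_NAMED" || echo "problems found: $?"
```

On the constructed sample the script reports exactly one problem, the two programs sharing port 53, which is the situation the `sudo netstat` output in the thread shows; once dnsmasq is gone and `listen-on { 127.0.0.1; };` is in place, the same checks should come back clean.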