On Tue, 2017-09-19 at 15:40 -0500, Chris wrote:
> On Tue, 2017-09-19 at 08:41 -0500, David Jones wrote:
> >
> > On 09/19/2017 08:25 AM, Chris wrote:
> > >
> > > On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> > > >
> > > > On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > > > >
> > > > > On 09/18/2017 06:03 PM, Chris wrote:
> > > > [snip]
> > > > >
> > > > > >
> > > > > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > > > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > > > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > > > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > > > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > > > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > > > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > > > >
> > > > > > I'm not really running a mail server in the true sense of the
> > > > > > word, I believe. Fetchmail queries my email accounts and pipes the
> > > > > > messages through procmail. Anything that doesn't already have a
> > > > > > recipe is run through SA. I'm just using Bind to speed up the
> > > > > > queries that SA makes. I believe I'm stating that correctly, but
> > > > > > who knows, could be way off.
> > > > > >
> > > > > > If I can give any other information I'll be glad to do it. Again,
> > > > > > I have no idea why the queries are going to 168.150.251.35. There
> > > > > > hasn't been another query to isipp since a bit after noon. I'll
> > > > > > see what happens the next time there is one.
> > > > > >
> > > > > Run 'netstat -tunlap | grep ":53 "' and see what is listening on
> > > > > port 53 as your DNS server. You probably need to remove/uninstall
> > > > > dnsmasq.
> > > > >
> > > > > Here's my output:
> > > > >
> > > > > # netstat -tunlap | grep ":53 "
> > > > > tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 24019/pdns_recursor
> > > > > udp 0 0 127.0.0.1:53 0.0.0.0:* 24019/pdns_recursor
> > > > >
> > > > > Once you know you are only running named on port 53, then make
> > > > > sure your named.conf doesn't have any forwarders defined in the
> > > > > options section.
> > > > >
> > > > > Now check your logs and see if you are still getting a lot of
> > > > > refused responses. BIND should be doing full recursive lookups
> > > > > directly to the authoritative DNS servers just like you saw with
> > > > > the "dig +trace" command.
> > > > >
> > > > David, here's my output. I ran as sudo to see all inclusive:
> > > >
> > > > sudo netstat -tunlap | grep ":53"
> > > > [sudo] password for chris:
> > > > tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1245/named
> > > > tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1316/dnsmasq
> > > > tcp 0 0 192.168.0.51:53 0.0.0.0:* LISTEN 1245/named
> > > > tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1245/named
> > > > tcp 0 0 192.168.0.51:56697 192.52.178.30:53 TIME_WAIT -
> > > > tcp 1 1 192.168.0.51:33475 198.97.190.53:53 CLOSING -
> > > > tcp 0 0 192.168.0.51:52483 192.5.6.30:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:57335 192.5.6.30:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:56609 192.52.178.30:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:36143 199.19.56.1:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:47629 199.7.83.42:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:58201 192.48.79.30:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:53145 199.19.56.1:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:55073 199.7.83.42:53 TIME_WAIT -
> > > > tcp 0 0 192.168.0.51:41719 192.48.79.30:53 TIME_WAIT -
> > > > tcp 1 1 192.168.0.51:40633 198.97.190.53:53 CLOSING -
> > > > udp 0 0 192.168.122.1:53 0.0.0.0:* 2323/dnsmasq
> > > > udp 0 0 192.168.122.1:53 0.0.0.0:* 1245/named
> > > > udp 0 0 127.0.1.1:53 0.0.0.0:* 1316/dnsmasq
> > > > udp 0 0 192.168.0.51:53 0.0.0.0:* 1245/named
> > > > udp 0 0 127.0.0.1:53 0.0.0.0:* 1245/named
> > > > udp 0 0 0.0.0.0:5353 0.0.0.0:* 1533/snapweb
> > > > udp 0 0 0.0.0.0:5353 0.0.0.0:* 1004/avahi-daemon:
> > > > udp6 0 0 :::5353 :::* 1533/snapweb
> > > > udp6 0 0 :::5353 :::* 1004/avahi-daemon:
> > > >
> > > I neglected to insert my /etc/bind/named.conf.options file
> > >
> > > acl goodclients {
> > > 127.0.0.1;
> > > localhost;
> > > localnets;
> > > };
> > >
> > > options {
> > > directory "/var/cache/bind";
> > > geoip-directory "/usr/share/GeoIP";
> > >
> > > recursion yes;
> > > allow-query { goodclients; };
> > >
> > > // If there is a firewall between you and nameservers you want
> > > // to talk to, you may need to fix the firewall to allow multiple
> > > // ports to talk. See http://www.kb.cert.org/vuls/id/800113
> > >
> > > // If your ISP provided one or more IP addresses for stable
> > > // nameservers, you probably want to use them as forwarders.
> > > // Uncomment the following block, and insert the addresses replacing
> > > // the all-0's placeholder.
> > >
> > > //forwarders {
> > > //127.0.0.1;
> > > //};
> > >
> > > //========================================================================
> > > // If BIND logs error messages about the root key being expired,
> > > // you will need to update your keys. See https://www.isc.org/bind-keys
> > > //========================================================================
> > > //dnssec-validation auto;
> > >
> > > auth-nxdomain no; # conform to RFC1035
> > > //listen-on-v6 { any; };
> > > listen-on { any; };
> > > };
> > >
> > Change this in the named.conf.options and BIND should be fine:
> >
> > listen-on { 127.0.0.1; };
> >
> > Uninstall dnsmasq and make sure it's no longer listening on
> > 127.0.1.1:53
> > just to keep things simple.
> >
> > Your /etc/resolv.conf should be pointed to 127.0.0.1, which it should
> > already be based on the dig +trace output.
> >
> > Now check your logs to see if you are still getting odd queries to
> > destinations that aren't authoritative DNS servers which are being
> > refused. Use dig +trace to check responses which should match the
> > http://multirbl.valli.org site responses for that particular RBL or
> > whitelist, excluding IVM which is a subscription-based RBL.
> >
> Here's the output now of the dig +trace
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
> tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
> udp 0 0 127.0.0.1:53 0.0.0.0:* -
> udp 0 0 192.168.122.1:53 0.0.0.0:* -
> udp 0 0 127.0.1.1:53 0.0.0.0:* -
> udp 0 0 0.0.0.0:5353 0.0.0.0:* -
> udp 0 0 0.0.0.0:5353 0.0.0.0:* -
> udp6 0 0 :::5353 :::* -
> udp6 0 0 :::5353 :::* -
>
> I'm getting different outputs each time I run dig +trace 65.43.116.208.iadb.isipp.com
>
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.1.255
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.2
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.3
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.202.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.4
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.201.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.3.100.10
> ;; Received 201 bytes from 147.75.64.146#53(c.auth-ns.sonic.net) in 67 ms
>
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.2
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.3.100.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.4
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.0.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.202.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.2.255.3
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.101.201.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A 127.0.1.255
> iadb.isipp.com. 172800 IN NS ns2.ns.isipp.com.
> iadb.isipp.com. 172800 IN NS b.auth-ns.sonic.net.
> iadb.isipp.com. 172800 IN NS a.auth-ns.sonic.net.
> iadb.isipp.com. 172800 IN NS ns2.prgmr.com.
> iadb.isipp.com. 172800 IN NS ns01.backupdns.com.
> iadb.isipp.com. 172800 IN NS c.auth-ns.sonic.net.
> iadb.isipp.com. 172800 IN NS ns1.ns.isipp.com.
> ;; Received 390 bytes from 67.227.190.38#53(ns1.ns.isipp.com) in 55 ms
>
> I've disabled dnsmasq in my /etc/NetworkManager/NetworkManager.conf via
> #dns=dnsmasq
>
> However, when restarting the network I see:
> dnsmasq[2323]: reading /etc/resolv.conf
> dnsmasq[2323]: using nameserver 127.0.0.1#53
> dnsmasq[2323]: using nameserver 127.0.0.1#53
>
> NetworkManager[24113]: <info> [1505852393.3238] nameserver '192.168.0.1'
> NetworkManager[24113]: <info> [1505852393.3238] nameserver '205.171.2.226'
>
> Unfortunately so far today since I've started trying to work this out
> there have been no queries to isipp by SA. I'll have to see what
> happens when there is one.
>
> I think, David, I may just be confusing myself more; at least the
> network is still up.
>
A reply to self,

named[8076]: REFUSED unexpected RCODE resolving 'ns2.ns.isipp.com/A/IN': 168.150.251.35#53
named[8076]: REFUSED unexpected RCODE resolving 'ns1.ns.isipp.com/A/IN': 168.150.251.35#53

Still seeing this

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:44:32 up 1 day, 23 min, 1 user, load average: 0.73, 0.60, 0.66
Description: Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic
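The port-53 listener check David walks Chris through above (run netstat -tunlap, confirm only named is bound, then restrict it to loopback), as an added example that is not part of this thread: it parses netstat output and flags the two conditions the thread turned up, a second daemon (dnsmasq) on port 53 and a resolver listening on non-loopback addresses. The sample output is constructed to mirror the thread's, with illustrative PIDs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat -tunlap output posted in the
# thread (same addresses and programs; PIDs are illustrative).
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.122.1:53   0.0.0.0:*          LISTEN      1245/named
tcp        0      0 127.0.1.1:53       0.0.0.0:*          LISTEN      1316/dnsmasq
tcp        0      0 127.0.0.1:53       0.0.0.0:*          LISTEN      1245/named
tcp        0      0 192.168.0.51:56697 192.52.178.30:53   TIME_WAIT   -
udp        0      0 192.168.122.1:53   0.0.0.0:*                      2323/dnsmasq
udp        0      0 127.0.0.1:53       0.0.0.0:*                      1245/named
udp        0      0 0.0.0.0:5353       0.0.0.0:*                      1004/avahi-daemon:
"""

# Fields: proto recv-q send-q local remote [state] pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<prog>-|\d+/\S+)\s*$"
)

def port53_listeners(netstat_text):
    """Map program name -> sorted ['proto addr', ...] for sockets bound to :53."""
    listeners = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, state, prog = m.group("proto", "local", "state", "prog")
        addr, _, port = local.rpartition(":")
        if port != "53":
            continue
        # UDP has no LISTEN state; TCP TIME_WAIT/CLOSING rows are outbound queries, not listeners.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        name = prog.split("/", 1)[1].rstrip(":") if "/" in prog else "unknown"
        listeners[name].add(f"{proto} {addr}")
    return {name: sorted(socks) for name, socks in listeners.items()}

def audit(netstat_text):
    """Flag what the thread is chasing: a second daemon on port 53, and a
    resolver bound beyond loopback (David's fix is listen-on { 127.0.0.1; })."""
    found = port53_listeners(netstat_text)
    findings = []
    if len(found) > 1:
        findings.append("multiple programs on port 53: " + ", ".join(sorted(found)))
    for name, socks in found.items():
        exposed = [s for s in socks if not s.split()[1].startswith("127.")]
        if exposed:
            findings.append(f"{name} listens beyond loopback: {', '.join(exposed)}")
    return findings
```

On a live host, feed it the real output with `audit(subprocess.check_output(["netstat", "-tunlap"], text=True))`; an empty result means a single resolver bound only to loopback.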
