Named tld/A/IN denied

Discussion in 'Installation/Configuration' started by bernholdt, Aug 27, 2009.

  1. bernholdt

    bernholdt Member

    Latley my logs are flooded with these kind of errors

    named[2448]: client <ip>#59969: query (cache) 'tld/A/IN' denied
    named[2448]: client <ip>#65519: query (cache) './ANY/IN' denied
    named[2448]: client <ip>#16808: query (cache) 'tld/NS/IN' denied

    Is it a error in my named or is is just doing what it is supposed to? I recently upgraded from etch to lenny and i started to get these.
    Any ideas?
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Is this a master or slave DNS server?
    Is the client IP always the same, or do you see many different client IPs?
     
  3. matey

    matey New Member

    Hello;

    This may not be related but I noticed that my auth.log was full of warnings about Intruders who are always trying to hack into our server(s).
    So I use this command line in a form of a script (so I can run cron job on it) and then get the intruders IP addresses and later I edit /etc/hosts.deny file and put these IPs in there.

    Here's the grep command I use:
    The first one I had problems with but the 2nd line kind of works**

    #grep 'Failed password' /var/log/auth.log|cut -d ']' --fields=2|cut -d ' ' --fields=9|uniq -c|sort -nr > results.txt

    grep 'from' /var/log/auth.log|cut -d ' ' --field=13|uniq -c|sort -nr > results.txt
    sleep 2
    cat results.txt |more

    ** I grep column (field) number 13 here but I also get a lot of junk in my results.
    I have not found a way to clean up the results.txt file yet?
    If anyone can solve this I will really appreciate it.

    The results.txt looks like this: (too long to post but to just give you an idea):
    2 70.33.245.232
    2 66.193.114.42
    2 59.52.25.250
    2 220.170.193.12
    2 204.124.181.82
    2 204.124.181.82
    2 204.124.181.82
    1 9759
    1 9427
    1 9103
    1 8733
    1 85.114.8.74
    1 85.114.8.74
    1 85.114.8.74
    1 85.114.8.74
    1 8435
    1 8124
    1 7773
    1 7452
    1 74.7.58.115
    1 70.33.245.232
    1 70.33.245.232
    1 6790
    1 64800
    1 64461
    1 6435
    1 64126
    1 64.34.178.37
    1 63809
    1 63509
    1 63203
    1 62882
    1 62540
    1 62257
    1 61972
    1 61681
    1 61344.....
    .......
    These are real (mostly chinese) IP addresses of ppl trying to break in so I dont care what anyone does with them lol
    I just do a whois on them and laugh
    :D
     
    Last edited: Aug 28, 2009
  4. bernholdt

    bernholdt Member

    It comes from many different ip's
    i use OCCES to warn me about errors etc. and i just got home have been away for 24 hours and i had 68 warnings all coming from 208.64.xx.xxx.
     
  5. falko

    falko Super Moderator ISPConfig Developer

    So you don't know these IPs?
    What's in your named.conf?
     
  6. bernholdt

    bernholdt Member

    Hi no i dont know these ip's
    here is my named.conf
    seems like all the hits are coming from www[dot]blacklotus[dot]net
    i managed to get trough to their support.
    Are they spoofing me? or how can i secure my bind to not be spoofed?
     
    Last edited: Aug 30, 2009
  7. digitalage

    digitalage New Member

Share This Page