Discussion in 'Installation/Configuration' started by bernholdt, Aug 27, 2009.

  1. bernholdt

    bernholdt Member

    Lately my logs are flooded with these kinds of errors

    named[2448]: client <ip>#59969: query (cache) 'tld/A/IN' denied
    named[2448]: client <ip>#65519: query (cache) './ANY/IN' denied
    named[2448]: client <ip>#16808: query (cache) 'tld/NS/IN' denied

    Is it an error in my named or is it just doing what it is supposed to? I recently upgraded from etch to lenny and I started to get these.
    Any ideas?
  2. falko

    falko Super Moderator ISPConfig Developer

    Is this a master or slave DNS server?
    Is the client IP always the same, or do you see many different client IPs?
  3. matey

    matey New Member


    This may not be related, but I noticed that my auth.log was full of warnings about intruders who are always trying to hack into our server(s).
    So I use this command line in the form of a script (so I can run a cron job on it) and then get the intruders' IP addresses, and later I edit the /etc/hosts.deny file and put these IPs in there.

    Here's the grep command I use:
    The first one I had problems with, but the 2nd line kind of works**

    # sort before uniq -c, otherwise only adjacent duplicates are counted
    #grep 'Failed password' /var/log/auth.log | cut -d ']' --fields=2 | cut -d ' ' --fields=9 | sort | uniq -c | sort -nr > results.txt

    grep 'from' /var/log/auth.log | cut -d ' ' --fields=13 | sort | uniq -c | sort -nr > results.txt
    sleep 2
    more results.txt

    ** I grep column (field) number 13 here, but I also get a lot of junk in my results.
    I have not found a way to clean up the results.txt file yet.
    If anyone can solve this I will really appreciate it.

    The results.txt looks like this (too long to post, but just to give you an idea):
    These are real (mostly Chinese) IP addresses of people trying to break in, so I don't care what anyone does with them lol
    I just do a whois on them and laugh
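    As an added example (not matey's script and not part of the original thread), the functions below extract source IPs from both kinds of log lines discussed here: the sshd "Failed password" lines matey is counting, and the named "query (cache) ... denied" lines from bernholdt's first post. Instead of cutting a fixed field, which picks up junk from unrelated lines containing "from", the IP is matched only on the lines of interest and only in the position where it appears; sorting before uniq -c makes the counts cover the whole file. The log lines are constructed samples using documentation addresses, and the script assumes a POSIX shell with grep -E -o, sed, sort and uniq.

```shell
#!/bin/sh
# Added example: count offending source IPs per log type.
# Both sample logs below are constructed, not taken from the thread.

# Count failed SSH password attempts per source IP, most frequent first.
# Only "Failed password" lines are considered, and the IP is taken from the
# "from <ip>" token rather than from a fixed whitespace-separated field.
failed_ssh_by_ip() {
    grep 'Failed password for' "$1" \
    | grep -oE 'from [0-9]+(\.[0-9]+){3}' \
    | cut -d ' ' -f 2 \
    | sort | uniq -c | sort -nr
}

# Count denied recursive queries per client IP from named syslog lines.
# The client IP sits between "client " and "#<port>".
denied_named_by_ip() {
    grep 'query (cache)' "$1" | grep 'denied' \
    | sed -n 's/.*client \([0-9.]*\)#.*/\1/p' \
    | sort | uniq -c | sort -nr
}

# Constructed auth.log sample: 203.0.113.5 fails twice, 192.0.2.9 once,
# and 198.51.100.7 only has non-failure lines that also contain "from".
AUTH_FILE=$(mktemp)
cat > "$AUTH_FILE" <<'EOF'
Aug 27 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Aug 27 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 41240 ssh2
Aug 27 10:02:11 host sshd[1240]: Accepted password for alice from 198.51.100.7 port 5022 ssh2
Aug 27 10:03:30 host sshd[1250]: Failed password for invalid user test from 192.0.2.9 port 3321 ssh2
Aug 27 10:04:00 host sshd[1260]: Received disconnect from 198.51.100.7: 11: Bye Bye
EOF

# Constructed named log sample in the same shape as the lines in the first post.
NAMED_FILE=$(mktemp)
cat > "$NAMED_FILE" <<'EOF'
Aug 27 11:00:01 host named[2448]: client 198.51.100.23#59969: query (cache) 'tld/A/IN' denied
Aug 27 11:00:02 host named[2448]: client 198.51.100.23#65519: query (cache) './ANY/IN' denied
Aug 27 11:00:03 host named[2448]: client 192.0.2.77#16808: query (cache) 'tld/NS/IN' denied
Aug 27 11:00:04 host named[2448]: client 198.51.100.23#16810: query: example.com IN A + (203.0.113.1)
EOF
trap 'rm -f "$AUTH_FILE" "$NAMED_FILE"' EXIT

echo "Failed SSH logins by source IP:"
failed_ssh_by_ip "$AUTH_FILE"
echo "Denied named queries by client IP:"
denied_named_by_ip "$NAMED_FILE"
```

    To run it against the real files, call failed_ssh_by_ip /var/log/auth.log or denied_named_by_ip /var/log/syslog (or wherever named logs on the box); the output of the second one answers falko's question of whether the denied queries come from one client or many.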
  4. bernholdt

    bernholdt Member

    It comes from many different IPs.
    I use OCCES to warn me about errors etc. and I just got home, having been away for 24 hours, and I had 68 warnings all coming from
  5. falko

    falko Super Moderator ISPConfig Developer

    So you don't know these IPs?
    What's in your named.conf?
  6. bernholdt

    bernholdt Member

    Hi, no I don't know these IPs.
    Here is my named.conf
    Seems like all the hits are coming from www[dot]blacklotus[dot]net.
    I managed to get through to their support.
    Are they spoofing me? Or how can I secure my bind to not be spoofed?
  7. digitalage

    digitalage New Member

