Lately my logs are flooded with these kinds of errors:

    named[2448]: client <ip>#59969: query (cache) 'tld/A/IN' denied
    named[2448]: client <ip>#65519: query (cache) './ANY/IN' denied
    named[2448]: client <ip>#16808: query (cache) 'tld/NS/IN' denied

Is it an error in my named or is it just doing what it is supposed to? I recently upgraded from etch to lenny and I started to get these. Any ideas?
Is this a master or slave DNS server? Is the client IP always the same, or do you see many different client IPs?
Hello; This may not be related, but I noticed that my auth.log was full of warnings about intruders who are always trying to hack into our server(s). So I use this command line in the form of a script (so I can run a cron job on it), then get the intruders' IP addresses, and later I edit the /etc/hosts.deny file and put these IPs in there. Here's the grep command I use. The first one I had problems with, but the 2nd line kind of works:

    #grep 'Failed password' /var/log/auth.log | cut -d ']' --fields=2 | cut -d ' ' --fields=9 | sort | uniq -c | sort -nr > results.txt
    grep 'from' /var/log/auth.log | cut -d ' ' --fields=13 | sort | uniq -c | sort -nr > results.txt
    sleep 2
    cat results.txt | more

I grep column (field) number 13 here, but I also get a lot of junk in my results. I have not found a way to clean up the results.txt file yet. If anyone can solve this I will really appreciate it. The results.txt looks like this (too long to post, but just to give you an idea):

    2 70.33.245.232
    2 66.193.114.42
    2 59.52.25.250
    2 220.170.193.12
    2 204.124.181.82
    2 204.124.181.82
    2 204.124.181.82
    1 9759
    1 9427
    1 9103
    1 8733
    1 85.114.8.74
    1 85.114.8.74
    1 85.114.8.74
    1 85.114.8.74
    1 8435
    1 8124
    1 7773
    1 7452
    1 74.7.58.115
    1 70.33.245.232
    1 70.33.245.232
    1 6790
    1 64800
    1 64461
    1 6435
    1 64126
    1 64.34.178.37
    1 63809
    1 63509
    1 63203
    1 62882
    1 62540
    1 62257
    1 61972
    1 61681
    1 61344
    .....
    .......

These are real (mostly Chinese) IP addresses of people trying to break in, so I don't care what anyone does with them lol. I just do a whois on them and laugh.
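The "junk" in the results above (bare numbers like 9759 or 64800) are port numbers: `cut -f13` picks a fixed field, and an sshd line for an invalid user has one extra word, so the field after "from" shifts. Matching the address after the word "from" instead of counting fields avoids that, and sorting before `uniq -c` merges the duplicate lines (uniq only collapses adjacent entries). The script below is an added example written for this thread, not code from either poster; it does the same counting for the sshd lines in this post and for the BIND "query (cache) ... denied" lines in the first post, and emits hosts.deny-style lines for addresses over a threshold without touching /etc/hosts.deny itself. The log lines in it are constructed samples in the formats shown in the thread; the function names and the documentation IP ranges are my own.

```shell
#!/bin/sh
# Added example (not from the original thread). Counts source addresses in
# sshd and BIND log lines by pattern rather than by field position.

# Constructed sample sshd lines. The "invalid user" line has one extra word,
# which is why a fixed field number (cut -f13) returns a port number instead.
AUTH_SAMPLE="Jul 10 02:11:03 host sshd[1234]: Failed password for root from 204.124.181.82 port 51234 ssh2
Jul 10 02:11:05 host sshd[1235]: Failed password for invalid user admin from 204.124.181.82 port 51240 ssh2
Jul 10 02:11:09 host sshd[1236]: Failed password for root from 70.33.245.232 port 40001 ssh2
Jul 10 02:12:00 host sshd[1237]: Accepted password for alice from 192.0.2.10 port 22222 ssh2
Jul 10 02:13:41 host sshd[1238]: Failed password for root from 204.124.181.82 port 51300 ssh2"

# Constructed sample BIND lines in the format quoted in the first post
# (198.51.100.7 and 203.0.113.5 are documentation addresses, not real clients).
NAMED_SAMPLE="Jul 10 02:20:01 host named[2448]: client 198.51.100.7#59969: query (cache) 'tld/A/IN' denied
Jul 10 02:20:02 host named[2448]: client 203.0.113.5#65519: query (cache) './ANY/IN' denied
Jul 10 02:20:03 host named[2448]: client 192.0.2.10#40000: query: www.example.net IN A + (192.0.2.1)
Jul 10 02:20:04 host named[2448]: client 198.51.100.7#16808: query (cache) 'tld/NS/IN' denied"

# Reads sshd log lines on stdin, prints "count ip", most frequent first.
# The address is taken from the text after " from "; [0-9a-fA-F.:] also
# accepts IPv6. "sort | uniq -c" is needed because uniq only merges
# adjacent duplicates, which is where the repeated lines in results.txt came from.
failed_ssh_sources() {
    grep 'Failed password' \
      | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Reads named log lines on stdin, prints "count ip" for clients whose
# recursive (cache) queries BIND refused. Ordinary query-log lines are skipped.
denied_query_clients() {
    grep 'query (cache) .* denied' \
      | sed -n 's/.*client \([0-9a-fA-F.:]*\)#[0-9]*: .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Reads "count ip" lines on stdin and prints hosts.deny entries for sshd
# for every address seen at least $1 times. Output only; review it before
# appending anything to /etc/hosts.deny.
hosts_deny_lines() {
    awk -v min="$1" '$1 >= min {print "sshd: " $2}'
}

# Stand-alone run: show both counts and the candidate deny entries.
printf '%s\n' "$AUTH_SAMPLE" | failed_ssh_sources
printf '%s\n' "$NAMED_SAMPLE" | denied_query_clients
printf '%s\n' "$AUTH_SAMPLE" | failed_ssh_sources | hosts_deny_lines 2
```

On a live system replace the `printf` lines with `failed_ssh_sources < /var/log/auth.log` and `denied_query_clients < /var/log/daemon.log` (or wherever syslog puts named's messages on your box). Because the address is matched by pattern, the output contains only addresses, so the port-number noise disappears.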
It comes from many different IPs. I use OCCES to warn me about errors etc., and I just got home, having been away for 24 hours, and had 68 warnings all coming from 208.64.xx.xxx.
Hi, no, I don't know these IPs. Here is my named.conf. It seems like all the hits are coming from www[dot]blacklotus[dot]net; I managed to get through to their support. Are they spoofing me? Or how can I secure my BIND so it can't be spoofed?
DNS DDoS. Read the following to know what's going on: http://www.dshield.org/diary.html?storyid=5713. On the following page you'll find more links (check the DNS/BIND area): http://iulica.blogspot.com/2009/05/new-server-debian-server-setup.html. Hope it helps!