Named logs denied messages related to external view

bind

I have around 200k identical entries in my /var/log/messages received from named, like:

Oct 29 15:48:34 server named[878]: client 75.100.*.*#56448: view external: query (cache) 'example.com.co/A/IN' denied

Where example.com.co is an external domain not related to my site and is being blocked for some reason. The external view is configured as below:

view "external" {
    recursion no;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    zone "example2.com" {
        type master;
        file "/var/named/example2.db";
    };
};

Where example2.com is my own domain. Could you please explain what the log entry actually means and what I should do to prevent it from being logged?

Thanks.

Configuration:
CentOS 6, BIND 9.7

Best Answer

It seems you have users querying your server for names that aren't yours. If the 200k log events are all from the same client IP address, I'd block that IP in my firewall for 24-48 hours to see if they stop and report them to their ISP. If they're from many different addresses (especially from different ISPs and different parts of the world), I'd spend some time to figure out why they're querying your server.

dig example.com.co. NS

Does the above command mistakenly list your name server as an authoritative one for their domain? If so, contact them using their whois contact information.
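The answer's first decision is whether the denials come from one client address or from many. The Python script below is an added example, not part of the original answer: it tallies denial lines in the format shown in the question by client IP and by queried name. The sample log lines, the function names and the 0.9 single-source threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Denial line format as shown in the question (BIND 9.7 via syslog).
DENIED = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"view (?P<view>[^:]+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

# Constructed sample lines; client addresses are documentation ranges.
SAMPLE = """\
Oct 29 15:48:34 server named[878]: client 192.0.2.10#56448: view external: query (cache) 'example.com.co/A/IN' denied
Oct 29 15:48:34 server named[878]: client 192.0.2.10#56449: view external: query (cache) 'example.com.co/A/IN' denied
Oct 29 15:48:35 server named[878]: client 192.0.2.10#40112: view external: query (cache) 'example.com.co/ANY/IN' denied
Oct 29 15:48:36 server named[878]: client 198.51.100.7#5353: view external: query (cache) 'example.com.co/A/IN' denied
Oct 29 15:48:37 server named[878]: client 2001:db8::53#61000: view external: query (cache) 'example.com.co/A/IN' denied
Oct 29 15:48:38 server named[878]: zone example2.com/IN/external: loaded serial 2013102901
""".splitlines()

def summarize(lines, view="external"):
    """Tally denied queries in one view per client IP and per (name, type)."""
    clients, queries = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if m and m["view"] == view:  # non-denial lines are skipped
            clients[m["ip"]] += 1
            queries[(m["qname"].lower().rstrip("."), m["qtype"])] += 1
    return clients, queries

def classify(clients, single_source_share=0.9):
    """Return ('single-source', ip), ('distributed', None) or ('no-denials', None)."""
    total = sum(clients.values())
    if total == 0:
        return ("no-denials", None)
    ip, hits = clients.most_common(1)[0]
    if hits / total >= single_source_share:  # assumed threshold
        return ("single-source", ip)
    return ("distributed", None)

if __name__ == "__main__":
    clients, queries = summarize(SAMPLE)
    print(classify(clients))
    for ip, n in clients.most_common():
        print(f"{n:6d}  {ip}")
    for (qname, qtype), n in queries.most_common():
        print(f"{n:6d}  {qname} {qtype}")
```

To run it against the real log, pass `open("/var/log/messages")` to `summarize` in place of `SAMPLE`.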
