11-09-2000 07:02 AM
Note: XX.XX.XX.XX is the IP address of the remote machine.
Is this a security issue? Since I am seeing that somebody is trying to telnet to port 53 (which is the designated port for DNS). If it is a security issue, what is the solution?
Thanks in advance
11-09-2000 07:05 AM
Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log
this turns on debugging
look then at /var/tmp/named.run for more information
11-09-2000 07:09 AM
11-09-2000 07:13 AM
Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log
If a DNS server has two IP addresses and you (your DNS server) send a request to one IP address, the badly implemented server could send out the reply on its other IP address, causing your server to generate the error because the answer came from a different IP address than the one the request was originally sent to. A well-implemented DNS server takes care of this and sends out the reply the same way the request came in.
I would not worry too much about this, or you could try to track it down further using Rainer's method.
11-09-2000 07:29 AM
Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log
http://www.securityportal.com/cover/coverstory20001002.html
The IP XX.XX.XX.XX is trying to force-feed your dns server with false dns information. That way, they can redirect the site that your users see when they attempt to connect to the spoofed site.
According to bugtraq, "As of this time you cannot protect yourself against an attacker brute forcing the DNS ID space" http://www.nationwide.net/~aleph1/FAQ
It appears that your dns server has the latest patches and so has been able to fend off the attack, however, I would advise that you just keep an eye on what is happening to your named process:
1. Run named in debug mode with:
# kill -USR1 `cat /var/run/named.pid`
(once more if you want a higher debug level)
2. Monitor the log file /var/tmp/named.run for more tell-tale signs!
3. If you need to turn off debugging, substitute -USR2 for -USR1 in the kill command.
Good luck
PS. You could configure your firewall (I assume you have a firewall set up) to prevent port 53 TCP connections from outside your network (except from the root name servers or servers you trust!)
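One way to do the log monitoring described in this thread, as an added example that is not part of any original post: tally the "Response from unexpected source" entries per sending address, so a burst from one host stands out from the occasional stray reply of a multi-homed server. The log line layout `([a.b.c.d].port)`, the threshold of 20, the function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise named's "Response from unexpected source"
# entries per source address.
# Assumption: the message carries the sender as ([a.b.c.d].port);
# adjust the sed pattern if your daemon.log uses another layout.

# tally_unexpected [threshold] < logfile
# Prints "count address verdict" per source, highest count first.
# The default threshold of 20 is an arbitrary starting point, not a BIND value.
tally_unexpected() {
    threshold=${1:-20}
    sed -n 's/.*[Rr]esponse from [Uu]nexpected [Ss]ource (\[\([0-9.]*\)]\.[0-9]*).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v t="$threshold" '{ print $1, $2, ($1 >= t ? "BURST" : "occasional") }'
}

# Constructed sample lines using documentation addresses; not taken from the thread.
sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "Nov  9 07:00:$i host named[312]: Response from unexpected source ([192.0.2.10].53)"
        i=$((i + 1))
    done
    echo "Nov  9 07:01:02 host named[312]: Response from unexpected source ([198.51.100.7].53)"
    echo "Nov  9 07:01:05 host named[312]: Lame server on 'example.com'"
}

# Demonstration on the constructed sample.
sample_log | tally_unexpected 20
```

Against a real log, feed the file on standard input, for example `tally_unexpected 20 < /var/adm/syslog/daemon.log`.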
11-09-2000 07:57 AM
Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log
Thanks for your quick response. I have added the IP addresses in inetd.sec that were found in daemon.log. I refreshed the inetd daemon. I have also started debugging for named. I am finding the IP addresses in named.run that were found in daemon.log. Now what should I look for in named.run that pertains to a security breach?
11-09-2000 08:14 AM
Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log
Unless you are running named from /etc/inetd.conf (which is unlikely), inetd.sec will not help you.
inetd.sec only protects the services that are managed by the inetd super-service. So you can use /etc/inetd.sec to block things like telnet/ftp/remsh etc., but not services that are started independently of inetd (such as named or httpd).
A good source of information on dns security is http://www.securityfocus.com