named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

 
SOLVED
Go to solution
HPP
Regular Advisor

On our DNS server, I am seeing the following message in /var/adm/syslog/daemon.log: "Nov 8 22:45:59 test named[690]: Response from unexpected source ([XX.XX.XX.XX].53)."
Note: XX.XX.XX.XX is the IP address of the remote machine.
Is this a security issue? Since I am seeing that somebody is trying to telnet to port 53 (which is the designated port for DNS). If it is a security issue, what is the solution?

Thanks in advance
Be Teachable
Rainer_1
Honored Contributor

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

Find the pid of named, then kill -SIGUSR1 it.
This turns on debugging.
Then look at /var/tmp/named.run for more information.
CHRIS ANORUO
Honored Contributor
Solution

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

Block telnet services for that ip address through /var/adm/inetd.sec file and warn the user, if they are not supposed to access the server.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Lasse Knudsen
Esteemed Contributor

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

It *could* indicate a security problem but it is more likely that it is caused by a bad implementation of a DNS-server.

If a DNS server has two IP addresses and you (your DNS server) send a request to one IP address, the badly implemented server could send the reply out from its other IP address, causing your server to generate the error because the answer came from a different IP address than the one the request was originally sent to. A well-implemented DNS server takes care of this and sends out the reply the same way the request came in.

I would not worry too much about this, or you could try to track it down further using Rainer's method.
In a world without fences - who needs Gates ?
Kofi ARTHIABAH
Honored Contributor

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

It would appear that an attempt at "poisoning" your name server is in progress. This is when an attacker tries to change the DNS data or spoof your DNS server into believing false data! See:
http://www.securityportal.com/cover/coverstory20001002.html


The IP XX.XX.XX.XX is trying to force-feed your DNS server with false DNS information. That way, they can redirect the site that your users see when they attempt to connect to the spoofed site.

According to bugtraq, "As of this time you cannot protect yourself against an attacker brute forcing the DNS ID space" http://www.nationwide.net/~aleph1/FAQ


It appears that your DNS server has the latest patches and so has been able to fend off the attack; however, I would advise that you just keep an eye on what is happening to your named process:

1. Run named in debug mode with:
# kill -USR1 `cat /var/run/named.pid`
(once more if you want a higher debug level)

2. Monitor the log file /var/tmp/named.run for more tell-tale signs!

3. If you need to turn off debugging, use -USR2 instead of -USR1 in the kill command.

Good luck

PS. You could configure your firewall (I assume you have a firewall set up) to prevent port 53 TCP connections from outside your network (except from the root name servers or servers you trust!)
nothing wrong with me that a few lines of code cannot fix!
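An added example, not from any of the posts above: a small POSIX shell script that does the first triage step a defender would want before reading named.run. It pulls every source address out of "Response from unexpected source" lines in a daemon.log, counts them, and marks each one as "known" (an address of a name server this resolver deliberately queries, which is Lasse's multi-homed-server explanation) or "unknown" (worth the closer look Kofi recommends). The log lines and the known-server list are constructed sample data using documentation addresses (192.0.2.0/24, 198.51.100.0/24); on a real system you would feed it the actual daemon.log and your forwarders or resolv.conf entries.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "Response from unexpected source"
# lines from a BIND daemon.log and flag which source addresses are not among the
# name servers this resolver is known to query.

# Constructed sample log lines, in the format shown in the original question.
SAMPLE_LOG='Nov 8 22:45:59 test named[690]: Response from unexpected source ([192.0.2.53].53).
Nov 8 22:46:03 test named[690]: Response from unexpected source ([192.0.2.53].53).
Nov 8 22:47:10 test named[690]: Response from unexpected source ([198.51.100.9].53).
Nov 8 22:48:00 test named[690]: some unrelated message'

# Constructed list of name servers we deliberately send queries to
# (forwarders, resolv.conf nameservers, and their other interfaces).
KNOWN_SERVERS='192.0.2.53
192.0.2.54'

# Print "count ip" for every source address named complained about,
# most frequent first. Argument: the log text.
unexpected_sources() {
    printf '%s\n' "$1" |
        sed -n 's/.*Response from unexpected source (\[\([0-9.]*\)\]\.[0-9]*).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Classify one address: "known" if it is a server we query on purpose
# (a multi-homed server answering from its other address), else "unknown".
classify() {
    if printf '%s\n' "$KNOWN_SERVERS" | grep -qxF "$1"; then
        echo known
    else
        echo unknown
    fi
}

# One line per source address: count, address, classification.
report() {
    unexpected_sources "$1" | while read -r count ip; do
        echo "$count $ip $(classify "$ip")"
    done
}

report "$SAMPLE_LOG"
```

Run against the sample data it prints one line per source, and the "unknown" entries are the ones to follow in named.run; a large count from a single unknown address is also the pattern you would want a syslog watcher to alert on rather than discovering it by eye.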
HPP
Regular Advisor

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

Guys,
Thanks for your quick response. I have added the IP address that was found in daemon.log to inetd.sec. I refreshed the inetd daemon. I have also started debugging for named. I am finding the IP address in named.run that was found in daemon.log. Now what should I look for in named.run that pertains to a security breach?

Be Teachable
Kofi ARTHIABAH
Honored Contributor

Re: named logs "Response from Unexpected Source" in /var/adm/syslog/daemon.log

Padmanabha:

Unless you are running named from /etc/inetd.conf (which is unlikely), inetd.sec will not help you.

inetd.sec only protects the services that are managed by the inetd super-service. So you can use /etc/inetd.sec to block things like telnet/ftp/remsh etc., but not services that are started independently of inetd (such as named or httpd).

A good source of information on dns security is http://www.securityfocus.com

nothing wrong with me that a few lines of code cannot fix!