Re: sysquery: nslookup reports danger ()

Richard Hollenbeck · ‎05-22-2006

I am getting continuous alarms in syslog.log. The OS is HP-UX hqpsas01 B.11.00 U 9000/800 680309343 and the hardware is 9000/800/N4000-55. The alarms are:
May 22 09:58:58 SystemName named[2572]: sysquery: nslookup reports danger ()
May 22 09:59:09 SystemName above message repeats 11 times
May 22 09:59:09 SystemName named[2572]: ns_forw: query(55.24.34.10.in-addr.arpa) contains our address (SystemName:192.168.2.11) learnt (A=:NS=)
May 22 09:59:09 SystemName named[2572]: ns_forw: query(55.24.34.10.in-addr.arpa) No possible A RRs
May 22 09:59:09 SystemName named[2572]: sysquery: nslookup reports danger ()
May 22 10:00:05 SystemName named[2572]: sysquery: nslookup reports danger ()
May 22 10:00:11 SystemName above message repeats 16 times
May 22 10:00:14 SystemName named[2572]: sysquery: nslookup reports danger ()
May 22 10:00:24 SystemName : su : + tty?? root-sag
May 22 10:00:29 SystemName named[2572]: sysquery: query() contains our address (SystemName:192.168.2.11) learnt (A=:NS=)
May 22 10:00:29 SystemName named[2572]: sysquery: query() No possible A RRs
M
Can anyone tell me what this is and how to stop it?

Steven E. Protter · ‎05-22-2006

Shalom,

Its like a sci-fi movie?

swlist -l product | grep -i bind

Lets see what version of BIND you have installed.

Then check the integrity of your DNS database. if its on the local machine check /var/named or /var/named/chroot/var/named

It may actually be a problem in an external DNS server which may simply require you to notify your DNS/Networking folks.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Florian Heigl (new acc) · ‎05-22-2006

Have a look at:

http://archives.neohapsis.com/archives/incidents/2000-01/0284.html

the mentioned URL has become unavailable by now, but in essence it seems to state "dns zone trouble".

yesterday I stood at the edge. Today I'm one step ahead.

Richard Hollenbeck · ‎05-22-2006

SEP - the results from swlist are
hostname:/home/root # swlist -l product | grep -i bind
PHNE_14618 1.0 Bind 4.9.7 components
PHNE_20619 1.0 Bind 4.9.7 components
PHNE_23274 1.0 Bind 4.9.7 components
PHNE_28449 1.0 Bind 4.9.7 components
hostname:/home/root #

Sameer_Nirmal · ‎05-22-2006

Hi Richard,

The messages in the syslog indicates that the DNS server is quering itself (maybe after a failed query to a required resource)

Check the /etc/named.boot file and look for DNS server entry on "forwarders" line. The entry for DNS server needs to be removed and "named" should be stopped & started again.

# /sbin/init.d/named stop
# /sbin/init.d/named start

Richard Hollenbeck · ‎05-22-2006

my /etc/named.boot file looks like:

hqpsas01:/etc/DNS # more /etc/named.boot
;
; type domain source file
;

directory /etc/DNS ; running directory for named

primary 0.0.127.IN-ADDR.ARPA csi.local
primary csi.edu csi.edu
primary 168.192.IN-ADDR.ARPA reverse.192.168
cache . csi.hints

The contents of the /etc/DNS directory are:
-rw-r----- 1 root sys 22587 Feb 14 10:32 csi.edu
-rw-r----- 1 root sys 22611 Sep 23 2005 csi.edu-save
-rw-r--r-- 1 root sys 130 Jun 6 2003 csi.hints
-rw-r--r-- 1 root sys 259 May 13 2003 csi.local
-rw-r----- 1 root sys 14154 Jun 6 2003 csi1-csi.edue
-rw-rw-rw- 1 root sys 132 Nov 22 1996 csi1-csi.hints
-rwxrwxrwx 1 root sys 259 Nov 2 1999 csi1-csi.local
-rw-rw-rw- 1 root sys 223 Feb 10 1999 named.boot
drwxrwxrwx 2 root sys 1024 Feb 10 1999 restore
-rw-r----- 1 root sys 25297 Sep 23 2005 reverse.192.168
-rw-r----- 1 root sys 25223 Sep 23 2005 reverse.192.168-save

still lost ~~~~~~?

Sameer_Nirmal · ‎05-22-2006

Check the file csi.hints which is cache in your case.

There might be record entry "." having NS and A records for the DNS server.

If it is , remove that entry and restart the named daemon.

Richard Hollenbeck · ‎05-22-2006

csi.hints did have a "." entry having NS and A records for the DNS server. I commented it out and stopped/started named. I am still receiving the: sysquery: nslookup reports danger ()alarms every few seconds.

Richard Hollenbeck · ‎05-22-2006

more examples that may shed light?

May 22 14:51:21 hostname named[2572]: ns_forw: query(49.58.44.10.in-addr.arpa) No possible A RRs
May 22 14:51:21 hostname named[2572]: sysquery: nslookup reports danger ()
May 22 14:51:25 hostname named[2572]: sysquery: nslookup reports danger ()
May 22 14:51:25 hostname above message repeats 2 times
May 22 14:51:25 hostname named[2572]: sysquery: nslookup reports danger ()
May 22 14:51:34 hostname named[2572]: sysquery: nslookup reports danger ()
May 22 14:52:28 hostname named[2572]: sysquery: nslookup reports danger (hostname)
May 22 14:52:42 hostname named[2572]: sysquery: query() contains our address (hostname:192.168.2.11) learnt (A=:NS=)
May 22 14:52:42 hostname named[2572]: sysquery: query() No possible A RRs

the ns_forw and hostname learnt items confuse me.

Thank you for your efforts ~

Sameer_Nirmal · ‎05-23-2006

Richard,

The ns_forw query mean name server forward lookup is done for the shown entry in the zone configuration.

Since the concerned entry is not getting queried successfully, query is running against the DNS server (hostname , 192.168.2.11 ?) and there are no records found for A and NS.

So you need to check the DNS zone configuration for ns_forw errors. Refer those files mentioned in named.boot. Check what the ip 192.168.2.11 refers to etc.

Andrey Tumanov · ‎05-23-2006

Hello,

Your system is forwarding queries to a nameserver which cannot provide the needed information.

I recommend you to examine the db.cache
for any incorrect entries that could lead
to some sort of lame delegation.

If your system has direct connectivity to the Internet, you can edit your db.cache file to point directly to several Internet root servers.

After these changes, stop and restart named and the problem should be solved.

Good luck.

Richard Hollenbeck · ‎05-26-2006

Sameer - the hostname i.e the host I'm working with is DNS server (hostname , 192.168.2.11) I left off the actual hostname for privaacy reasons. As for db.cache?? Where is that located and how does one read it?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: sysquery: nslookup reports danger ()

sysquery: nslookup reports danger ()