Operating System - Tru64 Unix

Jefferson_6
Frequent Advisor

DNS daemon message?

Hi guys,
I don't know if it's an alarming message. I just get this every day in my mails for root. Is this a problem?

Formatted Message:
EVM daemon: High event activity - exceeds 500 in 3 minutes

Event Data Items:
Event Name : sys.unix.evm.daemon.event_activity
Priority : 600
PID : 162
PPID : 1
Event Id : 84326
Timestamp : 21-Sep-2005 09:23:40
Host IP address : 66.187.x.x
Host Name : hostname.mydomain.com
User Name : root
Format : EVM daemon: High event activity - exceeds $count in $period minutes
Reference : cat:evmexp.cat:100

Variable Items:
count (INT32) = 500
period (INT32) = 3
Venkatesh BL
Honored Contributor

Re: DNS daemon message?

Looks like the system is generating a lot of events (dunno of what kind)...
What does the /var/adm/syslog.dated/current/daemon.log file say? Also, check the /var/adm/messages file.
Jefferson_6
Frequent Advisor

Re: DNS daemon message?

Here's the output of my /var/adm/syslog.dated/current/daemon.log.
I'm running a DNS server here.

Sep 29 13:01:40 angeles named[79209]: unapproved query from [202.147.29.196].531 51 for "164.151.161.68.in-addr.arpa"
Sep 29 13:01:40 angeles last message repeated 2 times
Sep 29 13:01:41 angeles named[79209]: unapproved query from [203.131.131.35].262 7 for "pwn.endtheracism.info"
Sep 29 13:01:43 angeles named[79209]: unapproved query from [203.131.131.35].262 9 for "pwn.endtheracism.info"
Sep 29 13:01:43 angeles named[79209]: unapproved query from [203.131.131.35].102 5 for "software-files.download.com"
Sep 29 13:01:43 angeles named[79209]: unapproved query from [203.131.131.35].177 4 for "teenspicy.com"
Sep 29 13:01:44 angeles named[79209]: unapproved query from [203.131.131.35].178 6 for "ern.nnctx.com.ru"
Sep 29 13:01:44 angeles named[79209]: unapproved query from [203.131.131.35].178 9 for "pwn.nauf.info"
Sep 29 13:01:44 angeles named[79209]: unapproved query from [203.131.131.35].179 0 for "0.0.29.13"
Sep 29 13:01:45 angeles named[79209]: unapproved query from [203.131.131.35].263 1 for "pwn.endtheracism.info"
Venkatesh BL
Honored Contributor

Re: DNS daemon message?

So, this could be the problem. You may have to investigate as to why named is spilling out this message.
Jefferson_6
Frequent Advisor

Re: DNS daemon message?

I only allow my network to query my DNS. That's maybe why I get those unapproved queries. Or is it the other way around? Any ideas on how to lessen this? Or will this affect my system, or is it OK to have this kind of logs?
Venkatesh BL
Honored Contributor

Re: DNS daemon message?

Check the system names shown in the log output. Are those systems on your network? Looks fishy to me.
Jefferson_6
Frequent Advisor

Re: DNS daemon message?

None of those IP addresses or names are on my network. What will I do with this? Both my primary and master have the same message. I only encountered this when I put allow-query and allow-recursion accessible only to my network.
Venkatesh BL
Honored Contributor

Re: DNS daemon message?

I am not sure about the cause for this behaviour. I googled "unapproved query from" and got many hits. Maybe you could browse through them.
Al Licause
Trusted Contributor

Re: DNS daemon message?

If you disallow queries from specific clients, then each time one of those clients attempts to query your name server for any type of information, it will log one of those events.

Are you authoritative for a public or private domain ?

I haven't investigated whether or not you can exhibit any more control on the type of queries that come in, but this might be a starting point. If you are going to limit the queries that your name server will honor, then expect this type of event volume.
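Added example (not from the thread and not a Tru64 or BIND tool): a small POSIX shell/awk script that summarises the "unapproved query" lines in daemon.log by client address, so you can see which outside hosts are producing the event volume described above before deciding whether raising the EVM threshold is the right response. It assumes the daemon.log line format shown earlier in the thread; the sample lines and addresses below are constructed.

```shell
#!/bin/sh
# Summarise BIND "unapproved query" lines from a Tru64 daemon.log by client.
# Assumed line format (as shown in the thread):
#   Mon DD HH:MM:SS host named[pid]: unapproved query from [A.B.C.D].PORT for "name"
# Constructed sample input (RFC 5737 documentation addresses, not real clients):
SAMPLE_LOG='Sep 29 13:01:40 angeles named[79209]: unapproved query from [198.51.100.7].53151 for "164.151.161.68.in-addr.arpa"
Sep 29 13:01:40 angeles last message repeated 2 times
Sep 29 13:01:41 angeles named[79209]: unapproved query from [203.0.113.9].2627 for "example.test"
Sep 29 13:01:43 angeles named[79209]: unapproved query from [203.0.113.9].2629 for "example.test"
Sep 29 13:01:43 angeles named[79209]: unapproved query from [203.0.113.9].1025 for "files.example.test"
Sep 29 13:01:44 angeles named[79209]: unapproved query from [192.0.2.20].1790 for "0.0.29.13"'

# Read log lines on stdin; print "<count> <client>" per client, highest first.
# syslog "last message repeated N times" lines are credited to the client of
# the immediately preceding unapproved query, which is what syslog collapsed.
unapproved_by_client() {
    awk '
        /named\[[0-9]+\]: unapproved query from \[/ {
            # token after "from" is [A.B.C.D].PORT: strip the brackets and port
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            sub(/^\[/, "", src); sub(/\]\..*$/, "", src)
            last = src; n[src]++; next
        }
        /last message repeated [0-9]+ times/ && last != "" {
            for (i = 1; i <= NF; i++) if ($i == "repeated") { n[last] += $(i + 1); break }
        }
        END { for (c in n) printf "%d %s\n", n[c], c }
    ' | sort -rn
}

# Print only clients at or above a refused-query threshold (default 3):
# the hosts most likely to be pushing the EVM daemon past its activity limit.
noisy_clients() {
    threshold=${1:-3}
    unapproved_by_client | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample; for a real system use:
#   noisy_clients 50 < /var/adm/syslog.dated/current/daemon.log
printf '%s\n' "$SAMPLE_LOG" | unapproved_by_client
```

The per-client counts are what to compare against the EVM count/period values before changing the threshold: a few external addresses generating most of the refused queries is a different situation from many clients sending a handful each.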
Jefferson_6
Frequent Advisor

Re: DNS daemon message?

Yes, I'm authoritative for some domains. My only concern is if these logs keep growing and eventually affect my servers. I've adjusted the activity event to 1500.
Mark Poeschl_2
Honored Contributor

Re: DNS daemon message?

EVM events may not appear in any logs and log entries such as you're seeing for your DNS server don't necessarily correlate to EVM events. The DNS issue discussed in previous replies may well be your issue, but to be sure you need to check EVM itself. To go "straight to the horse's mouth" for EVM activity:

# evmget -f "[Time 2005:9:21:*:9-10:*:*]" | evmsort | evmshow -D > myfile.out

This command string will gather up all the EVM events occurring between 0900 and 1000 on Sept 21st and put the ASCII description of them into 'myfile.out'.

I have noticed that 'cron' in particular became much more "chatty" in producing EVM events since 5.1A PK5 and later. I haven't found a way to throttle that chattiness back and find that we get that 'event_activity' event a few times a day.
Joseph P. Smith
Regular Advisor

Re: DNS daemon message?

You may be experiencing symptoms of malware/virus attack. See:

http://de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=WORM_RBOT.ZAD

Joe S.