Error unexpected rcode refused

Hello! I recently decided to set up a caching DNS server. As far as the procedure itself goes, I had no particular questions, and at first glance everything worked. But there is one problem: within literally a few minutes the logs grow to an enormous size. The entries in them look like this:

error (unexpected RCODE SERVFAIL) resolving '211.70.191.186.IN-ADDR.ARPA/PTR/IN': 170.51.242.18#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '55.186.136.89.in-addr.arpa/PTR/IN': 194.102.255.3#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving 'www.realfit.ru/A/IN': 83.170.91.205#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 66.198.145.99#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 91.210.6.228#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 193.50.53.3#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 66.198.145.99#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE REFUSED) resolving '200.169.147.120.in-addr.arpa/PTR/IN': 144.135.133.76#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/TXT/IN': 64.207.128.246#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN': 91.142.81.238#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE SERVFAIL) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 193.50.53.3#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN': 91.142.84.206#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 206.82.130.196#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '4.107.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (unexpected RCODE REFUSED) resolving '55.186.136.89.in-addr.arpa/PTR/IN': 194.102.255.3#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 94.75.223.25#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE SERVFAIL) resolving '90.53.188.91.in-addr.arpa/PTR/IN': 81.198.180.1#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving '76.96.53.92.in-addr.arpa/PTR/IN': 92.53.98.100#53
error (unexpected RCODE REFUSED) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 206.82.130.196#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 85.17.79.33#53
error (unexpected RCODE REFUSED) resolving '76.96.53.92.in-addr.arpa/PTR/IN': 92.53.116.200#53
error (unexpected RCODE REFUSED) resolving 'www.7dvd.ru/A/IN': 89.108.104.3#53
error (unexpected RCODE SERVFAIL) resolving 'www.7dvd.ru/A/IN': 89.108.64.2#53
error (unexpected RCODE REFUSED) resolving '247.237.38.89.IN-ADDR.ARPA/PTR/IN': 82.79.33.10#53
error (unexpected RCODE SERVFAIL) resolving '90.53.188.91.in-addr.arpa/PTR/IN': 81.198.180.1#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/A/IN': 70.32.65.137#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN': 91.142.84.206#53
error (FORMERR) resolving 'a296759604eedd6537600849db0595f0f7e9f2537b67cbb4.gcdn.biz/AAAA/IN': 188.40.44.206#53
error (unexpected RCODE REFUSED) resolving '13.145.245.121.IN-ADDR.ARPA/PTR/IN': 202.54.15.30#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '94.141.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '94.141.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/TXT/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (unexpected RCODE SERVFAIL) resolving 'www.pink-pelikan.ru/A/IN': 91.142.81.238#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/TXT/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/MX/IN': 158.43.129.77#53
error (unexpected RCODE REFUSED) resolving '39.141.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '39.141.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '140.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving 'medsys.co.uk/A/IN': 158.43.193.77#53
error (unexpected RCODE REFUSED) resolving '26.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (unexpected RCODE SERVFAIL) resolving '32server.bpiconnect.com/A/IN': 217.160.81.164#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 91.210.6.228#53
error (unexpected RCODE REFUSED) resolving 'topya.ru/A/IN': 77.120.107.131#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/A/IN': 64.207.128.246#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.1#53
error (unexpected RCODE SERVFAIL) resolving '32server.bpiconnect.com/A/IN': 217.160.80.164#53
error (unexpected RCODE REFUSED) resolving 'topya.ru/A/IN': 77.120.107.132#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '32.100.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '224.140.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '32.100.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '167.102.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '56.143.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE SERVFAIL) resolving 'highschoolemail.com/MX/IN': 70.32.65.137#53
error (unexpected RCODE REFUSED) resolving '21.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving '19.212.120.193.in-addr.arpa/PTR/IN': 192.111.39.4#53
error (unexpected RCODE REFUSED) resolving '125.64-127.111.23.163.in-addr.arpa/PTR/IN': 163.23.111.65#53
error (unexpected RCODE SERVFAIL) resolving '211.70.191.186.IN-ADDR.ARPA/PTR/IN': 170.51.242.18#53

And this is only a small piece of the log. I had to stop named so that it wouldn't fill the whole hard drive with its logs…
Here is the config:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;
        192.168.199.2; };
// listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost;
        192.168.0.0/16; };
// forwarders { 212.49.118.2;
// 212.49.103.2; };
        forwarders { 212.49.103.2;
        212.49.118.2; };
        recursion yes;

// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "_msdcs.egarant.local" {
 type slave;
 file "_msdcs.egarant.local";
 masters { 192.168.199.202;
 192.168.199.199; };
 };

zone "egarant.local" {
 type slave;
 file "egarant.local";
 masters { 192.168.199.202;
 192.168.199.199; };
 };

zone "_msdcs.egarant1.local" {
 type slave;
 file "_msdcs.egarant1.local";
 masters { 192.168.1.200;
 192.168.1.201; };
 };

zone "egarant1.local" {
 type slave;
 file "egarant1.local";
 masters { 192.168.1.200;
 192.168.1.201; };
 };

include "/etc/named.rfc1912.zones";

I also added the following line to /etc/sysconfig/named:
OPTIONS="-4"
This is so that it caches only IPv4 addresses and lets IPv6 pass by.
A friend of mine wrote the following about this:

An interesting situation…
If you look at an error like:
error (unexpected RCODE REFUSED) resolving '55.186.136.89.in-addr.arpa/PTR/IN': 194.102.255.3#53
it says that your server cannot get an answer to its query from the server 194.102.255.3. If you try asking that server by hand, it really doesn't answer anything. So, strictly speaking, there is nothing criminal about this…
I have such errors in my logs too, but their number does not exceed 10-20 per day.
It seems to me the problem should be looked for not in named, but in why it is poking around who knows where and asking who knows what… And note that a great many of the queries are for reverse zones…
Maybe you have some kind of infection living there that gets into everything, and named has simply exposed it?
Try to catch who is sending all these queries…

Hence my question: how, and with what, can I try to track down this "infection"? The thing is that the server where named is installed is not yet being used by anyone as a DNS server, i.e. the workstations are not sending DNS queries to it yet. Is something on the server itself really trying to reach out somewhere?
Please help me understand the cause.

As specified in RFC 1035, 4.1.1, these RCODEs are:

Response code — this 4 bit field is set as part of responses. The
values have the following interpretation:

2 Server failure — The name server was unable to process this query
due to a problem with the name server.

This might be a communication error. This is exactly why we have multiple DNS servers, if one is temporarily unavailable. If this is permanent, check network connectivity including firewalls, first. It might also be a configuration error. See your logs for further investigation.

5 Refused — The name server refuses to perform the specified
operation for policy reasons. For example, a name server may not wish
to provide the information to the particular requester, or a name
server may not wish to perform a particular operation (e.g., zone
transfer) for particular data.

This is most likely an access configuration problem: for some reason you are not allowed to perform the query. In BIND, see options like allow-query or in recursive servers allow-recursion.


A common denominator here is most likely an SMTP server performing DNS based measurements against spam:

  • PTR queries for HELO mismatch checks etc.
  • *.dnsbl.sorbs.net. IN queries to check against SORBS Listings. SORBS may refuse queries if there are too many in too short period. Using aggregate zones instead of many separate might help; see Using SORBS.

These entries were parsed from the syslog file on your recursive name server. If there’s no error now (confirmed by e.g. dig 133.61.208.88.dul.dnsbl.sorbs.net @127.0.0.1), it has probably been temporary. The amount of occasions from 1 to 4 times for each also suggests the same.

It’s also possible that the problem was solved immediately by simply moving to the next authoritative name server: there should always be at least two, in case one fails. Because by default only the errors get logged, there wouldn’t appear a log line telling you this. You could configure your BIND for more verbose logging, but it’s recommended to separate the files per category, as some of the categories are really excessive.

The two categories you would be interested now are resolver and queries (see BIND9 logging). Here’s my sample BIND9 configuration for logging them under /var/log/named/:

logging {
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
    };
    category resolver { resolver_file; };
    category queries { queries_file; };
};
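
Following the answer's suggestion to log the resolver and queries categories, this added example (not code from the original posts) joins the two logs to show which client asked for the names whose upstream lookups failed. The error lines are copied from the excerpts on this page; the query-log lines, their layout and the client addresses are constructed assumptions, since the queries format varies between BIND versions.

```python
import re
from collections import Counter, defaultdict

# Resolver errors, in the two layouts that appear in the logs on this page.
ERR_RE = re.compile(
    r"(?:RCODE \(?|error \()(?P<rcode>[A-Z]+)\)+ resolving "
    r"'(?P<name>[^'/]+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[\d.]+)#\d+")
# ASSUMPTION: layout of "queries" category lines; it varies between BIND versions.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+.*?"
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)")

def norm(name):
    return name.rstrip(".").lower()  # logs mix in-addr.arpa and IN-ADDR.ARPA

def failed_lookups(error_lines):
    """Map (name, qtype) -> Counter of RCODEs returned by upstream servers."""
    failed = defaultdict(Counter)
    for m in filter(None, map(ERR_RE.search, error_lines)):
        failed[(norm(m["name"]), m["qtype"])][m["rcode"]] += 1
    return failed

def attribute(query_lines, error_lines):
    """Rank clients by how many of their queries hit a failing lookup."""
    failed = failed_lookups(error_lines)
    clients = defaultdict(lambda: {"queries": 0, "failing": 0, "ptr": 0})
    matched = set()
    for m in filter(None, map(QUERY_RE.search, query_lines)):
        key = (norm(m["name"]), m["qtype"])
        stats = clients[m["client"]]
        stats["queries"] += 1
        stats["ptr"] += m["qtype"] == "PTR"
        if key in failed:
            stats["failing"] += 1
            matched.add(key)
    ranked = sorted(clients.items(), key=lambda kv: -kv[1]["failing"])
    # Failing names that no logged client asked for (outside the query-log window).
    unattributed = sorted(n for n, t in failed if (n, t) not in matched)
    return ranked, unattributed

# Error lines copied from this page; query lines are CONSTRUCTED sample data.
ERRORS = """\
error (unexpected RCODE REFUSED) resolving '219.247.28.196.IN-ADDR.ARPA/PTR/IN': 206.82.130.196#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.32.2#53
error (unexpected RCODE REFUSED) resolving '133.138.151.90.in-addr.arpa/PTR/IN': 195.38.33.2#53
error (unexpected RCODE REFUSED) resolving 'www.newultra.ru/A/IN': 193.104.149.65#53
error (FORMERR) resolving 'u8lafv05630edji3ui4m2muoms.gcdn.biz/AAAA/IN': 94.75.223.25#53
unexpected RCODE (REFUSED) resolving 'www.karlag.kz/A/IN': 212.154.192.10#53
""".splitlines()
QUERIES = """\
01-Jan-2024 00:00:01.000 info: client 127.0.0.1#40112: query: 219.247.28.196.in-addr.arpa IN PTR + (127.0.0.1)
01-Jan-2024 00:00:01.040 info: client 127.0.0.1#40113: query: 133.138.151.90.in-addr.arpa IN PTR + (127.0.0.1)
01-Jan-2024 00:00:01.300 info: client 192.168.199.17#51020: query: www.newultra.ru IN A + (192.168.199.2)
01-Jan-2024 00:00:01.500 info: client 192.168.199.17#51021: query: example.org IN A + (192.168.199.2)
""".splitlines()

if __name__ == "__main__":
    print(*attribute(QUERIES, ERRORS), sep="\n")
```

A client address of 127.0.0.1 at the top of the ranking points at a process on the resolver host itself, such as a local mail server doing PTR checks.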

While looking through the system message log, I came across suspicious messages like these:

Apr 18 23:07:18 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.karlag.kz/A/IN': 212.154.192.10#53
Apr 18 23:07:18 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.karlag.kz/A/IN': 212.154.192.8#53
Apr 18 23:07:19 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.permski.ru/A/IN': 217.112.42.15#53
Apr 18 23:07:19 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.permski.ru/A/IN': 217.112.35.2#53
Apr 18 23:07:19 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.permski.ru/A/IN': 217.112.37.11#53
Apr 18 23:07:20 comp-Intel-CPU-e427ee named[6009]: unexpected RCODE (REFUSED) resolving 'www.karlag.kz/A/IN': 212.154.192.8#53

Apr 18 23:07:41 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.memos-software.ru' (in 'memos-software.ru'?): 194.226.96.8#53
Apr 18 23:07:42 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.memos-software.ru' (in 'memos-software.ru'?): 194.85.61.20#53
Apr 18 23:07:42 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.formes.ru' (in 'formes.ru'?): 217.16.20.30#53
Apr 18 23:07:42 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.memos-software.ru' (in 'memos-software.ru'?): 193.232.130.14#53
Apr 18 23:07:42 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.formes.ru' (in 'formes.ru'?): 217.16.16.30#53
Apr 18 23:07:42 comp-Intel-CPU-e427ee named[6009]: lame server resolving 'www.formes.ru' (in 'formes.ru'?): 217.16.22.30#53

What do they mean? Could this be a break-in attempt or something like that?


No, these are problems with resolving the address of a particular site in DNS.


Interestingly, I don't think I ever visited these addresses. Strange. I pulled these addresses out of the system registry and tried pasting them into the browser's address bar; it can't find them.


These are not your problems; they are problems with DNS at a higher level.


It's suspicious: why are they in my system messages when I never visited these addresses? And now they keep repeating, with several messages appearing per second.


Because you have a local DNS server running.

>>>Here ("DNS & BIND", p. 214): "lame-servers: detection of incorrect delegation". And www.ranker.ru has
>>>been seriously p…….g me off too.
>>
>>
>>What book is that?
>So what do I do about it? Just ignore it? All the logs are full of crap!

Set it in the options that messages of this type should not be logged.


Thanks, now it's more or less clear.

