From owner-freebsd-questions Sun May 21 20: 1:51 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from ns1.tetronsoftware.com (ns1.tetronsoftware.com [64.217.1.41]) by hub.freebsd.org (Postfix) with ESMTP id 0053A37B54B for ; Sun, 21 May 2000 20:01:43 -0700 (PDT) (envelope-from zeus@tetronsoftware.com)
Received: from ns1.tetronsoftware.com (ns1.tetronsoftware.com [64.217.1.41]) by ns1.tetronsoftware.com (8.9.3/8.9.3) with ESMTP id WAA09830 for ; Sun, 21 May 2000 22:01:38 -0500 (CDT) (envelope-from zeus@tetronsoftware.com)
Date: Sun, 21 May 2000 22:01:30 -0500 (CDT)
From: Gene Harris
To: freebsd-questions@freebsd.org
Subject: Named NOTIFY strangeness
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am noticing some strangeness whenever I start or restart my named daemon: /usr/sbin/named -u bind -g bind. I am running 3.4-stable updated Friday, cvsup'ed Friday, May 20th. Bind is 8.2.2-P5. The messages log file shows the following:

[normal stuff snipped]
May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "blahblah.com IN SOA" (blahblah.com); 1 NS, 1 A
May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0
May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)
May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0
May 21 16:02:07 ns1 natd[288]: failed to write packet back (Permission denied)

The notification should be sent to my slave name server at xx.yy.zz.11, but instead is attempting to notify 115.119.98.99. Fortunately, my firewall rules don't like this connection and reject it.

My question is, what the heck is going on? I just rebuilt world this weekend (normal cycle for me), and named appears to be correct (not substituted by a root kit version.)
I have been reading about poisoned caches, etc., but "ndc restart" does not appear to be clearing my cache. Prior to Friday morning, May 19, 2000 about 04:00 hours CDT, everything was normal.

Can someone point me in the right direction? I assume my DNS cache has been corrupted, because my little site was hit by some sort of DNS attack about 10 minutes before the time given above.

Many Thanks!

Gene Harris
Tetron Software, LLC
http://www.tetronsoftware.com
FreeBSD Apache PostgreSQL Oracle 8/8i Windows 95/98/NT Visual C Visual Basic
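
Added example (not part of the original message, and not code from the poster or from BIND): a small log triage script that correlates the "Sent NOTIFY" entries with the ipfw denials quoted above and flags denied outbound UDP/53 packets to hosts that are not known slave servers. The address 192.0.2.11 is an assumed stand-in for the redacted xx.yy.zz.11, and the printable-ASCII check on the address bytes is an added triage hint, not a diagnosis.

```python
import re

# Log lines as quoted in the message (source address was already redacted there).
SAMPLE_LOG = """\
May 21 16:01:49 ns1 named[8926]: Sent NOTIFY for "blahblah.com IN SOA" (blahblah.com); 1 NS, 1 A
May 21 16:02:03 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0
May 21 16:02:03 ns1 natd[288]: failed to write packet back (Permission denied)
May 21 16:02:07 ns1 /kernel: ipfw: 120 Deny UDP aa.bb.cc.dd:2369 115.119.98.99:53 out via xl0
"""

# Assumption: stand-in for the real slave server (the message redacts it as xx.yy.zz.11).
EXPECTED_SLAVES = {"192.0.2.11"}

NOTIFY_RE = re.compile(r'named\[\d+\]: Sent NOTIFY for "(\S+) IN SOA"')
DENY_RE = re.compile(
    r"ipfw: (\d+) Deny UDP (\S+):(\d+) (\d+\.\d+\.\d+\.\d+):53 out via (\S+)")


def octets_as_text(ip):
    """Return the four address bytes as ASCII if all are printable, else None.

    An "address" that reads as text can hint that the value was filled from
    string data rather than from a real A record.
    """
    octets = [int(o) for o in ip.split(".")]
    if all(0x20 <= o <= 0x7E for o in octets):
        return "".join(chr(o) for o in octets)
    return None


def unexpected_dns_targets(log_text, expected):
    """Summarise denied outbound UDP/53 packets to hosts outside `expected`."""
    zones, hits = [], {}
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            zones.append(m.group(1))  # zones NOTIFY was sent for so far
            continue
        m = DENY_RE.search(line)
        if m and m.group(4) not in expected:
            dst = m.group(4)
            entry = hits.setdefault(dst, {
                "count": 0, "rule": m.group(1),
                "ascii": octets_as_text(dst),
                "zones_notified_before": list(zones)})
            entry["count"] += 1
    return hits


if __name__ == "__main__":
    for dst, info in unexpected_dns_targets(SAMPLE_LOG, EXPECTED_SLAVES).items():
        print(dst, info)
```
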