Date: Sun, 14 Oct 2001 00:25:00 -0700
From: "Crist J. Clark"
To: Kory Hamzeh
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Repeating message from bind

On Sat, Oct 13, 2001 at 08:14:18PM -0700, Kory Hamzeh wrote:
>
> When I upgraded one of our servers from FBSD 2.2.2 to RELEASE-4.3, I get the
> following message from bind every 10 to 20 seconds with the source port
> increasing:
>
> Oct 11 22:18:49 ns1 named[205]: denied update from [24.2.30.138].13046 for
> "avatar.com"
>
> "avatar.com" is our domain. 24.2.30.138 seems to be a part of the home.com
> domain, but they are not my ISP. The interesting thing is that one of my
> secondaries is a part of home.com, but he doesn't have any problems doing
> zone transfers.
>
> What does this message mean and how do I go about dealing with this? It is
> filling up the log files. I'm running named 8.2.3-REL.

IIRC, this sounds like some fun new behavior from our friends in Redmond and their Windows 2000 product.

As for stopping it, there is not a whole lot you can do to actually stop the remote machine from doing this. I see three obvious possibilities. You can allow the updates, but since you don't seem to know who this is, you probably do not want to do that. You can firewall that machine and port, but you need to put a firewall machine in between or enable firewalling on the DNS machine. Or you can fiddle with syslog.conf(5).

Personally, I would try to find out who this 24.2.30.138 is (it might be someone who has configured their machine to think it belongs in avatar.com for some legit or semi-legit reason and just needs help properly configuring their machine), and just live with the annoying logs (fgrep -v 'denied update from [24.2.30.138]' /var/log/named.log).
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
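
An added example, not part of the original message: shell functions that tally the "denied update" lines by source address and zone, which helps with working out who is sending them, and that drop one source's lines from the log the way the fgrep command in the reply does. The function names are hypothetical and the sample log is constructed (its first line is the one quoted in the thread; 192.0.2.10 is a documentation address).

```shell
#!/bin/sh
# Added example: triage BIND 8 "denied update" syslog lines.

# Print "count source zone" per source/zone pair, busiest first.
# Reads named syslog lines on stdin.
summarize_denied_updates() {
    awk '
    /named\[[0-9]+\]: denied update from \[/ {
        # Source address sits between "[" and "]." after "from ".
        src = $0
        sub(/^.*denied update from \[/, "", src)
        sub(/\]\..*$/, "", src)
        # Zone is the quoted name after " for ".
        zone = $0
        sub(/^.* for "/, "", zone)
        sub(/".*$/, "", zone)
        count[src " " zone]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Drop denied-update lines from one source ($1), keep everything else.
# Fixed-string match, so the brackets and dots are taken literally.
filter_denied_updates() {
    grep -F -v "denied update from [$1]"
}

# Constructed sample input (assumption: one syslog entry per line).
SAMPLE_LOG='Oct 11 22:18:49 ns1 named[205]: denied update from [24.2.30.138].13046 for "avatar.com"
Oct 11 22:19:04 ns1 named[205]: denied update from [24.2.30.138].13047 for "avatar.com"
Oct 11 22:19:10 ns1 named[205]: denied update from [192.0.2.10].1029 for "avatar.com"
Oct 11 22:19:21 ns1 named[205]: denied update from [24.2.30.138].13048 for "avatar.com"
Oct 11 22:19:30 ns1 named[205]: (constructed unrelated log line)'

# Stand-alone run: show the tally, then the log without the noisy source.
printf '%s\n' "$SAMPLE_LOG" | summarize_denied_updates
printf '%s\n' "$SAMPLE_LOG" | filter_denied_updates 24.2.30.138
```

On a live server the same functions read the real file, for example `summarize_denied_updates < /var/log/named.log`.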