Crimson Rider Guru


Joined: 23 Jun 2003 Posts: 462 Location: Delft, the Netherlands
Posted: Sun Feb 03, 2008 11:54 am Post subject: Lots of UDP traffic, where does it come from?
For some reason my Gentoo server started to deal in UDP name server traffic more and more and more, and I can't trace the reason why it's doing that.
I am DNS host for three specific, low usage domains, but for some reason I get requests constantly for resolving stuff.
Here is a log snippet:
Code:
UDP (72 bytes) from 192.168.1.10:49473 to 192.168.1.254:53 on eth0
UDP (72 bytes) from 192.168.1.10:49474 to 192.168.1.254:53 on eth0
UDP (112 bytes) from 192.168.1.254:53 to 192.168.1.10:49474 on eth0
UDP (129 bytes) from 58.152.167.123:61397 to 192.168.1.10:8456 on eth0
ICMP dest unrch (port) (157 bytes) from 192.168.1.10 to 58.152.167.123 on eth0
UDP (73 bytes) from 192.168.1.10:49474 to 192.168.1.254:53 on eth0
UDP (129 bytes) from 86.72.190.163:21775 to 192.168.1.10:8456 on eth0
ICMP dest unrch (port) (157 bytes) from 192.168.1.10 to 86.72.190.163 on eth0
UDP (72 bytes) from 192.168.1.10:49476 to 192.168.1.254:53 on eth0
UDP (120 bytes) from 192.168.1.254:53 to 192.168.1.10:49473 on eth0
UDP (90 bytes) from 81.152.215.50:53397 to 192.168.1.10:8456 on eth0
ICMP dest unrch (port) (118 bytes) from 192.168.1.10 to 81.152.215.50 on eth0
UDP (72 bytes) from 192.168.1.10:49477 to 192.168.1.254:53 on eth0
UDP (115 bytes) from 192.168.1.254:53 to 192.168.1.10:49476 on eth0
UDP (133 bytes) from 192.168.1.254:53 to 192.168.1.10:49477 on eth0
UDP (115 bytes) from 192.168.1.254:53 to 192.168.1.10:49474 on eth0
UDP (136 bytes) from 192.168.1.254:53 to 192.168.1.10:49472 on eth0
Is there any way to reconfigure named to only answer requests for the domains it's authoritative for?
_________________
Code, justify, code - Pitr Dubovich
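Added example (not part of the original post): a short Python tally of the posted log by traffic role relative to the server address 192.168.1.10, using a subset of the lines above. The category names and the `classify` and `summarize` helpers are this example's own.

```python
import re
from collections import Counter

SERVER = "192.168.1.10"  # the name server's address in the posted log

# Subset of the log lines from the post (UI border characters removed).
LOG = """\
UDP (72 bytes) from 192.168.1.10:49473 to 192.168.1.254:53 on eth0
UDP (112 bytes) from 192.168.1.254:53 to 192.168.1.10:49474 on eth0
UDP (129 bytes) from 58.152.167.123:61397 to 192.168.1.10:8456 on eth0
ICMP dest unrch (port) (157 bytes) from 192.168.1.10 to 58.152.167.123 on eth0
UDP (90 bytes) from 81.152.215.50:53397 to 192.168.1.10:8456 on eth0
ICMP dest unrch (port) (118 bytes) from 192.168.1.10 to 81.152.215.50 on eth0
"""

UDP_RE = re.compile(r"UDP \((\d+) bytes\) from ([\d.]+):(\d+) to ([\d.]+):(\d+)")
ICMP_RE = re.compile(r"ICMP dest unrch \(port\) .* from ([\d.]+) to ([\d.]+)")

def classify(line, server=SERVER):
    """Label one log line by its role as seen from the server."""
    m = UDP_RE.search(line)
    if m:
        _size, src, sport, dst, dport = m.groups()
        if dst == server and dport == "53":
            return "inbound DNS query to server"
        if src == server and dport == "53":
            return "outbound DNS lookup by server"
        if dst == server and sport == "53":
            return "DNS reply to server"
        if dst == server:
            return f"inbound UDP to port {dport}"
        return "other UDP"
    m = ICMP_RE.search(line)
    if m and m.group(1) == server:
        return "server rejected closed port"
    return "unparsed"

def summarize(text):
    """Count log lines per role."""
    return Counter(classify(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for role, n in summarize(LOG).most_common():
        print(f"{n:3d}  {role}")
```

On these lines the port 53 traffic is the server's own lookups to 192.168.1.254 and the replies to them, while the external packets go to UDP port 8456 and are answered with ICMP port unreachable; none of them is an inbound query to port 53.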
darkgentoo n00b

Joined: 03 Feb 2008 Posts: 2 Location: Germany
Posted: Sun Feb 03, 2008 12:12 pm
Please give some more information about your network. Your box uses private IP addresses, so it might either be NATed or itself the router.
1.) Should it really be reachable from the outside world?
2.) What's your named configuration?
Crimson Rider Guru


Joined: 23 Jun 2003 Posts: 462 Location: Delft, the Netherlands
Posted: Mon Feb 04, 2008 11:12 am
The box is supposed to be reachable; it's a legit name server. I just have the feeling it's being used by external clients for a lot of requests for which it is not the auth. provider.
The recursion option is new, I hope that that fixes it a bit.
The config is like this:
Code:
ruby ~ # cat /etc/bind/named.conf
acl internal { 192.168.40.0/24; 192.168.1.0/24; 127.0.0.1; 192.168.40.50; };
options {
    directory "/var/bind";
    // uncomment the following lines to turn on DNS forwarding,
    // and change the forwarind ip address(es) :
    //forward first;
    //forwarders {
    // 195.96.96.97
    // 195.96.96.30;
    //};
    listen-on-v6 { none; };
    listen-on { 192.168.40.10; };
    listen-on { 127.0.0.1; };
    listen-on { 192.168.1.10; };
    listen-on { ********* };
    //recursion no;
    allow-recursion { internal; };
    // to allow only specific hosts to use the DNS server:
    //allow-query {
    // 127.0.0.1;
    //};
    // if you have problems and are behind a firewall:
    //query-source address * port 53;
    pid-file "/var/run/named/named.pid";
};
_________________
Code, justify, code - Pitr Dubovich
andreas_st Tux's lil' helper

Joined: 26 Dec 2007 Posts: 112 Location: 48N 16E
Posted: Mon Feb 04, 2008 12:42 pm
If you want to know what's going on in your name server, configure the logging so that you can see the queries. I usually use the following in named.conf:
Code:
logging {
    channel my_default_channel {
        file "/var/log/named/default" versions 2 size 1M ;
        severity info; print-time yes; };
    category default { my_default_channel; };
    channel my_config_channel {
        file "/var/log/named/config" versions 2 size 1M ;
        severity info; print-time yes; };
    category config { my_config_channel; };
    channel my_general_channel {
        file "/var/log/named/general" versions 2 size 1M ;
        severity info; print-time yes; };
    category general { my_general_channel; };
    channel my_queries_channel {
        file "/var/log/named/queries" versions 8 size 1M ;
        severity info; print-time yes; };
    category queries { my_queries_channel; };
    // category queries { null; };
    channel my_lame-servers_channel {
        file "/var/log/named/lame-servers" versions 2 size 1M ;
        severity info; print-time yes; };
    // category lame-servers { my_lame-servers_channel; };
    category lame-servers { null; };
    channel my_client_channel {
        file "/var/log/named/client" versions 2 size 1M ;
        severity info; print-time yes; };
    category client { my_client_channel; };
    channel my_dnssec_channel {
        file "/var/log/named/dnssec" versions 2 size 1M ;
        severity info; print-time yes; };
    category dnssec { my_dnssec_channel; };
    channel my_network_channel {
        file "/var/log/named/network" versions 2 size 1M ;
        severity info; print-time yes; };
    category network { my_network_channel; };
    channel my_resolver_channel {
        file "/var/log/named/resolver" versions 2 size 1M ;
        severity info; print-time yes; };
    category resolver { my_resolver_channel; };
    channel my_xfer-in_channel {
        file "/var/log/named/xfer-in" versions 2 size 1M ;
        severity info; print-time yes; };
    category xfer-in { my_xfer-in_channel; };
    channel my_xfer-out_channel {
        file "/var/log/named/xfer-out" versions 2 size 1M ;
        severity info; print-time yes; };
    category xfer-out { my_xfer-out_channel; };
    channel my_database_channel {
        file "/var/log/named/database" versions 2 size 1M ;
        severity info; print-time yes; };
    category database { my_database_channel; };
    channel my_notify_channel {
        file "/var/log/named/notify" versions 2 size 1M ;
        severity info; print-time yes; };
    category notify { my_notify_channel; };
    channel my_security_channel {
        file "/var/log/named/security" versions 2 size 1M ;
        severity info; print-time yes; };
    category security { my_security_channel; };
    channel my_update_channel {
        file "/var/log/named/update" versions 2 size 1M ;
        severity info; print-time yes; };
    category update { my_update_channel; };
};
Don't forget to turn off query logging later.
_________________
Registered Linux user #62727
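Added example (not from the thread): once the `queries` channel above is writing to /var/log/named/queries, a script like this separates queries for the server's own zones from out-of-zone queries sent by clients outside the `internal` ACL posted earlier. The zone names, sample log lines and function names are constructed for illustration, and the assumed line layout is BIND 9's `client ADDR#PORT: query: NAME IN TYPE FLAGS`.

```python
import ipaddress
import re
from collections import Counter

# "internal" ACL as posted in named.conf earlier in the thread.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("192.168.40.0/24", "192.168.1.0/24", "127.0.0.1/32", "192.168.40.50/32")]
# Hypothetical zone names; substitute the zones the server is authoritative for.
ZONES = ("example.org", "example.net")

# Constructed sample of a "queries" channel file written with print-time yes.
SAMPLE = """\
04-Feb-2008 13:01:02.114 client 192.168.1.23#32771: query: www.example.com IN A +
04-Feb-2008 13:01:02.530 client 198.51.100.7#4242: query: www.example.org IN A -
04-Feb-2008 13:01:03.007 client 203.0.113.99#1027: query: some.other-domain.test IN A +
04-Feb-2008 13:01:03.412 client 203.0.113.99#1028: query: another.name.test IN MX +
04-Feb-2008 13:01:04.901 client 198.51.100.7#4243: query: example.net IN NS -
"""

# Tolerates extra fields that later BIND 9 releases put before ": query:".
QUERY_RE = re.compile(r"client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+.*?: query: (\S+) IN ")

def in_zone(qname, zones=ZONES):
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def classify(log_text):
    """Return (category counts, external clients asking for out-of-zone names)."""
    cats, offenders = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        if in_zone(qname):
            cats["authoritative"] += 1
        elif is_internal(client):
            cats["recursive, internal client"] += 1
        else:
            cats["out-of-zone, external client"] += 1
            offenders[client] += 1
    return cats, offenders

if __name__ == "__main__":
    cats, offenders = classify(SAMPLE)
    print(dict(cats), offenders.most_common(5))
```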