Security Basics: Re: Wierd named log..

[blade- <blade- () crytec net>]

I had this to and got help off the bind mailing list, here is the responce:

Just an addition: I've seen the same errors on our servers and I =
wondered where these request come from. Upon stracing 'named' I found =
out that it spits out these warnings when trying to look up anything =
from 'relays.monkeys.com', a now defunct DNS based black list.

Evidently they tried to blackhole all dnsbl queries to their db to make =
people stop using their defunct service:

------
# dig @66.60.159.24 relays.monkeys.com NS              =20

relays.monkeys.com.     86400   IN      NS      =
bogus-maximus.monkeys.com.

;; ADDITIONAL SECTION:
bogus-maximus.monkeys.com. 86400 IN     A       244.254.254.254
------

They changed the NS record to this bogus IP recently, that's why people =
start seeing these errors.

Of cource, as Mark pointed out, the right solutions is to filter =
240.0.0.0/4 entirely. If you cannot filter for some reason then you =
still could add "relays.monkeys.com" as a primary zone with no data =
(except SOA + NS) in it and your problems are gone 


John Pennington wrote:

> In-Reply-To: <00c301c3f1b4$3239ec50$0201000a () wlsn002>
>
>
>  
>
> > I just noticed today a strange msg that keeps showing up in my log files,
> > that only started today, but is constantly happening.. any info you could
> > give me would be greatly apreciated :)
> >
> > Here is the snip from the log..
> >
> > Feb 12 14:51:51 ns1 named[3496]: socket.c:1100: unexpected error:
> > Feb 12 14:51:51 ns1 named[3496]: internal_send: 244.254.254.254#53: Invalid
> > argument
> > Feb 12 14:51:52 ns1 named[3496]: socket.c:1100: unexpected error:
> > Feb 12 14:51:52 ns1 named[3496]: internal_send: 244.254.254.254#53: Invalid
> > argument
> > Feb 12 14:51:52 ns1 named[3496]: socket.c:1100: unexpected error:
> > Feb 12 14:51:52 ns1 named[3496]: internal_send: 244.254.254.254#53: Invalid
> > argument
> >
> > ~Chris~
> >    
> Upon checking our servers, I find all our four servers are recording this error too, only in the last few days
>
> --
> JP
>
> ---------------------------------------------------------------------------
> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>
> Protect your network with the comprehensive security solution that
> integrates six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at:
> http://www.astaro.com/php/contact/securityfocus.php
> ----------------------------------------------------------------------------
>
>  
---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------