Problem with DNS (UDP) queries
Jez Hancock
jez.hancock at munk.nu
Fri Jan 9 15:08:04 PST 2004
On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd at tern.ru wrote:
> Yes, I had thought about what you wrote.
> Because of this I mentioned that 'I do not want to turn off the "log
> in vain" feature.'
In that case I imagine you'd need to hack the kernel source code to make
it not log vain udp port 53 requests. I'm fairly sure it's an 'all or
nothing' sysctl mib/flag.
Why do you want to log those vain connection attempts using
'log_in_vain' though? It would be a lot more suitable to use the
logging feature in ipfw2 and disable the log_in_vain feature completely.
Just my opinion though :P
> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd at tern.ru wrote:
> >> Hi all
> >>
> >> I am trying to get rid of strings:
> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> >> on my console and in log file
> >>
> >> I understand that those are replies on DNS queries that for some reason
> >> took too long time to be answered.
> >> I do not want to turn off the "log in vain" feature.
> >>
> >> As these strings fill up my log I am afraid to miss some sensitive
> >> messages (e.g. hacker's attack :)
> >>
> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> >> DNS queries and DNS replies.
> >>
> >> The main application that generates queries is sendmail.
> >>
> >> What can be done?
> JH> I believe those messages are generated if the following sysctl flag is
> JH> set:
>
> JH> net.inet.udp.log_in_vain
>
> JH> you can disable it by executing:
>
> JH> sysctl net.inet.udp.log_in_vain=0
>
> JH> on the commandline.
>
> JH> Obviously though this will disable logging of all vain connection attempts using
> JH> the udp protocol. However if you have ipfw set up to log such attempts,
> JH> you don't really need that sysctl flag set anyway.
>
> JH> See also the tcp equivalant flag:
>
> JH> net.inet.tcp.log_in_vain
>
> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
> JH> setting.
>
> Alex.
>
>
--
Jez Hancock
- System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
More information about the freebsd-security
mailing list