Problem with DNS (UDP) queries

Jez Hancock jez.hancock at munk.nu
Fri Jan 9 15:08:04 PST 2004 

On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd at tern.ru wrote:
> Yes, I had thought about what you wrote.
> Because of this I mentioned that 'I do not want to turn off the "log
> in vain" feature.'
In that case I imagine you'd need to hack the kernel source code to make
it not log vain udp port 53 requests.  I'm fairly sure it's an 'all or
nothing' sysctl mib/flag.

Why do you want to log those vain connection attempts using
'log_in_vain' though? It would be a lot more suitable to use the
logging feature in ipfw2 and disable the log_in_vain feature completely.

Just my opinion though :P

> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd at tern.ru wrote:
> >> Hi all
> >> 
> >> I am trying to get rid of strings:
> >>  kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> >> on my console and in log file
> >> 
> >> I understand that those are replies on DNS queries that for some reason
> >>  took too long time to be answered.
> >> I do not want to turn off the "log in vain" feature.
> >> 
> >> As these strings fill up my log I am afraid to miss some sensitive
> >> messages (e.g. hacker's attack :)
> >> 
> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both 
> >>                 DNS queries and DNS replies.
> >> 
> >> The main application that generates queries is sendmail.
> >> 
> >> What can be done?
> JH> I believe those messages are generated if the following sysctl flag is
> JH> set:
> 
> JH> net.inet.udp.log_in_vain
> 
> JH> you can disable it by executing:
> 
> JH> sysctl net.inet.udp.log_in_vain=0
> 
> JH> on the commandline.
> 
> JH> Obviously though this will disable logging of all vain connection attempts using
> JH> the udp protocol.  However if you have ipfw set up to log such attempts,
> JH> you don't really need that sysctl flag set anyway.
> 
> JH> See also the tcp equivalant flag:
> 
> JH> net.inet.tcp.log_in_vain
> 
> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
> JH> setting.
> 
> Alex.
>                             
> 

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/  - personal weblog
http://ipfwstats.sf.net/        - ipfw peruser traffic logging

More information about the freebsd-security mailing list