Problem with DNS (UDP) queries
freebsd at tern.ru
Mon Jan 12 00:08:59 PST 2004
Maybe you are right.
I'll try to set it up (switch to logging via ipfw) and see if there is
something that I do not like in this config. Don't know why, I feel
some discomfort while thinking about this solution.
JH> On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd at tern.ru wrote:
>> Yes, I had thought about what you wrote.
>> Because of this I mentioned that 'I do not want to turn off the "log
>> in vain" feature.'
JH> In that case I imagine you'd need to hack the kernel source code to make
JH> it not log vain udp port 53 requests. I'm fairly sure it's an 'all or
JH> nothing' sysctl mib/flag.
JH> Why do you want to log those vain connection attempts using
JH> 'log_in_vain' though? It would be a lot more suitable to use the
JH> logging feature in ipfw2 and disable the log_in_vain feature completely.
JH> Just my opinion though :P
>> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd at tern.ru wrote:
>> >> Hi all
>> >>
>> >> I am trying to get rid of strings:
>> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
>> >> on my console and in log file
>> >>
>> >> I understand that those are replies on DNS queries that for some reason
>> >> took too long to be answered.
>> >> I do not want to turn off the "log in vain" feature.
>> >>
>> >> As these strings fill up my log I am afraid to miss some sensitive
>> >> messages (e.g. hacker's attack :)
>> >>
>> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
>> >> DNS queries and DNS replies.
>> >>
>> >> The main application that generates queries is sendmail.
>> >>
>> >> What can be done?
>> JH> I believe those messages are generated if the following sysctl flag is
>> JH> set:
>>
>> JH> net.inet.udp.log_in_vain
>>
>> JH> you can disable it by executing:
>>
>> JH> sysctl net.inet.udp.log_in_vain=0
>>
>> JH> on the commandline.
>>
>> JH> Obviously though this will disable logging of all vain connection attempts using
>> JH> the udp protocol. However if you have ipfw set up to log such attempts,
>> JH> you don't really need that sysctl flag set anyway.
>>
>> JH> See also the tcp equivalent flag:
>>
>> JH> net.inet.tcp.log_in_vain
>>
>> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
>> JH> setting.
>>
>> Alex.
>>
>>
Alex.
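The thread leaves Alex with two choices: turn log_in_vain off and rely on ipfw logging, or keep log_in_vain and live with the late DNS replies burying other messages. A third option, not discussed in the thread, is to keep the sysctl on and triage the log afterwards: suppress only the messages that are verifiably late replies from this host's own resolvers, and let every other log_in_vain line through. The script below is an added example, not something posted in the thread or shipped with FreeBSD; the resolver addresses, the host name `mx` and the sample log lines are constructed. It matches the kernel message format quoted in the original mail (`Connection attempt to UDP dst:port from src:53`). The important check is that a line is dropped only when the source address is a configured resolver and the destination is an ephemeral port: anything can send from source port 53, so filtering on the port alone would hide exactly the probes log_in_vain exists to show.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Shape of the FreeBSD log_in_vain kernel message quoted in the thread (IPv4):
#   kernel: Connection attempt to UDP <dst>:<dport> from <src>:<sport>
# The TCP variant has the same shape, so both are parsed here.
LOG_IN_VAIN_RE = re.compile(
    r"kernel: Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)


@dataclass(frozen=True)
class VainAttempt:
    proto: str
    dst: str
    dport: int
    src: str
    sport: int
    raw: str


def parse_line(line: str) -> Optional[VainAttempt]:
    """Return the parsed log_in_vain record, or None for any other log line."""
    m = LOG_IN_VAIN_RE.search(line)
    if m is None:
        return None
    return VainAttempt(
        proto=m.group("proto"),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        src=m.group("src"),
        sport=int(m.group("sport")),
        raw=line,
    )


def is_late_dns_reply(a: VainAttempt, resolvers: Set[str]) -> bool:
    """True only for a UDP reply from one of *our* resolvers to an ephemeral port.

    Source port 53 by itself proves nothing (the sender chooses it), so the
    source address must be a resolver this host really queries, and the
    destination must be an ephemeral port a stub resolver would have used.
    The >= 1024 bound is a simplification of the ip.portrange sysctls.
    """
    return (
        a.proto == "UDP"
        and a.sport == 53
        and a.src in resolvers
        and a.dport >= 1024
    )


def triage(lines: Iterable[str], resolvers: Set[str]) -> Tuple[List[str], List[VainAttempt]]:
    """Split log lines into (lines worth reading, suppressed late DNS replies)."""
    keep: List[str] = []
    suppressed: List[VainAttempt] = []
    for line in lines:
        a = parse_line(line)
        if a is not None and is_late_dns_reply(a, resolvers):
            suppressed.append(a)
        else:
            # Other log_in_vain hits and unrelated lines pass through untouched.
            keep.append(line)
    return keep, suppressed


def summarize(suppressed: Iterable[VainAttempt]) -> Dict[str, int]:
    """Count suppressed replies per resolver, so a slow resolver is still visible."""
    counts: Dict[str, int] = {}
    for a in suppressed:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed sample: two late replies from our resolvers, one port-53 packet
# from an unknown host to a privileged port, one TCP probe, one unrelated line.
SAMPLE_LOG = """\
Jan  9 17:20:01 mx kernel: Connection attempt to UDP 192.0.2.10:3456 from 192.0.2.53:53
Jan  9 17:20:02 mx kernel: Connection attempt to UDP 192.0.2.10:3457 from 192.0.2.54:53
Jan  9 17:20:05 mx kernel: Connection attempt to UDP 192.0.2.10:111 from 198.51.100.7:53
Jan  9 17:20:07 mx kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:41000
Jan  9 17:20:09 mx sendmail[123]: some unrelated line
"""
RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # assumed: the resolvers in /etc/resolv.conf

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_LOG.splitlines(), RESOLVERS)
    for line in kept:
        print(line)
    print("suppressed late DNS replies per resolver:", summarize(dropped))
```

Run against the sample, the two replies from the configured resolvers are suppressed while the port-53 packet from an unknown host, the TCP attempt and the sendmail line all survive. The per-resolver summary is worth keeping in the output: a resolver that produces many late replies is itself a finding (a slow or unreachable name server), which a blanket suppression would hide as thoroughly as the original flood did.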