[67569] in North American Network Operators' Group


Re: Interesting BIND error

daemon@ATHENA.MIT.EDU (Vinny Abello)
Thu Feb 12 17:50:11 2004

Date: Thu, 12 Feb 2004 17:47:15 -0500
To: "Brian Bruns" <bruns@2mbit.com>
From: Vinny Abello <vinny@tellurian.com>
Cc: "Brian Wallingford" <brian@meganet.net>, nanog@merit.edu
In-Reply-To: <1821.172.145.135.129.1076625112.squirrel@172.145.135.129>
Errors-To: owner-nanog-outgoing@merit.edu


At 05:31 PM 2/12/2004, Brian Bruns wrote:


>On Thu, February 12, 2004 4:52 pm, Brian Wallingford said:
> >
> > We've been seeing the following on all of our (9.2.1) authoritative
> > nameservers since approximately 10am today.  Googling has turned up
> > nothing;  I'm currently trying to glean some useful netflow data.  Just
> > wondering if this is local, or if others have suddenly seen the same.
> >
> > Seems harmless enough, but the logging is eating a disproportionate amount
> > of cpu.
> >
> >
> > Feb 12 16:25:07 ns1 named[3150]: internal_send: 244.254.254.254#53:
> > Invalid argument
>
>
>It's possible that someone is spoofing UDP packets to your nameserver from
>that IP range (which is IANA reserved space).  It looks like BIND is
>refusing to send to that address, and thus the error.
>
>At least, IMHO.  So I could be wrong :)

Someone is likely using relays.monkeys.com on their mail server which is 
resolving against your DNS server. It is a now defunct blacklist. They 
changed all their records to resolve to 244.254.254.254 in order to get 
people's attention and get them to stop using the service. You should 
filter 240.0.0.0/4 on your BIND servers anyway. Alternatively, you can just 
create an authoritative zone for relays.monkeys.com on your servers and 
leave them blank except for required records like SOA and NS. There is a 
small discussion going on about this on the bind9-users list and this 
information is strictly pulled from there. You might want to check that 
list out or similar ones for more information.

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.
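
An added example, not part of the original message or the bind9-users discussion it mentions: a short Python script that tallies named's `internal_send` failures by destination and separates those inside 240.0.0.0/4, the range the message suggests filtering. The sample log is constructed around the single line quoted in the thread; the function name `summarize` and the other log lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# The range the message recommends filtering (IANA reserved space).
RESERVED = ipaddress.ip_network("240.0.0.0/4")

# Matches named's send-failure lines, e.g.
#   ... named[3150]: internal_send: 244.254.254.254#53: Invalid argument
LINE_RE = re.compile(
    r"named\[\d+\]: internal_send: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): (?P<err>.+)$"
)

# Constructed sample input: the 244.254.254.254 lines repeat the one quoted
# in the thread; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Feb 12 16:25:07 ns1 named[3150]: internal_send: 244.254.254.254#53: Invalid argument
Feb 12 16:25:07 ns1 named[3150]: internal_send: 244.254.254.254#53: Invalid argument
Feb 12 16:25:09 ns1 named[3150]: internal_send: 192.0.2.53#53: Network is unreachable
Feb 12 16:25:10 ns1 named[3150]: lame server resolving 'example.test'
Feb 12 16:26:01 ns1 named[3150]: internal_send: 244.254.254.254#53: Invalid argument
"""


def summarize(log_text):
    """Count internal_send failures per (destination, error), split by
    whether the destination lies inside 240.0.0.0/4."""
    reserved, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a send-failure line
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # octet out of range: skip the malformed entry
        bucket = reserved if addr in RESERVED else other
        bucket[(str(addr), m.group("err"))] += 1
    return reserved, other


if __name__ == "__main__":
    reserved, other = summarize(SAMPLE_LOG)
    for (ip, err), n in reserved.most_common():
        print(f"{n:6d}  {ip}  {err}  [in 240.0.0.0/4]")
    for (ip, err), n in other.most_common():
        print(f"{n:6d}  {ip}  {err}")
```

If every failing destination falls in the reserved bucket, the log volume is consistent with the explanation given in the message rather than with a wider connectivity problem.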


