
What is the cause, and how can I stop this request on example.com from my IP (xxx.xxx.xxx.xxx) being continually repeated in /var/log/syslog?

Apr 14 20:37:10 example.com named[1663]: client xxx.xxx.xxx.xxx#35295: query (cache) 'google.com/TXT/IN' denied

The server is a simple mail relay with postfix on Debian and I cannot find related actions in any logs, so fear it is an intrusion attempt.

aseq
Ole Juul
  • Thanks Jenny. I am indeed not working in a business environment, but didn't see any server related expertise in Super User or Stack Overflow. To me there is no particular difference in running servers for money and running them for free, but if you think it is better that I use those other boards for postfix minutiae then I gladly will. Can you move this topic there? – Ole Juul Apr 15 '15 at 10:06

2 Answers

named is the process name used by the Bind DNS server which can be configured to operate as either authoritative DNS server, recursive resolver, both, or even just a cache between client and recursive resolver.

The log message indicates that named has received a DNS query from the specified IP address and that named has refused to answer it. A response will be sent to the client indicating that the query was refused by your server.

The log line in your question is indication of a client looking for open resolvers. If you are running an authoritative only DNS server, those log lines are normal and harmless.

If all you want to run is a mail server and you don't need a DNS server on this host, then you should disable named.

kasperd
  • The DNS query is from this same server and the queries are constant and uncorrelated with events known to me. The purpose of the server is simply to forward my mail using postfix. No database. It looks like the bind service is intricately connected to postfix because the syslog file now has none of the earlier lines (as expected), but more importantly contains completely different information that was not being logged before. How bind and postfix are connected in this case, I still don't know. – Ole Juul Apr 15 '15 at 08:26
  • @OleJuul I had misread postfix as postgres. I have changed one word in my answer. And those DNS queries don't have to be correlated with anything. It is just background noise. Everybody receives such queries but most people just don't notice because they have nothing listening on that port. – kasperd Apr 15 '15 at 08:53
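As an added example (not code from the thread or from BIND), the following Python script parses "query ... denied" lines of the shape shown in the question and summarizes them the way the answer above suggests reading them: refused queries from outside addresses are open-resolver background noise, while refused queries from the host's own address point at a local service (here postfix) that is using this named as its resolver. The sample syslog lines and the `own_addresses` parameter are constructed for the example.

```python
import re
from collections import Counter

# Regex for the BIND "client A.B.C.D#port: query (cache) 'name/type/class' denied"
# syslog line shape shown in the question.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \((?P<kind>\w+)\) '(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)

# Constructed sample lines (not from the page): two external clients probing for
# an open resolver, one query from the host's own address, and one unrelated line.
SAMPLE_LOG = """\
Apr 14 20:37:10 example.com named[1663]: client 198.51.100.7#35295: query (cache) 'google.com/TXT/IN' denied
Apr 14 20:37:11 example.com named[1663]: client 198.51.100.7#35296: query (cache) 'google.com/ANY/IN' denied
Apr 14 20:37:12 example.com named[1663]: client 203.0.113.9#53000: query (cache) 'example.net/ANY/IN' denied
Apr 14 20:37:13 example.com named[1663]: client 192.0.2.10#41000: query (cache) 'google.com/TXT/IN' denied
Apr 14 20:37:14 example.com postfix/smtpd[2001]: connect from unknown[203.0.113.9]
"""


def parse_denied(lines):
    """Yield one dict per refused-query line; other syslog lines are skipped."""
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(log_text, own_addresses):
    """Count refused recursive queries per client and split the host's own
    traffic (a local service using this resolver) from external probes."""
    events = list(parse_denied(log_text.splitlines()))
    by_client = Counter(e["client"] for e in events)
    by_name = Counter((e["qname"], e["qtype"]) for e in events)
    external = {c: n for c, n in by_client.items() if c not in own_addresses}
    local = {c: n for c, n in by_client.items() if c in own_addresses}
    return {"total": len(events), "external": external, "local": local,
            "top_names": by_name.most_common(3)}


if __name__ == "__main__":
    # 192.0.2.10 stands in for the server's own address (hypothetical value).
    print(summarize(SAMPLE_LOG, own_addresses={"192.0.2.10"}))
```

A non-empty `local` entry is the case the asker describes: a process on the same host is asking named to recurse and being refused, so disabling named or pointing /etc/resolv.conf at a resolver that allows recursion for this host is the fix, not firewalling the client.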

Who?

named

The number between the brackets is the PID also (here 1663).

Why?

named wants to query something and is forbidden by Google. You certainly have something awry in your setup. It may help us a bit to see that setup (now that you know it is named...)

Alexis Wilke
  • I do see that this is from named (bind), but those configuration files are untouched from default installation (confirmed by date). My configuration is limited to /etc/postfix/main.cf. Before I waste space here, could you suggest which setup description of named I should post? – Ole Juul Apr 15 '15 at 02:32
  • Hmmm... Some of the features in postfix require converting IP addresses to their corresponding names. If that does not match the data in the email header, then postfix refuses the mail (I suppose that postfix also checks whether there is an MX entry, but I'm not positive about that one). So, postfix makes use of `named` for that. Now if you use the stock version with unchanged settings, we already know what you have in there so no need to post those. – Alexis Wilke Apr 15 '15 at 02:38
  • Actually, if you are not changing anything in named, you should try without it. Either completely uninstall (`apt-get remove bind`) since you did not change anything or at least turn it off (`service bind9 stop`) and see whether Postfix works as expected. You should not run servers that you do not use. Plus, like I at least tried to say, the default named is set up for your network, not Google's network. – Alexis Wilke Apr 15 '15 at 02:56
  • Your answers do get me a little closer. Since this is for a personal mail relay only, I've taken it a little at a time and as a learning experience. That means that I have not set up an MX entry or rDNS yet. It works as is, and I've only encountered being blocked from one small-time mail server - even Gmail accepts my mail. I installed this on a small VPS and currently cannot edit those items because of a problem with their VM control panel. Should I then assume that MX and rDNS is the source of the problem and leave things the way they are until I can set those up? – Ole Juul Apr 15 '15 at 03:01
  • OK. I stopped the service. It appears that bind is the only thing logged to /var/log/syslog. Here is what got added to that file: – Ole Juul Apr 15 '15 at 03:10
  • OK. I stopped the service. It appears that bind is the only thing logged to /var/log/syslog. Here is a part of what got added to that file. The board won't allow more: `Apr 14 23:05:53 mydomain named[1663]: no longer listening on ::#53 Apr 14 23:05:53 mydomain named[1663]: no longer listening on 127.0.0.1#53 Apr 14 23:05:53 mydomain named[1663]: no longer listening on 127.0.0.2#53 Apr 14 23:05:53 mydomain named[1663]: no longer listening on xxx.xxx.xxx.xxx#53 Apr 14 23:05:53 mydomain named[1663]: no longer listening on xxx.xxx.xxx.xxx#53` – Ole Juul Apr 15 '15 at 03:16
  • `named wants to query something and is forbidden by Google.` That's wrong. Someone wants to look up `google.com` and is forbidden by the `named` config. And if you need to run a DNS server and don't want an open resolver (and you shouldn't...), this is also pretty normal and not a problem. But don't run a DNS server if you don't really need it.... – Sven Apr 15 '15 at 07:34