[Logcheck-devel] Bug#443908: /etc/logcheck/ignore.d.server/bind: [bind] unexpected RCODE (NOTIMP)

Frédéric Brière fbriere at fbriere.net
Tue Sep 25 03:09:10 UTC 2007


On Mon, Sep 24, 2007 at 06:55:34PM -0400, Justin Pryzby wrote:
> Aren't some of these worth reporting?  eg. REFUSED and NOTAUTH are
> probably okay for a workstation.

But regardless of whether that would be better or not, you can't let
them through at workstation level without opening the floodgates at
server level, can you?

> The bind message says "Unexpected" so should these really be filtered?

Short answer: I would argue so.  (But see below.)

Long answer: These error messages indicate a misconfiguration of someone
else's server.  What typically happens is that a spammer sends his crap
to your SMTP server, you try to resolve the SMTP FROM domain, and you
either end up connecting to the spammer's crummy DNS server, or the
spammer merely wanted his domain to exist and is listing someone else's
DNS server as his NS.

To give you an idea, I manage a small server for 2-3 domains, and I get
about 50 REFUSED per day.  It must *suck* on a big server.

As someone else pointed out, if you're having trouble resolving a
hostname, you're much more likely to use host/dig than to look through
your syslog.  So these messages are pretty much useless.


You may argue, though, that the proper response is not to filter them
out with logcheck, but rather to turn off BIND's lame-servers logging.
(Which I just did, actually.  That's almost a third of my syslog right
there.)  I don't really have an opinion on that matter, though.


-- 
<maswan> Joy: Lets fork cat! :)
<maswan> Joy: imagine a big pitchfork and a dead kitten on top of
         it.. with blood running down..
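
An added example, not part of the original message and not the rule shipped in the logcheck package: two hypothetical egrep-style ignore patterns applied to constructed BIND log lines, showing what is still reported when every RCODE is filtered versus when REFUSED and NOTAUTH are let through. The log line layout, host name and addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed syslog lines (not from a real server); the addresses are
# documentation ranges and the message layout is assumed.
sample_log() {
cat <<'EOF'
Sep 24 18:01:02 ns1 named[2301]: unexpected RCODE (REFUSED) resolving 'example.com/A/IN': 192.0.2.53#53
Sep 24 18:01:09 ns1 named[2301]: unexpected RCODE (NOTIMP) resolving 'example.net/MX/IN': 198.51.100.7#53
Sep 24 18:02:30 ns1 named[2301]: unexpected RCODE (SERVFAIL) resolving 'example.org/A/IN': 203.0.113.9#53
Sep 24 18:03:11 ns1 named[2301]: unexpected RCODE (NOTAUTH) resolving 'example.com/MX/IN': 192.0.2.53#53
Sep 24 18:04:00 ns1 named[2301]: zone example.test/IN: loaded serial 2007092401
EOF
}

# Hypothetical patterns written in logcheck's egrep style.
PREFIX='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: unexpected RCODE'
TAIL="resolving '[^']+': [.:[:xdigit:]]+#[0-9]+\$"

# Filters every RCODE, whatever its name.
IGNORE_ALL="$PREFIX \\([[:upper:]]+\\) $TAIL"
# Filters only SERVFAIL and NOTIMP, so REFUSED and NOTAUTH are still reported.
IGNORE_SOME="$PREFIX \\((SERVFAIL|NOTIMP)\\) $TAIL"

# Print the lines that would still be reported after applying an ignore pattern.
reported() { sample_log | grep -Ev -- "$1"; }

# Count those lines.
reported_count() { reported "$1" | wc -l | tr -d ' '; }

echo "reported with IGNORE_ALL:  $(reported_count "$IGNORE_ALL")"
echo "reported with IGNORE_SOME: $(reported_count "$IGNORE_SOME")"
```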





