I've been playing with MessageWall on one of our systems, and I
noticed that we've been getting a lot of messages like:

  Connection attempt to UDP <our-ip>:<port-above-1024> from <ip-addr-in-resolv.conf>:53

in our logs. I have log_in_vain="YES" in my /etc/rc.conf, which sets:

   net.inet.tcp.log_in_vain: 1
   net.inet.udp.log_in_vain: 1

After a little work with tcpdump, these are queries of the black hole
lists (openrbl.org) that MessageWall does. For speed (and security?),
MessageWall uses the FireDNS library to do DNS queries. After a little
more digging, I found that I can reproduce these messages by using the
fdnsip command that comes with FireDNS.

Everything seems to work just fine, the queries work, and return what
you expect.

It seems that I can virtually eliminate these messages by removing all
but one host from my /etc/resolv.conf, not a solution that I'm keen
on.

Has anybody else noticed this, and is there a solution other than
"Ignore those log messages" or "Unset net.inet.udp.log_in_vain"? (Both
of these solutions /are/ fairly reasonable.)

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]