Hi all

I am trying to get rid of strings:
    kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
on my console and in log file

I understand that those are replies on DNS queries that for some reason
took too long time to be answered.
I do not want to turn off the "log in vain" feature.

As these strings fill up my log I am afraid to miss some sensitive
messages (e.g. hacker's attack :)

I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
DNS queries and DNS replies.

The main application that generates queries is sendmail.

What can be done?

I've found a lot of similar questions at Google but there was not a single
answer.

I'd be happy, for example, to increase the FreeBSD resolver timeout but I do
not want to change any source code.

Thank you for your attention.

Alex

--
www.tern.ru

On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
> Hi all
>
> I am trying to get rid of strings:
> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> on my console and in log file
>
> I understand that those are replies on DNS queries that for some reason
> took too long time to be answered.
> I do not want to turn off the "log in vain" feature.
>
> As these strings fill up my log I am afraid to miss some sensitive
> messages (e.g. hacker's attack :)
>
> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> DNS queries and DNS replies.
>
> The main application that generates queries is sendmail.
>
> What can be done?

I believe those messages are generated if the following sysctl flag is set:

    net.inet.udp.log_in_vain

You can disable it by executing:

    sysctl net.inet.udp.log_in_vain=0

on the command line. Obviously though this will disable logging of all vain
connection attempts using the udp protocol. However if you have ipfw set up
to log such attempts, you don't really need that sysctl flag set anyway.

See also the tcp equivalent flag:

    net.inet.tcp.log_in_vain

Also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
setting.

--
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
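
Added example, not part of either message in this thread: a review-time filter that leaves log_in_vain enabled but hides the "Connection attempt to UDP" lines whose source is a known resolver on port 53, so the remaining entries stand out. The function names, the resolver address and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# filter_vain RESOLVERS
#   Reads syslog lines on stdin and prints all of them except log_in_vain
#   UDP lines whose source is ADDRESS:53 with ADDRESS in RESOLVERS
#   (a space-separated list of trusted resolver addresses).
filter_vain() {
    awk -v resolvers="$1" '
    BEGIN {
        n = split(resolvers, list, " ")
        for (i = 1; i <= n; i++) trusted[list[i]] = 1
    }
    # Only the kernel message quoted in the thread is a candidate.
    /kernel: Connection attempt to UDP / {
        src = ""
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        addr = src; sub(/:[^:]*$/, "", addr)   # part before the last colon
        port = src; sub(/^.*:/, "", port)      # part after the last colon
        # Source port 53 alone proves nothing: anyone can send from it.
        # Suppress only when the address is one of our own resolvers.
        if (port == "53" && (addr in trusted)) next
    }
    { print }
    '
}

# Constructed sample log (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
Jan  9 17:30:01 mx kernel: Connection attempt to UDP 198.51.100.10:49152 from 192.0.2.53:53
Jan  9 17:30:02 mx kernel: Connection attempt to UDP 198.51.100.10:137 from 203.0.113.7:1026
Jan  9 17:30:03 mx kernel: Connection attempt to UDP 198.51.100.10:49153 from 203.0.113.9:53
Jan  9 17:30:04 mx kernel: Connection attempt to UDP 198.51.100.10:49154 from 192.0.2.53:53
EOF
}

# 192.0.2.53 stands in for the resolver listed in /etc/resolv.conf.
sample_log | filter_vain "192.0.2.53"
```

The third sample line stays visible even though it comes from port 53, because its source address is not a configured resolver.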