what does syslogd want with DNS?
CL (dnoyeB) Gilbert
      08-13-2005, 08:19 PM
I am running syslogd on my RHL9 box. I noticed in my firewall that it's
sending a load of data to 68.87.64.196:52 UDP. I thought that was
rather odd. I checked netstat and I get

udp 0 0 192.168.0.202:33987 ns.inflow.pa.bo.:domain ESTABLISHED
4841/syslogd

and also

unix 13 [] DGRAM 4276 4841/syslogd /dev/log



Well a little more digging and it seems 68.87.64.196 is my DNS server

I didn't know DNS was on UDP though, anyway.. What does syslogd want
with DNS? Is it trying to reverse lookup the name of the servers
dumping data into it? If so, any way to satisfy it, since these are
local computer addresses like 192.168.x.x?



--
Respectfully,


CL Gilbert

CL (dnoyeB) Gilbert
      08-13-2005, 08:41 PM
CL (dnoyeB) Gilbert wrote:
> I am running syslogd on my RHL9 box. I noticed in my firewall that it's
> sending a load of data to 68.87.64.196:52 UDP. I thought that was
> rather odd. I checked netstat and I get
>
> udp 0 0 192.168.0.202:33987 ns.inflow.pa.bo.:domain ESTABLISHED
> 4841/syslogd
>
> and also
>
> unix 13 [] DGRAM 4276 4841/syslogd /dev/log
>
>
>
> Well a little more digging and it seems 68.87.64.196 is my DNS server
>
> I didn't know DNS was on UDP though, anyway.. What does syslogd want
> with DNS? Is it trying to reverse lookup the name of the servers
> dumping data into it? If so, any way to satisfy it, since these are
> local computer addresses like 192.168.x.x?
>
>
>


Didn't take long to figure that one out. Yes, syslogd is doing reverse
DNS lookups of the IPs that are trying to log to it. I put an entry in
the /etc/hosts file and the DNS over the wire went away.

I wonder how many other apps are doing reverse DNS lookups on my local
IP addresses. I know ssh can take a while under certain setups. It's
probably doing it too.

--
Respectfully,


CL Gilbert
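The check the poster did by hand, as an added example that is not part of the thread: parse `netstat -nup`-style output to see which processes hold a socket to a DNS port, then compare the addresses that log to this box against /etc/hosts to find the ones that still cost syslogd a reverse lookup on the wire. The netstat lines, the hosts file and the client list are constructed for the example; the home.arpa names are an assumption (RFC 8375 reserves that domain for home networks), and the RFC 1918 check is used instead of Python's broader `is_private` because the thread's question is specifically about 192.168.x.x-style addresses.

```python
import ipaddress
import re

# Constructed sample of `netstat -up` output, modelled on the line in the
# original post (one peer shown resolved, one numeric). Not a real capture.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.0.202:33987     68.87.64.196:53         ESTABLISHED 4841/syslogd
udp        0      0 192.168.0.202:32771     ns.inflow.pa.bo.:domain ESTABLISHED 3012/sshd
tcp        0      0 192.168.0.202:22        192.168.0.10:1427       ESTABLISHED 3012/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           4841/syslogd
"""

# Constructed /etc/hosts; home.arpa is an assumed LAN domain (RFC 8375).
HOSTS_SAMPLE = """\
127.0.0.1       localhost.localdomain localhost
192.168.0.202   rhl9.home.arpa rhl9     # this box
192.168.0.1     gw.home.arpa gw
"""

# Constructed list of source addresses seen sending to the syslog port.
SYSLOG_CLIENTS = ["192.168.0.10", "192.168.0.1", "192.168.0.10",
                  "10.0.0.5", "203.0.113.7"]

DNS_PORTS = {"53", "domain"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dns_talkers(netstat_text):
    """Map 'pid/program' -> set of peers it has a socket open to on a DNS port.

    Works on numeric (-n) and name-resolved output alike: the foreign address
    is split on its last ':' and the port is compared as text.
    """
    talkers = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        peer_host, _, peer_port = fields[4].rpartition(":")
        if peer_port not in DNS_PORTS:
            continue
        owner = fields[-1] if re.fullmatch(r"\d+/\S+", fields[-1]) else "unknown"
        talkers.setdefault(owner, set()).add(peer_host)
    return talkers


def parse_hosts(text):
    """Parse /etc/hosts into {ip: [names]}, ignoring comments and malformed lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # do not let a garbled line poison the table
        table.setdefault(ip, []).extend(names)
    return table


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16, the ranges the ISP cannot name."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unresolvable_clients(hosts_table, client_ips):
    """Clients with no /etc/hosts entry: each one costs syslogd a reverse
    lookup against the upstream resolver. Returns (ip, is_rfc1918) pairs so the
    private ones, which leak LAN layout to the ISP for no answer, stand out."""
    missing = sorted(set(client_ips) - set(hosts_table), key=ipaddress.ip_address)
    return [(ip, is_rfc1918(ip)) for ip in missing]


if __name__ == "__main__":
    for owner, peers in sorted(dns_talkers(NETSTAT_SAMPLE).items()):
        print(f"{owner} talks DNS to {', '.join(sorted(peers))}")
    for ip, private in unresolvable_clients(parse_hosts(HOSTS_SAMPLE), SYSLOG_CLIENTS):
        print(f"no hosts entry for {ip} ({'RFC1918' if private else 'public'})")
```

A public address in the unresolvable list is worth a second look before adding it to /etc/hosts: something outside the LAN is sending to the syslog port.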
Rob van der Putten
      08-14-2005, 11:37 AM
Hi there


"CL (dnoyeB) Gilbert" wrote:

> CL (dnoyeB) Gilbert wrote:
> > I am running syslogd on my RHL9 box. I noticed in my firewall that it's
> > sending a load of data to 68.87.64.196:52 UDP. I thought that was
> > rather odd. I checked netstat and I get
> >
> > udp 0 0 192.168.0.202:33987 ns.inflow.pa.bo.:domain ESTABLISHED
> > 4841/syslogd
> >
> > and also
> >
> > unix 13 [] DGRAM 4276 4841/syslogd /dev/log
> >
> >
> >
> > Well a little more digging and it seems 68.87.64.196 is my DNS server
> >
> > I didn't know DNS was on UDP though, anyway..


It does both TCP and UDP.

> > What does syslogd want
> > with DNS? Is it trying to reverse lookup the name of the servers
> > dumping data into it? If so, any way to satisfy it, since these are
> > local computer addresses like 192.168.x.x?


Set up your own DNS with your ISP's DNS as forwarder.
Create both a forward and reverse zone for your lan.

> Didn't take long to figure that one out. Yes syslogd is doing reverse
> dns lookups of the IP that are trying to log to it. I put an entry in
> the /etc/hosts file and the dns over the wire went away.
>
> I wonder how many other apps are doing reverse dns lookups on my local
> IP addresses. I know ssh can take a while under certain setups. its
> probably doing it too.


Just about anything net does reverse lookups.


Regards,
Rob
--
+----------------------------------------------------------------------+
| Intensieve Menshouderij |
| http://www.intensievemenshouderij.nl/ |
+----------------------------------------------------------------------+
CL (dnoyeB) Gilbert
      08-14-2005, 01:06 PM
Rob van der Putten wrote:
> Hi there
>
>
> "CL (dnoyeB) Gilbert" wrote:
>
>
>>CL (dnoyeB) Gilbert wrote:
>>
>>>I am running syslogd on my RHL9 box. I noticed in my firewall that it's
>>>sending a load of data to 68.87.64.196:52 UDP. I thought that was
>>>rather odd. I checked netstat and I get
>>>
>>>udp 0 0 192.168.0.202:33987 ns.inflow.pa.bo.:domain ESTABLISHED
>>>4841/syslogd
>>>
>>>and also
>>>
>>>unix 13 [] DGRAM 4276 4841/syslogd /dev/log
>>>
>>>
>>>
>>>Well a little more digging and it seems 68.87.64.196 is my DNS server
>>>
>>>I didn't know DNS was on UDP though, anyway..

>
>
> It does both TCP and UDP.
>
>
>>> What does syslogd want
>>>with DNS? Is it trying to reverse lookup the name of the servers
>>>dumping data into it? If so, any way to satisfy it, since these are
>>>local computer addresses like 192.168.x.x?

>
>
> Set up your own DNS with your ISP's DNS as forwarder.
> Create both a forward and reverse zone for your lan.
>


Don't know what that means. In any event, my ISP changes DNS every so
often. I'm on DHCP. Don't know what forward and reverse zones are either.

You sayin' I should run a DNS daemon?


--
Respectfully,


CL Gilbert

Moe Trin
      08-14-2005, 10:18 PM
In the Usenet newsgroup comp.os.linux.networking, in article
<ioadnZ2dnZ3vMhq0nZ2dnVTcYt-dnZ2dRVn-(E-Mail Removed)>,
CL (dnoyeB) Gilbert wrote:

>Rob van der Putten wrote:


>> "CL (dnoyeB) Gilbert" wrote:


>>>>I didn't know DNS was on UDP though, anyway..


>> It does both TCP and UDP.


The "normal" DNS is UDP. Only when the reply is larger than 512 bytes
AND when the client wants more than that will TCP be used.

>> Set up your own DNS with your ISP's DNS as forwarder.
>> Create both a forward and reverse zone for your lan.

>
>Don't know what that means.


91563 Dec 23 2001 DNS-HOWTO

>In any event, my ISP changes DNS every so often.


"Hey Dave - the traffic on the routers is getting pretty high!"
"Quick George, change the address of the name servers - that will slow 'em
down a bit"

HIGHLY unlikely, even for comcast. How do you find the DNS server? Well,
you ask the DNS server... or you could do a 'whois' lookup, but that
assumes that you know the IP address of the whois server, and you get that
by asking a DNS server. Bottom line - DNS servers do not change addresses
very often. I have three ISPs. None, not one, has changed the addresses of
any of their name servers. My backup ISP has been using the same address
for all seven years that I've been using them. At work, we haven't changed
the addresses of the DNS servers in the _17_years_ that we've been running
them. There is no reason to change the address.

>I'm on DHCP.


Depending on your distribution, your DHCP client is probably already grabbing
the DNS address from your ISP's DHCP server.

>Don't know what forward and reverse zones are either.


See the HOWTO. 'forward' means name to IP, reverse means IP to name. You
need to have both pieces of information.

>You sayin' I should run a DNS daemon?


Depends on what your systems are being used for. For your local LAN, it
usually means that you need ALL hostnames/addresses in /etc/hosts. IF you
have more than "a handful", it may be desirable to run your own DNS server
that is authoritative for your LAN, and either knows how to do recursion,
or forwards requests to a DNS server that does. Remember that a client
believes the FIRST answer it gets, EVEN IF THE ANSWER IS "I DON'T KNOW",
so any DNS server you use must be able to answer ALL queries. There is
no "ask someone else" response in DNS. You mention using RH9 - look for

1854107 Feb 24 2003 bind-9.2.1-16.i386.rpm
1607734 Feb 24 2003 bind-utils-9.2.1-16.i386.rpm
7361 Feb 24 2003 caching-nameserver-7.2-7.noarch.rpm

on your distribution CDs.

Old guy
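The UDP-versus-TCP point in this post, as an added example that is not from the thread: the minimal client-side logic behind the reverse lookup syslogd performs. It builds the PTR query for 192.168.0.202 in the RFC 1035 wire format, checks a reply against the query before believing it (response bit, transaction ID and echoed question, since a client acts on the first matching answer it receives), and falls back to TCP only when the reply carries the TC (truncated) bit. The reply bytes are constructed in the code and nothing is sent on the network; port 53 and the 512-byte UDP payload are the classic values without EDNS.

```python
import ipaddress
import struct

DNS_PORT = 53          # "domain" in netstat's name-resolved output
UDP_PAYLOAD_MAX = 512  # classic DNS-over-UDP limit without EDNS (RFC 1035)
QTYPE_PTR = 12
QCLASS_IN = 1
FLAG_QR = 0x8000       # message is a response
FLAG_TC = 0x0200       # truncated: the client should retry over TCP
FLAG_RD = 0x0100       # recursion desired
FLAG_RA = 0x0080       # recursion available


def reverse_name(ip: str) -> str:
    """Name queried for an IPv4 reverse lookup: 192.168.0.202 -> 202.0.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """12-byte header (id, flags, four section counts) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def question_section(msg: bytes) -> bytes:
    """Raw bytes of the first question (name, type, class); no compression expected there."""
    i = 12
    while True:
        length = msg[i]
        if length == 0:
            i += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside a question name")
        i += 1 + length
    return msg[12:i + 4]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def handle_reply(query: bytes, reply: bytes) -> str:
    """What a careful client does with a UDP reply to `query`."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"] or question_section(reply) != question_section(query):
        return "discard"      # not an answer to what we asked: stale, or forged
    if r["tc"]:
        return "retry-tcp"    # the answer did not fit in the UDP payload
    return "accept"


def fake_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed server reply for the demo: echoes the question, carries no records."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", h["id"], flags, 1, 0, 0, 0) + question_section(query)


if __name__ == "__main__":
    q = build_query(reverse_name("192.168.0.202"), QTYPE_PTR, txid=0x1234)
    print(reverse_name("192.168.0.202"), len(q), "bytes over UDP port", DNS_PORT)
    print("normal reply:", handle_reply(q, fake_reply(q, truncated=False)))
    print("truncated reply:", handle_reply(q, fake_reply(q, truncated=True)),
          "-> resend as", tcp_frame(q)[:2].hex(), "+ query on TCP")
    forged = fake_reply(build_query(reverse_name("192.168.0.202"), QTYPE_PTR, 0x9999), False)
    print("wrong transaction id:", handle_reply(q, forged))
```

The ID and question check is what keeps a stale or forged datagram from being taken as the answer; a real resolver also randomises the transaction ID and source port, which the example leaves to the caller.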
CL (dnoyeB) Gilbert
      08-14-2005, 11:26 PM
Moe Trin wrote:
>>>Set up your own DNS with your ISP's DNS as forwarder.
>>>Create both a forward and reverse zone for your lan.

>>
>>Don't know what that means.

>
>
> 91563 Dec 23 2001 DNS-HOWTO
>
>
>>In any event, my ISP changes DNS every so often.

>
>
> "Hey Dave - the traffic on the routers is getting pretty high!"
> "Quick George, change the address of the name servers - that will slow 'em
> down a bit"
>
> HIGHLY unlikely, even for comcast. How do you find the DNS server? Well,
> you ask the DNS server... or you could do a 'whois' lookup, but that
> assumes that you know the IP address of the whois server, and you get that
> by asking a DNS server. Bottom line - DNS servers do not change addresses
> very often. I have three ISPs. None, not one, has changed the addresses of
> any of their name servers. My backup ISP has been using the same address
> for all seven years that I've been using them. At work, we haven't changed
> the addresses of the DNS servers in the _17_years_ that we've been running
> them. There is no reason to change the address.
>


I don't run Comcast...


>
>>I'm on DHCP.

>
>
> Depending on your distribution, your DHCP client is probably already grabbing
> the DNS address from your ISP's DHCP server.
>
>


Yes, that's why I mentioned it. Occasionally the DNS servers have
changed. It may be that they have several and they just rotate who gets
which address when they change your IP address. In that case it
wouldn't matter, but I don't know that for sure.


>>Don't know what forward and reverse zones are either.

>
>
> See the HOWTO. 'forward' means name to IP, reverse means IP to name. You
> need to have both pieces of information.
>


I do know what forward and reverse DNS lookups are. I do not know what
a forward or reverse 'zone' is.

>
>>You sayin' I should run a DNS daemon?

>
>
> Depends on what your systems are being used for. For your local LAN, it
> usually means that you need ALL hostnames/addresses in /etc/hosts. IF you
> have more than "a handful", it may be desirable to run your own DNS server
> that is authoritative for your LAN, and either knows how to do recursion,
> or forwards requests to a DNS server that does. Remember that a client
> believes the FIRST answer it gets, EVEN IF THE ANSWER IS "I DON'T KNOW",
> so any DNS server you use must be able to answer ALL queries. There is
> no "ask someone else" response in DNS. You mention using RH9 - look for
>
> 1854107 Feb 24 2003 bind-9.2.1-16.i386.rpm
> 1607734 Feb 24 2003 bind-utils-9.2.1-16.i386.rpm
> 7361 Feb 24 2003 caching-nameserver-7.2-7.noarch.rpm
>
> on your distribution CDs.
>
> Old guy



Didn't know that. Using the hosts file now, but that only serves a
single computer. The rest of my computers are Windows. I could edit
their 'hosts' file too, but I should probably try to use a single
location for naming consistency. Perhaps I'll read that HOWTO and give
myself some names, locally.



--
Respectfully,


CL Gilbert
Tauno Voipio
      08-15-2005, 07:23 PM
CL (dnoyeB) Gilbert wrote:
> Moe Trin wrote:
>
>>>> Set up your own DNS with your ISP's DNS as forwarder.
>>>> Create both a forward and reverse zone for your lan.
>>>

>
>
>
> Didn't know that. Using the hosts file now, but that only serves a
> single computer. The rest of my computers are Windows. I could edit
> their 'hosts' file too, but I should probably try to use a single
> location for naming consistency. Perhaps I'll read that HOWTO and give
> myself some names, locally.
>


For a simple network, dnsmasq is light-years simpler
to set up and maintain than any of the Bind family.

It will serve names from the host's /etc/hosts file and
from the ISP's DNS set up by the DHCP client.

--

Tauno Voipio
tauno voipio (at) iki fi


Moe Trin
      08-16-2005, 12:34 AM
In the Usenet newsgroup comp.os.linux.networking, in article
<CYmdncgYb4aMTmLfRVn-(E-Mail Removed)>, CL (dnoyeB) Gilbert wrote:

>Moe Trin wrote:


>I don't run Comcast...


I'm not too sure if anyone wants to admit to being in charge ;-)

>> Depending on your distribution, your DHCP client is probably already
>> grabbing the DNS address from your ISP's DHCP server.

>
>Yes, that's why I mentioned it. Occasionally the DNS servers have
>changed. It may be that they have several and they just rotate who gets
>which address when they change your IP address. In that case it
>wouldn't matter, but I don't know that for sure.


Comcast has a huge amount of IP space, spread over a number of blocks.
Last I looked, it was the equivalent of 1 and a half "Class A" networks
(about 23.5 million addresses) from 24.0.0.0 thru 216.216.86.0. If you
were to do a recursive DNS query, you'll wind up at a handful of name
server addresses. These virtually never change. If you look at the name
servers used internally by Comcast customers - there is likewise a large
number, spread over many address ranges. This is for two reasons - mainly
speed and load balancing. It's desirable to have the "local" name server
within a few hops (miles is never a factor - it's how many routers you
have to pass through). Likewise, you want to try to have everyone hitting
the same name server - can you imagine if one tenth of one percent of
comcast customers all hit the same name server at the same time?

>>> Don't know what forward and reverse zones are either.


>> See the HOWTO. 'forward' means name to IP, reverse means IP to name.


>I do know what forward and reverse DNS lookups are. I do not know what
>a forward or reverse 'zone' is.


If you haven't had time to read the HOWTO yet - a DNS zone is a group of
related addresses, such as 1.168.192.in-addr.arpa, (all of the addresses
from 192.168.1.x). Another zone would be example.com, which includes all
hosts from aardvark.example.com through zulu.example.com.

>Didn't know that. Using the hosts file now, but that only serves a
>single computer. The rest of my computers are Windows. I could edit
>their 'hosts' file too, but I should probably try to use a single
>location for naming consistency. Perhaps I'll read that HOWTO and give
>myself some names, locally.


Assuming your local LAN is using an RFC1918 address range such as
192.168.1.x, it often helps to run your own name server locally, and point
your windoze boxes at this server - so that they are not constantly
bothering the ISP's name server. You make it authoritative for your LAN
(both forward and reverse), and either have it do normal recursion to
ascertain the names of the rest of the world, or you make it a forwarder,
and have it forward 'questions' it can't answer to the ISP's name server.
The 'bind' package is the name server, and that 'caching-nameserver' will
do most of the work of setting up your name server as a forwarder. Works
pretty well, but you may run into problems if your LAN is running DHCP
without 'reserved' addresses. As DHCP hands out random addresses within
the range to whoever asks for one, you have no idea who is who. That's
why I used fixed or static addresses. How does windoze do it? Well, they
use the windoze version of name service, where the individual host announces
its name - and there is no checking of names, so security isn't.

Old guy
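What a forward and a reverse zone for the LAN look like, as an added example that is not part of the thread: from one table of LAN hosts it emits the forward zone (names to addresses) and the matching 0.168.192.in-addr.arpa reverse zone (addresses to names) in BIND zone-file syntax, so both directions of the lookup are answered locally and the ISP's server is never asked about 192.168.x.x. The host table, the home.arpa domain (the name RFC 8375 reserves for home networks), the ns1 server name and the hostmaster contact are assumptions for the example; the serial follows the YYYYMMDDnn convention, and the reverse zone builder refuses two names for one address so every PTR lookup has exactly one answer.

```python
import ipaddress
from datetime import date

# Constructed LAN host table for the example; home.arpa is an assumed domain.
DOMAIN = "home.arpa"
NETWORK = "192.168.0.0/24"
PRIMARY_NS = "ns1"             # the box that will run the name server
ADMIN_MAIL = "hostmaster"      # hostmaster@home.arpa, written as a name in the SOA
HOSTS = {
    "ns1": "192.168.0.1",
    "rhl9": "192.168.0.202",   # the syslog server from the post
    "winbox": "192.168.0.10",
}


def zone_serial(day: date, change: int) -> int:
    """YYYYMMDDnn serial; secondaries only reload when this number grows."""
    if not 0 <= change <= 99:
        raise ValueError("change number must be 0..99")
    return int(day.strftime("%Y%m%d")) * 100 + change


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone covering a /24: 192.168.0.0/24 -> 0.168.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("this example handles /24 networks only")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"


def forward_records(hosts):
    """A records for the forward zone, one per host, sorted by name."""
    return [(name, "A", ip) for name, ip in sorted(hosts.items())]


def reverse_records(network, domain, hosts):
    """PTR records for the reverse zone: last octet -> fully qualified name.

    Rejects hosts outside the network and two names for one address."""
    net = ipaddress.IPv4Network(network)
    owner = {}
    for name, ip in hosts.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{name} ({ip}) is not in {network}")
        if addr in owner:
            raise ValueError(f"{ip} already maps to {owner[addr]}, cannot add {name}")
        owner[addr] = name
    return [(str(addr).split(".")[3], "PTR", f"{name}.{domain}.")
            for addr, name in sorted(owner.items())]


def render_zone(origin, domain, serial, records, ttl=86400):
    """BIND zone-file text: $ORIGIN/$TTL, SOA, NS, then the records."""
    ns = f"{PRIMARY_NS}.{domain}."
    lines = [f"$ORIGIN {origin}.", f"$TTL {ttl}",
             f"@ IN SOA {ns} {ADMIN_MAIL}.{domain}. ( {serial} 3600 900 604800 {ttl} )",
             f"@ IN NS {ns}"]
    lines += [f"{name} IN {rtype} {rdata}" for name, rtype, rdata in records]
    return "\n".join(lines) + "\n"


def build_zones(domain, network, hosts, serial):
    """Both zone files for the LAN, keyed by zone name."""
    rev = reverse_zone_name(network)
    return {
        domain: render_zone(domain, domain, serial, forward_records(hosts)),
        rev: render_zone(rev, domain, serial, reverse_records(network, domain, hosts)),
    }


if __name__ == "__main__":
    serial = zone_serial(date(2005, 8, 14), 1)
    for zone, text in build_zones(DOMAIN, NETWORK, HOSTS, serial).items():
        print(f"; zone {zone}\n{text}")
```

Each rendered text is what goes into the zone file that named.conf declares the server authoritative for; anything not in either zone is what the forwarder clause sends upstream.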