Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: John Crisp on January 14, 2003, 02:44:01 PM
-
Hi,
Been having a bit of trouble trying to track down the following problem on a patched V5.1.2 server.
Every day at the same time I get a trigger which brings up the dialup line. I am trying to see where it comes from to eliminate it, as the server then does a mail run which I don’t want to happen. I don’t get any other triggers after work – only this one at 4am.
Can anyone give me any pointers as to what the cause may be and how to resolve it? I don’t get any other triggers overnight, just the one at the same time every day.
Times are GMT.
Having looked in /home/dns/var/named/named.ca I can see that the IPs are all root server IPs – so why is the server looking these up?
Jan 14 04:02:03 wingate diald[4336]: Trigger: udp 192.168.42.1/1025 128.9.0.107/53
Jan 13 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Jan 12 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Jan 11 04:02:02 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Jan 10 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Jan 9 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 192.203.230.10/53
Jan 8 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.9.0.107/53
Dec 21 04:02:03 wingate diald[916]: Trigger: udp 192.168.42.1/1025 193.0.14.129/53
Dec 18 04:02:03 wingate diald[2038]: Trigger: udp 192.168.42.1/1025 192.203.230.10/53
Dec 16 04:02:02 wingate diald[916]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Dec 15 04:02:03 wingate diald[916]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
A daytime one:
Dec 17 13:45:20 wingate diald[2038]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Don’t understand this one – why are the IPs reversed?
Dec 20 04:06:54 wingate diald[916]: Trigger: udp 128.8.10.90/53 192.168.42.1/1025
Any help or thoughts are appreciated.
B. Rgds
John
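
Added example (not part of the original post): one way to summarise diald trigger lines like the ones above, grouping them by time of day and by whether the packet was sent to or received from port 53. The function names are hypothetical, and it assumes diald prints the source address/port first and the destination second.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the posts on this page.
SAMPLE = """\
Jan 14 04:02:03 wingate diald[4336]: Trigger: udp 192.168.42.1/1025 128.9.0.107/53
Jan 13 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Jan 9 04:02:03 wingate diald[21737]: Trigger: udp 192.168.42.1/1025 192.203.230.10/53
Dec 17 13:45:20 wingate diald[2038]: Trigger: udp 192.168.42.1/1025 128.8.10.90/53
Dec 20 04:06:54 wingate diald[916]: Trigger: udp 128.8.10.90/53 192.168.42.1/1025
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> <host> diald[pid]: Trigger: <proto> <src>/<port> <dst>/<port>"
TRIGGER = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hhmm>\d\d:\d\d):\d\d\s+\S+\s+diald\[\d+\]:\s+"
    r"Trigger:\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+(?P<dst>[\d.]+)/(?P<dport>\d+)$"
)

def parse_triggers(text):
    """Return one dict per diald Trigger line; any other log line is skipped."""
    events = []
    for line in text.splitlines():
        m = TRIGGER.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # Destination port 53: a DNS query leaving the server.
        if e["dport"] == "53":
            e["kind"], e["remote"] = "dns-query", e["dst"]
        elif e["sport"] == "53":  # source port 53: an answer arriving
            e["kind"], e["remote"] = "dns-reply", e["src"]
        else:
            e["kind"], e["remote"] = "other", e["dst"]
        events.append(e)
    return events

def recurring_times(events, min_days=3):
    """Map HH:MM to the number of distinct days it fired, keeping times seen on >= min_days days."""
    days = defaultdict(set)
    for e in events:
        days[e["hhmm"]].add((e["mon"], e["day"]))
    return {t: len(d) for t, d in days.items() if len(d) >= min_days}

def remotes_by_kind(events):
    """Count remote addresses separately for queries sent and replies received."""
    out = defaultdict(Counter)
    for e in events:
        out[e["kind"]][e["remote"]] += 1
    return out
```

A time that recurs on several days points at something scheduled on the server itself, and the per-kind counts show which remote addresses the queries went to.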
-
Also found the following in my logs. Any relation?
Jan 8 08:59:11 wingate named[1560]: check_hints: A records for J.ROOT-SERVERS.NET class 1 do not match hint records
Jan 13 10:36:26 wingate named[1610]: hint zone "" (IN) loaded (serial 0)
Jan 13 10:36:38 wingate named[1610]: check_hints: A records for J.ROOT-SERVERS.NET class 1 do not match hint records
Jan 14 09:11:17 wingate named[1612]: hint zone "" (IN) loaded (serial 0)
Jan 14 09:11:25 wingate named[1612]: check_hints: A records for J.ROOT-SERVERS.NET class 1 do not match hint records
Jan 14 09:26:53 wingate identd[1879]: missing parameter in /etc/identd.masq: #------------------------------------------------------------
Jan 14 09:26:53 wingate identd[1879]: Returned: 61005 , 21 : NO-USER
B. Rgds
John
-
J.ROOT-SERVERS.NET changed address last September (or October).
No need to worry about that, or you could update the hints file.
I suggest that you enable query logging in named:
kill -WINCH
-
Hi Filippo,
Thanks for the reply.
Can you explain the kill -WINCH command? I had a look online but couldn't see a reference to it. And how do you 'undo' the logging?
I have manually updated the named.ca file with the new IP. I'll have a look in the morning and see what has happened.
B. Rgds
John
-
I don't know if it makes a difference or not, I have a Win2K box set up to automatically download updates from MS's site and my logs show sometime after midnight this server connects to MS to check for updates.
Any MS PC that's configured to automatically download updates and is left on overnight will attempt to make this connection.
Just a thought....
-
Hmm.
Dave, thanks for your thoughts. At night I have one Windoze 98 PC running for faxing, but I don't think this is the culprit. I can down or disconnect it to tell for sure.
It seems that there is nothing much transmitted at the connection - a few bytes only - see below for last night's ones.
The date this started was around the beginning of December, although that may be nothing to do with it.
One thing I have noted is that the IP that is being called seems mainly to be d.root-servers.net which is the 128.8.10.90 IP.
If I try to ping this IP I get nothing back, whereas I do from the other NS.
Hmm.
B. Rgds
John
Jan 15 04:02:03 wingate diald[916]: Trigger: udp 192.168.42.1/1025 192.36.148.17/53
Jan 15 04:02:41 wingate pppd[3257]: Connection terminated.
Jan 15 04:02:41 wingate pppd[3257]: Connect time 0.6 minutes.
Jan 15 04:02:41 wingate pppd[3257]: Sent 377 bytes, received 662 bytes.
Jan 15 04:03:11 wingate diald[916]: Trigger: udp 128.8.10.90/53 192.168.42.1/1025
Jan 15 04:03:47 wingate pppd[3306]: Connect time 0.6 minutes.
Jan 15 04:03:47 wingate pppd[3306]: Sent 315 bytes, received 527 bytes.
-
ID for your mystery IP responds with the name "d.root-servers.net" - registrant appears to be Verisign/Network Solutions; see below for details.
Is there a machine/program trying to update security certificates?
The location is listed as University of Maryland. That indicates it's part of the original foundation of commercial Internet.
Hope this helps.
John Crisp wrote:
> If I try to ping this IP I get nothing back, whereas I do
> from the other NS.
Registrant:
VERISIGN GLOBAL REGISTRY SERVICES (ROOT-SERVERS-DOM)
21345 Ridgetop Circle
Dulles, VA 20166
US
Domain Name: ROOT-SERVERS.NET
Administrative Contact:
Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
US
310-823-9358
Fax- 310-823-8649
Technical Contact:
VeriSign Global Registry Services (REGISTRY) rcc@verisign.com
VeriSign Global Registry Services
21345 Ridgetop Circle
Dulles, VA 20166
US
703-948-7064 fax: 703-421-6703
Record expires on 05-Jul-2005.
Record created on 04-Jul-1995.
Database last updated on 30-Jan-2003 08:40:32 EST.
Domain servers in listed order:
A.ROOT-SERVERS.NET 198.41.0.4
F.ROOT-SERVERS.NET 192.5.5.241
J.ROOT-SERVERS.NET 198.41.0.10