Maintained by: NLnet Labs

[Unbound-users] multicast address alerts in logs

W.C.A. Wijngaards
Sat Mar 26 09:20:19 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

On 03/25/2011 10:38 PM, Michael Watters wrote:
>> Leave tcpdump running on a resolver and wait for the misconfigured
>> offender to appear.  Use one of the following:
>> ----
>> tcpdump -i bond0 -n -p port 53 -s 0 -w /tmp/dump.pcap
>> tcpdump -i bond0 -n -p port 53 -s 0 -w - -U | tee /tmp/dump.pcap | tcpdump -r - -n
>> ----
>>
>> Good hunting :)
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: Future looks spotty.  You will spill soup in late evening.
> 
> This may be problematic on DNS nodes that are handling thousands of
> queries per second.  Is there a way to make unbound log what lookups
> are causing these messages?

Attached a small patch that logs the UDP packet that it tried to send to
that (multicast) address.  It logs for all UDP failures.

With   echo <that hex> | drill -i -   you can see what query was being
asked.

This patch has not been tested (but it's tiny).

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk2NocMACgkQkDLqNwOhpPgHaQCdFATMP446E3HLyVxFE36cFC/f
KocAn2mxP+HNUoLEoT3/6jZmX64Otfw5
=EUYg
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_log_failed_udp.diff
Type: text/x-patch
Size: 423 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20110326/4360b311/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_log_failed_udp.diff.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20110326/4360b311/attachment.pgp>
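
Added example (not part of the original message or of the Unbound source): a small decoder for the hex-logged packet, for hosts where drill is not installed. It assumes the logged hex is the raw DNS message, as the drill -i pipeline above implies; the function name, the type table and the sample packet are constructed for illustration.

```python
import struct

# Small subset of RR type codes; unknown codes are shown as TYPEnnn
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 43: "DS", 48: "DNSKEY"}

def _show(label):
    # Escape dots, backslashes and non-printable bytes so odd names stay visible
    return "".join(chr(b) if 0x21 <= b <= 0x7E and b not in b".\\"
                   else "\\%03d" % b for b in label)

def decode_logged_query(hex_dump):
    """Return id, RD flag, qname, qtype and qclass of a hex-encoded DNS query."""
    pkt = bytes.fromhex("".join(hex_dump.split()))  # ValueError on non-hex input
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[pos]
        pos += 1
        if length == 0:          # root label terminates the name
            break
        if length & 0xC0:        # queries carry the qname uncompressed
            raise ValueError("compression pointer or reserved label type")
        if pos + length > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(_show(pkt[pos:pos + length]))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("missing qtype/qclass")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": msg_id, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels) + ".",
            "qtype": QTYPES.get(qtype, "TYPE%d" % qtype), "qclass": qclass}

# Constructed sample: query id 0x1a2b, RD clear, example.com. IN A
SAMPLE = ("1a2b 0000 0001 0000 0000 0000 "
          "07 6578616d706c65 03 636f6d 00 0001 0001")

if __name__ == "__main__":
    print(decode_logged_query(SAMPLE))
```

The qname it prints is the lookup that led Unbound to the multicast address, which is the starting point for finding the zone whose delegation or glue is misconfigured.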