Maintained by: NLnet Labs

[Unbound-users] multicast address alerts in logs

Alexander Clouter
Sat Mar 26 10:38:26 CET 2011


* Michael Watters <wattersmt at gmail.com> [2011-03-25 17:38:27-0400]:
>
> > Leave tcpdump running on a resolver and wait for the misconfigured
> > offender to appear.  Use one of the following:
> > ----
> > tcpdump -i bond0 -n -p port 53 -s 0 -w /tmp/dump.pcap
> > tcpdump -i bond0 -n -p port 53 -s 0 -w - -U | tee /tmp/dump.pcap | tcpdump -r - -n
> > ----
> >
> > Good hunting :)
>
> This may be problematic on DNS nodes that are handling thousands of 
> queries per second.
>
I doubt it. What matters is the amount of data going through and if your
hard disk can keep up with the pace; I doubt you are pushing 30MB/s :)

As it's high-throughput, I recommend you go with the first command (the
second one will choke your computer/terminal).

> Is there a way to make unbound log what lookups are causing these 
> messages?
>
Patch the source, I imagine; you might be able to do something with the
Python bindings though.

Cheers

-- 
Alexander Clouter
.sigmonster says: Every time I think I know where it's at, they move it.