This isn't a request for help so much as a story for anyone else who's seeing similar things:
Okay, I have logwatch set up on my Cobalt RaQ3. Logwatch is cool. It emails you everything in the logfiles, you define great regular expressions as to what's harmless noise, and keep going till it's only the critical stuff that you get. I just got a mail FULL of the following:

client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX2.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX3.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX4.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX5.GOOGLEMAIL.com/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.59.189 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)
client 123.19.99.134 query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied: 1 Time(s)

So after I dig around for a bit (no pun intended), I realize what I'm looking at: a whole bunch of terribly broken DNS implementations. DNS implementations that bypass a host's DNS entry and directly query ME instead of looking something up directly. All the domains above are A records (address records) that are pointed to by MX (mail exchanger) records. I host sites that use those MXes, but I don't host (obviously) googlemail.com.

Okay, so I know why this is happening. It's mostly harmless. My options:

1) Tune logwatch so I don't get these.
2) Tune BIND so it doesn't log these hits.
3) Use this information to feed a real-time blacklist -- it's fairly easy to write the parser, but from the looks of it, most of these IPs are already on RBLs I use (Spamhaus PBL, CBL).
4) Find a way (as recursive as this sounds) to block queries to my DNS server, based on this blacklist. I don't think BIND supports such a feature.

Any comments?

-Dan
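The parser Dan mentions under option 3 is the part worth sketching. The following is an added example, not Dan's code or anything from his Cobalt/logwatch setup: it reads both the logwatch summary form quoted above and the raw BIND syslog form (assumed here to be the BIND 9 style "client IP#port: query (cache) '...' denied"), sums denied recursive queries per client, separates names that fall inside zones this server hosts from names outside them (the "googlemail.com" case), and emits the clients above a threshold as a BIND acl statement. The sample log lines, the "raq" hostname and timestamps, the hosted-zone list and the acl name are all constructed for the example; wiring the acl into named.conf is left to the reader.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (not from the original post's logs): four logwatch
# summary lines in the shape quoted above, two raw BIND syslog lines (assumed
# BIND 9 "client IP#port: query (cache) '...' denied" format) and one permitted
# query that the parser must ignore.
SAMPLE_LOG = """\
client 123.17.150.226 query (cache) 'mail.peregrinehw.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.18.118.42 query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied: 1 Time(s)
client 123.19.213.68 query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied: 3 Time(s)
Mar 12 04:02:17 raq named[812]: client 123.19.99.134#1045: query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied
Mar 12 04:02:18 raq named[812]: client 123.19.99.134#1046: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
Mar 12 04:05:01 raq named[812]: client 10.0.0.5#5000: query: www.peregrinehw.com IN A + (10.0.0.1)
"""

# One pattern for both shapes: the logwatch summary
# ("client IP query (cache) '...' denied: N Time(s)") and the raw syslog line
# ("client IP#port: query (cache) '...' denied"). The source port and the
# "N Time(s)" count are optional.
LINE_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:#\d+)?:? "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)


def parse_line(line):
    """Return a record for a denied cache query, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        # DNS names are case-insensitive; normalise so GOOGLE.COM and google.com merge.
        "qname": m.group("qname").lower().rstrip("."),
        "qtype": m.group("qtype"),
        "count": int(m.group("count") or 1),
    }


def aggregate(text):
    """Sum denied queries per client and remember which names each client asked for."""
    per_ip = Counter()
    names = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += rec["count"]
        names[rec["ip"]].add(rec["qname"])
    return per_ip, names


def in_hosted_zone(qname, zones):
    """True if qname is at or below one of the zones this server is authoritative for."""
    qname = qname.lower().rstrip(".")
    return any(qname == z or qname.endswith("." + z) for z in zones)


def blacklist(text, threshold=2, zones=()):
    """Clients with at least `threshold` denied queries, most active first.

    Each entry is (ip, total, foreign_names) where foreign_names are the queried
    names outside the hosted zones, i.e. the clients using us as an open resolver.
    """
    per_ip, names = aggregate(text)
    result = []
    for ip, total in per_ip.most_common():
        if total < threshold:
            continue
        foreign = sorted(n for n in names[ip] if not in_hosted_zone(n, zones))
        result.append((ip, total, foreign))
    return result


def render_acl(name, ips):
    """Render the offender list as a BIND acl statement (acl name is the caller's choice)."""
    body = "".join(f" {ip};" for ip in ips)
    return f'acl "{name}" {{{body} }};'


if __name__ == "__main__":
    hosted = ("peregrinehw.com",)  # constructed: zones this server actually serves
    offenders = blacklist(SAMPLE_LOG, threshold=2, zones=hosted)
    for ip, total, foreign in offenders:
        print(f"{ip}: {total} denied, foreign names: {', '.join(foreign) or '-'}")
    print(render_acl("dns_abusers", [ip for ip, _, _ in offenders]))
```

Feeding the real logwatch mail or /var/log/messages through aggregate() instead of SAMPLE_LOG is the whole change needed; the threshold is what keeps a single stray lookup (like the two mail.peregrinehw.com clients in the post) off the list.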
