[Unbound-users] multicast address alerts in logs
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Sat Mar 26 08:20:19 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Michael,
On 03/25/2011 10:38 PM, Michael Watters wrote:
>> Leave tcpdump running on a resolver and wait for the misconfigured
>> offender to appear. Use one of the following:
>> ----
>> tcpdump -i bond0 -n -p port 53 -s 0 -w /tmp/dump.pcap
>> tcpdump -i bond0 -n -p port 53 -s 0 -w - -U | tee /tmp/dump.pcap | tcpdump -r - -n
>> ----
>>
>> Good hunting :)
>>
>> Cheers
>>
>> --
>> Alexander Clouter
>> .sigmonster says: Future looks spotty. You will spill soup in late evening.
>
> This may be problematic on DNS nodes that are handling thousands of
> queries per second. Is there a way to make unbound log what lookups
> are causing these messages?
Attached a small patch that logs the UDP packet that it tried to send to
that (multicast) address. It logs for all UDP failures.
with echo <that hex> | drill -i - you can see what query was being
asked.
This patch has not been tested (but its tiny).
Best regards,
Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAk2NocMACgkQkDLqNwOhpPgHaQCdFATMP446E3HLyVxFE36cFC/f
KocAn2mxP+HNUoLEoT3/6jZmX64Otfw5
=EUYg
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_log_failed_udp.diff
Type: text/x-patch
Size: 423 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20110326/4360b311/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_log_failed_udp.diff.sig
Type: application/pgp-signature
Size: 72 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20110326/4360b311/attachment-0001.bin>
More information about the Unbound-users
mailing list