Network Unreachable Error

Support for security such as Firewalls and securing linux
Post Reply
saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Network Unreachable Error

Post by saeed » 2014/10/23 12:21:22

Hi

Today I noticed that I have some lines in my log files in /var/log/messages as follows:

Code: Select all

Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:48::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::19#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:2f::f#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:2f::f#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:1::803f:235#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:1::803f:235#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:503:c27::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:503:c27::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:1a::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::20#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:60::29#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns1.isc.ultradns.net/A/IN': 2001:7fd::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns1.isc.ultradns.net/AAAA/IN': 2001:7fd::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'ns2.isc.ultradns.net/A/IN': 2610:a1:1014::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/A/IN': 2001:500:e::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:500:e::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/A/IN': 2001:500:40::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:500:40::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:502:4612::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.info/AAAA/IN': 2610:a1:1016::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.info/A/IN': 2610:a1:1016::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.co.uk/AAAA/IN': 2610:a1:1017::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.biz/A/IN': 2610:a1:1015::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.com/AAAA/IN': 2001:502:f3ff::e8#53
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#46368: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#23736: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server lfd[1196]: SYSLOG check [Lga6AZUNsgZGaVQX]
I take that my server tries to resolve such addresses as pdns196.ultradns.org, etc. Now my question is why my server tries to reach the above IPV6 addresses, especially adobe.com? It is strange since I do not have any services related to the above. Do I have to be worried if my server is compromised? What's more, yesterday there was a heavy load on my server, in such a way that DirectAdmin Panel had 65 or so alerts about excessive use of system resources. And so far I have not been able to pinpoint the culprit.

Please help!
Saeed
Top
User avatar
TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Network Unreachable Error

Post by TrevorH » 2014/10/23 12:55:15

Looks to me like you have 2 separate issues: first your server is complaining a lot about being unable to contact things over ipv6 so do you have ipv6 enabled and do you have a valid ipv6 address on an interface that can reach those addresses?

The second and slightly more worrying issue is: is 93.113.174.225 an IP address that belongs to you? If it is not then your DNS server appears to be exposed to the internet and probably shouldn't be unless you are using it as an authoritative server for a DNS zone that belongs to you.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Top
saeed
Posts: 20
Joined: 2014/05/30 14:50:33

Re: Network Unreachable Error

Post by saeed » 2014/10/23 14:35:37

TrevorH wrote:Looks to me like you have 2 separate issues: first your server is complaining a lot about being unable to contact things over ipv6 so do you have ipv6 enabled and do you have a valid ipv6 address on an interface that can reach those addresses?

The second and slightly more worrying issue is: is 93.113.174.225 an IP address that belongs to you? If it is not then your DNS server appears to be exposed to the internet and probably shouldn't be unless you are using it as an authoritative server for a DNS zone that belongs to you.

Hi. Thanks for responding. As for the first issue, as you have put it, yes I have disabled ipv6 through the following tutorial:

http://wiki.centos.org/FAQ/CentOS6#head ... 10d41781df

And for for the second part, no the Ip does not belong to me. But could you explain what you meant by "authoritative server for a DNS zone that belongs to you"? I own a VPS configured by DirectAdmin, so every thing including the DNS zone, etc were set up upon installing the panel.

Regards
Saeed
Top
rjlohman_opt
Posts: 8
Joined: 2016/04/13 18:09:36

Re: Network Unreachable Error

Post by rjlohman_opt » 2016/05/10 02:37:18

Just a note about this...

I tried adding OTIONS="-4" to /etc/sysconfig/named, commenting out the 'listen-on-v6' line in /etc/named.conf, and changing that line from
listen-on-v6 port 53 { ::1; };
to
listen-on-v6 port 53 { none; };

But nothing seemed to help. It turns out, 'service named reload' wasn't re-reading all configuration files. I had to do a full restart of named to get it to reread all of the configs. Minor point, but threw me for a loop. FWIW

RJL
Top
forumitu
Posts: 118
Joined: 2014/02/20 14:30:51

Re: Network Unreachable Error

Post by forumitu » 2016/05/10 07:35:16

The "OPTIONS=-4" line in /etc/sysconfig/named actually is an argument to named process. Reloading the named is just a notification to the currently running named daemon process to read again its configuration, and so it does not change its arguments. Because of that service restart is required after changing the OPTIONS in /etc/sysconfig/named.
Top
Post Reply

Return to “CentOS 6 - Security Support”