Great Circle Associates Firewalls
(February 1996)

Subject: Re: strange UNIX syslog msg (Firewalls-Digest V5 #102)
From: Chiaki Ishikawa <ishikawa @ personal-media . co . jp>
Date: Mon, 19 Feb 1996 21:34:11 +0900 (JST)
To: Firewalls @ GreatCircle . COM
In-reply-to: <199602160900 . BAA11152 @ miles . greatcircle . com> (firewalls-digest-owner @ GreatCircle . COM)
Reply-to: ishikawa @ personal-media . co . jp

PMC e-mail id: 4311 

I think what you are seeing is the result of
logging by advanced resolver library routines in
libresolv+ (or such versions).

We often have something similar in my message files like:

Feb 11 04:52:13 sparc11 resolv[26804]: gethostbyaddr: spike.uniforum.org != 206.5.49.1, possible spoof attempt
Feb 11 04:52:13 sparc11 resolv[26804]: connect host=unknown/206.5.49.1

This is output by the resolv+ library routines linked with the sendmail
binary. What it boils down to is that, given the hostname
(spike.uniforum.org), the library picked up a numeric IP address, but the hostname looked up by the
numeric address didn't match the original hostname; thus
there is a danger of DNS contamination by spoofers at worst, and
a simple DNS entry error at the problem site.
My /etc/host.conf looks like this.
You probably have to enable the nospoof switch to get this syslog
message.


#
# host.conf
# comments start with a '#' at the beginning of line
#
#
#order	nis,hosts
# NIS taken out June 23, 1995
order hosts,bind
#
trim	.personal-media.co.jp
multi	off
nospoof	on	<===== Here. No spoof check.
alert	on
reorder	off

I am not sure how wise it is to turn off
this switch. In my daily crontab jobs, I pick up such messages
and already make a list of known sites that have bogus DNS entries, so
that I can visually check whether the messages are from the known
problematic sites or from new ones.

-- 
     Chiaki Ishikawa         ishikawa @ personal-media . co . jp
     Personal Media Corp.
     Shinagawa, Tokyo, Japan 142