[WBEL-users] /var/log/messages - Interesting Entry

Kirby Bohling kbohling@birddog.com
Wed, 18 Aug 2004 14:00:39 -0500


On Wed, Aug 18, 2004 at 09:24:39AM -0400, Jeff Maze wrote:
> Hello,
> 	I was reviewing our secondary mail server logs and found this entry.
> Was curious about what this may be.  Anyone had an idea?
> 
> Aug 17 15:43:59 secmail sendmail[26633]: gethostby*.getanswer: asked for
> "wap.pangia.biz", got "smtp.pangia.biz"
> Aug 17 15:43:59 secmail last message repeated 2 times

I'd crack out tethereal and have it break down the packets, but it
sure sounds like someone has a DNS issue.  You asked for the name of
"wap.pangia.biz", and they sent you a response that had
"smtp.pangia.biz" in the result.  Any chance you can make that
happen at will?

I'm not seeing anything too silly here when I do the nslookups.
About the only thing I found in google is that it isn't an error
coming out of sendmail, it's an error from the resolver library in
glibc (more than likely).

I cracked out the source code, the "gethostby*.getanswer:" of the
form you have appears in two different files.  If you unpack glibc,
look in "resolv/gethnamaddr.c".  You asked for a PTR DNS query for
a specific name (wap.pangia.biz), and the response tells you the
"PTR for smtp.pangia.biz is this".  Thus the remote DNS server
answered the wrong question.  

It's also in "resolv/nss_dns/dns-host.c", but that appears to have
the same analysis, but it's just the threadsafe version of the
source.

I'm not sure if that means there's a security problem, or if someone
is just running a faulty DNS.  Heck, it might just be an out of
order packet arrival if you query for DNS over UDP.  However, that's
the source if you really want to know the answer.  I don't have time
right now to figure out more than this.

	Kirby

> 
> 
> 
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
>
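As an added example (not code from this thread, and not glibc's own source), here is a Python sketch of the owner-name check in glibc's resolv/gethnamaddr.c getanswer() that produces the notice Jeff saw: the resolver walks the answer section and discards any record whose owner name does not match the name it asked for (or the canonical name, once a CNAME has been followed), logging 'asked for X, got Y' for each rejected record. glibc applies the check to A/AAAA and PTR answers alike; the sketch handles A and CNAME. The DNS messages below are built by hand in wire format so the example runs offline; the names come from the thread, while the address 192.0.2.25, the transaction ID and the CNAME case are made up.

```python
import socket
import struct

T_A, T_CNAME, T_PTR = 1, 5, 12


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Expand a (possibly compressed) name at msg[off]; return (name, next_off)."""
    labels, next_off, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if next_off is None else next_off)


def build_response(qname, qtype, answers, txid=0x1234):
    """Constructed response: header + one question + answers [(owner, type, rdata)]."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR, RD, RA set
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def getanswer(msg, qname, qtype):
    """Mimic the owner-name check of glibc getanswer().

    Returns (accepted answers, syslog-style notices). Accepted A records are
    returned as dotted quads; other types as raw rdata.
    """
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    off += 4                                  # skip qtype/qclass
    if name.lower() != qname.lower():
        raise ValueError("question section does not match what we asked")
    expected = name                           # glibc's h_name: rewritten if a CNAME is followed
    accepted, notices = [], []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == T_CNAME and qtype != T_CNAME:
            # Follow the alias: later records must be owned by the canonical name.
            expected, _ = decode_name(msg, off - rdlen)
            continue
        if rtype != qtype:
            continue                          # glibc logs a separate "got type" notice here
        if owner.lower() != expected.lower():
            # This is the line that ends up in /var/log/messages.
            notices.append('gethostby*.getanswer: asked for "%s", got "%s"' % (expected, owner))
            continue
        accepted.append(socket.inet_ntoa(rdata) if rtype == T_A else rdata)
    return accepted, notices


if __name__ == "__main__":
    bad = build_response("wap.pangia.biz", T_A,
                         [("smtp.pangia.biz", T_A, bytes([192, 0, 2, 25]))])
    print(getanswer(bad, "wap.pangia.biz", T_A))
```

Run against a response whose only A record is owned by smtp.pangia.biz, the call returns no addresses and exactly the notice from the thread; the same record under a CNAME from wap.pangia.biz is accepted, which is why a misconfigured zone (or a mangled/spoofed reply) shows up as this message rather than as a hard lookup failure.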