  1. #1
    Just Joined! | Join Date: May 2006 | Posts: 7

    A records in boot process.


    Hi all. Why would our web server request an A record for hotmail.com on startup? We don't use Hotmail.
    I am still learning Linux, so what I think I need to know is where in the OS an A request could be made to our DNS server for that domain. I included the DNS records of a fresh install on one server, showing what Ubuntu does at boot time as far as connecting with ubuntulinux.org ... plus the hotmail request from the other Ubuntu server box.


    "Fresh Install Box"
    13:26:18 Request from 192.168.2.49 for AAAA-record for ntp.ubuntulinux.org.
    13:26:18 Sending reply to 192.168.2.49 about AAAA-record for ntp.ubuntulinux.org.:
    13:26:18 -> Answer: No AAAA-Records available for ntp.ubuntulinux.org.
    13:26:18 -> Authority: SOA-record for ubuntulinux.org. = esperanza.ubuntu.com. [2006050301]
    13:26:18 Request from 192.168.2.49 for AAAA-record for ntp.ubuntulinux.org.benoc.net.
    13:26:18 Sending reply to 192.168.2.49 about AAAA-record for ntp.ubuntulinux.org.benoc.net.:
    13:26:18 -> Header: Name does not exist.
    13:26:18 -> Authority: SOA-record for benoc.net. = ns1.benoc.net. [2006041601]
    13:26:18 -> Additional: A-record for ns1.benoc.net. = 65.82.253.50
    13:26:18 Request from 192.168.2.49 for A-record for ntp.ubuntulinux.org.
    13:26:18 Sending reply to 192.168.2.49 about A-record for ntp.ubuntulinux.org.:
    13:26:18 -> Answer: A-record for ntp.ubuntulinux.org. = 82.211.81.145
    END
    __________________________________________________ _______________

    "Bad Box"
    13:30:47 Request from 192.168.2.201 for AAAA-record for ntp.ubuntulinux.org.
    13:30:47 Sending reply to 192.168.2.201 about AAAA-record for ntp.ubuntulinux.org.:
    13:30:47 -> Answer: No AAAA-Records available for ntp.ubuntulinux.org.
    13:30:47 -> Authority: SOA-record for ubuntulinux.org. = esperanza.ubuntu.com. [2006050301]
    13:30:47 Request from 192.168.2.201 for AAAA-record for ntp.ubuntulinux.org.benoc.net.
    13:30:47 Sending reply to 192.168.2.201 about AAAA-record for ntp.ubuntulinux.org.benoc.net.:
    13:30:47 -> Header: Name does not exist.
    13:30:47 -> Authority: SOA-record for benoc.net. = ns1.benoc.net. [2006041601]
    13:30:47 -> Additional: A-record for ns1.benoc.net. = 65.82.253.50
    13:30:47 Request from 192.168.2.201 for A-record for ntp.ubuntulinux.org.
    13:30:47 Sending request to 69.55.225.40 (ns1.blackcatnetworks.co.uk.) for A-record for ntp.ubuntulinux.org.
    13:30:47 Reply from 69.55.225.40 about A-record for ntp.ubuntulinux.org.:
    13:30:47 -> Answer: A-record for ntp.ubuntulinux.org. = 82.211.81.145
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns.ubuntu.com.
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns0.blackcatnetworks.co.uk.
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns1.blackcatnetworks.co.uk.
    13:30:47 -> Additional: A-record for ns.ubuntu.com. = 82.211.81.173
    13:30:47 -> Additional: A-record for ns0.blackcatnetworks.co.uk. = 193.201.200.34
    13:30:47 -> Additional: A-record for ns1.blackcatnetworks.co.uk. = 69.55.225.40
    13:30:47 Sending reply to 192.168.2.201 about A-record for ntp.ubuntulinux.org.:
    13:30:47 -> Answer: A-record for ntp.ubuntulinux.org. = 82.211.81.145
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns.ubuntu.com.
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns0.blackcatnetworks.co.uk.
    13:30:47 -> Authority: NS-record for ubuntulinux.org. = ns1.blackcatnetworks.co.uk.
    13:31:01 Request from 192.168.2.201 for A-record for hotmail.com.
    13:31:01 Sending reply to 192.168.2.201 about A-record for hotmail.com.:
    13:31:01 -> Answer: A-record for hotmail.com. = 64.4.33.7
    13:31:01 -> Answer: A-record for hotmail.com. = 64.4.32.7


    To further complicate things, I found this out later... I have Firestarter on the test web server with port 80 open and everything else closed. While locking and unlocking the firewall on the web server, I noticed the live DNS log on the DNS server showed an A record request for hotmail.com every time I unlocked Firestarter.

    I know I could do another install but on a production server I need to find out how this happened.

    Thanks for any help.
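    The resolver log quoted above can be triaged mechanically instead of by eye. The script below is an added example and not code from this thread: a POSIX shell/awk script that pulls every client "Request from ... for ...-record for ..." line out of a log in the format shown, ignores the server's own upstream "Sending request" lines and the answer lines, strips the local search-domain suffix (assumed here to be benoc.net., as the retried lookups in the log suggest) so a retry such as ntp.ubuntulinux.org.benoc.net. collapses onto the real name, and then prints each client/name pair that is not on an allowlist of names the box is expected to resolve. The sample log is constructed from lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): triage a resolver log in the format the
# post shows and report which client asked for which unexpected names.

# Constructed sample, abridged from the lines quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
13:30:47 Request from 192.168.2.201 for AAAA-record for ntp.ubuntulinux.org.
13:30:47 Sending reply to 192.168.2.201 about AAAA-record for ntp.ubuntulinux.org.:
13:30:47 -> Answer: No AAAA-Records available for ntp.ubuntulinux.org.
13:30:47 Request from 192.168.2.201 for AAAA-record for ntp.ubuntulinux.org.benoc.net.
13:30:47 Request from 192.168.2.201 for A-record for ntp.ubuntulinux.org.
13:30:47 Sending request to 69.55.225.40 (ns1.blackcatnetworks.co.uk.) for A-record for ntp.ubuntulinux.org.
13:31:01 Request from 192.168.2.201 for A-record for hotmail.com.
13:31:01 -> Answer: A-record for hotmail.com. = 64.4.33.7
13:26:18 Request from 192.168.2.49 for A-record for ntp.ubuntulinux.org.
EOF
)

# client_requests LOG SEARCHDOMAIN
# Prints "client type name" for each "Request from <client> for <type>-record for <name>."
# line. The server's upstream "Sending request to ..." lines and "-> Answer" lines are
# ignored. A trailing search-domain suffix (the resolver's retry, e.g. ".benoc.net.") is
# stripped so the retried lookup collapses onto the name the client actually wanted.
client_requests() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        $2 == "Request" && $3 == "from" {
            client = $4; type = $6; name = $8
            sub(/-record$/, "", type)
            if (dom != "" && length(name) > length(dom) &&
                substr(name, length(name) - length(dom) + 1) == dom)
                name = substr(name, 1, length(name) - length(dom))
            print client, type, name
        }'
}

# unexpected_lookups LOG "allowed names" SEARCHDOMAIN
# Prints each distinct "client name" pair whose name is not in the space-separated
# allowlist. The allowlist is whatever the box is expected to resolve; for the
# thread's fresh install that is just the Ubuntu NTP host.
unexpected_lookups() {
    client_requests "$1" "$3" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) && !seen[$1, $3]++ { print $1, $3 }'
}

# On a real log: unexpected_lookups "$(cat /path/to/dns.log)" "ntp.ubuntulinux.org." benoc.net.
unexpected_lookups "$SAMPLE_LOG" "ntp.ubuntulinux.org." "benoc.net."   # prints: 192.168.2.201 hotmail.com.
```

    Run against the full live log, the output is the list of (client, name) pairs worth explaining; the "Fresh Install Box" in the post would produce nothing, and the "Bad Box" would produce exactly the hotmail.com line that started the thread.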

  2. #2
    Kojak (Linux User) | Join Date: Apr 2006 | Posts: 421
    Maybe you should test your system security again. This link is a fast, easy and quite helpful penetration checker: http://www.pcflank.com/test.htm. I have the distant feeling that your server might have been hacked. Firestarter is not the best firewall frontend for a server imho. Configure iptables/Guarddog/Shorewall properly. Firestarter is good enough for home use, but afaik it is not good enough for server purposes.

    Check your system for some hidden stuff, like those nasty folders that are called e.g. "/tmp/..." (3 points!!). They can get overlooked quite easily but if a directory with three ... exists somewhere on the server, then your system has been definitely compromised and a complete backup procedure, cleaning and securing should be done. Well, the whole disaster recovery plan that you should have for your server.
    Windows free since 2002 | computing since 1984

  3. #3
    Just Joined! | Join Date: May 2006 | Posts: 7
    A big thanks. Security seems OK and no bad folders seem to be present on the server. What I would like to know is where in the boot process, and in what file, this request would be made. For example, I know the ntp service requests the IP of the time server to sync the time. That's in the records. The process occurs just after the network card initializes. I can see the DNS log in real time. What I do know is that this request is last or close to last in the process. How would one trace the boot procedure? And wouldn't a text search for hotmail.com in the scripts work?

    Thanks again.
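    The text search asked about above is a sound first move, because a lookup fired at boot or on a firewall reload has to originate from something on disk: an init script, a crontab, a dhclient hook, a resolver or hosts file, or the web application itself. The script below is an added example, not code from this thread or from any of the tools mentioned in it: a small POSIX shell function that lists every readable text file under the given trees that mentions a hostname literally, followed by a self-contained demo on a constructed temporary tree. The directory names in the comments are assumptions about a typical Debian/Ubuntu layout and should be adjusted to the box in question.

```shell
#!/bin/sh
# Added example (not from the thread): find every text file under the given trees
# that mentions a hostname, i.e. the "text search in scripts" approach.
# Trees worth searching on the box in question (assumed; adjust to the distro):
#   /etc             init scripts, cron tables, dhclient hooks, resolver and hosts files
#   /var/spool/cron  per-user crontabs
#   /var/www         the web application (a CMS script is a plausible origin)

# find_name_refs NAME DIR...
# Prints, sorted, the path of each text file under DIR... that contains NAME literally.
# -F: fixed string rather than a regex (dots in hostnames would otherwise match anything)
# -I: skip binary files   -l: print file names only   -r: recurse
# Errors such as unreadable files are silenced so the listing stays usable.
find_name_refs() {
    name="$1"; shift
    grep -rFIl -- "$name" "$@" 2>/dev/null | sort
}

# demo_tree: build a constructed directory tree and print its path. Two of the
# three files name hotmail.com; resolv.conf is a decoy that must not be listed.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/www"
    printf 'nameserver 192.168.2.1\n' > "$d/etc/resolv.conf"
    printf '0 3 * * * /usr/local/bin/report hotmail.com\n' > "$d/etc/crontab"
    printf '<?php $h = gethostbyname("hotmail.com"); ?>\n' > "$d/var/www/check.php"
    printf '%s\n' "$d"
}

# count_refs: number of files in the constructed tree that reference hotmail.com.
count_refs() {
    d=$(demo_tree)
    n=$(find_name_refs hotmail.com "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    printf '%s\n' "$n"
}

# On the real box: find_name_refs hotmail.com /etc /var/spool/cron /var/www /usr/local
count_refs   # prints 2 (etc/crontab and var/www/check.php)
```

    A hit in a cron table or a web script explains a recurring lookup directly; a hit only in the web root, as in this thread's eventual answer, explains why the request reappears whenever the firewall is opened and a visitor or bot reaches the page again.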

  4. #4
    Kojak (Linux User) | Join Date: Apr 2006 | Posts: 421
    I will do some research; maybe I can come up with some useful answers as to why that hotmail IP constantly kicks in. For checking the boot, take a look at the /var/log/messages file. It will list everything in detail, second by second.

    PS: Check the dhclient script of your server. Maybe the problem is caused from there.
    Windows free since 2002 | computing since 1984

  5. #5
    Just Joined! | Join Date: May 2006 | Posts: 7
    I'm not asking the right questions. If I wanted to ask my DNS server for a domain name and get an IP answer back, what programs would do this? Shouldn't it have the domain name in it? Also, could this program be made to do some kind of keep-alive? That might explain the firewall on/off behavior of the DNS records. Also, if this is a running process or program, wouldn't it show up somewhere?

  6. #6
    Kojak (Linux User) | Join Date: Apr 2006 | Posts: 421
    If it is a running process, sure. You can check your processes with "top".

    The normal procedure for a smaller server should be that the DNS is stored in /etc/resolv.conf, from where the requests are transmitted through the dnsmasq application. You should also check the /etc/hosts file, as an added IP address in the hosts file has direct consequences for the whole network, if I am not mistaken (it will be visible on the whole network and might create those connection requests).
    Windows free since 2002 | computing since 1984

  7. #7
    Just Joined! | Join Date: May 2006 | Posts: 7
    Hey Kojak, thanks for hanging in there with me. I checked the /etc/resolv.conf file; only the DNS server IP and server name are there. The hosts files are good too. The /var/log/messages file didn't show much. I checked the workstation and other servers' records: nothing. I ran ps -ef to get the processes, but nothing looks strange. I compared to a box that doesn't request the hotHell domain...

  8. #8
    Kojak (Linux User) | Join Date: Apr 2006 | Posts: 421
    bump.

    Out of ideas atm. If I were you, I would ask the folks on the IRC channels of the big server distros: #debian, #fedora (there are many RHCEs around there), #slackware and #gentoo. Maybe someone there has an idea. I will continue searching the documentation and the web for a possible answer to your problem.

    Don't give up.
    Windows free since 2002 | computing since 1984

  9. #9
    Just Joined! | Join Date: May 2006 | Posts: 7

    Yea!

    YEA!!!! A PHP script in the CMS was causing part of the problem. Also a bot from msnbot on the server, plus external firewall rules set months ago on the perimeter firewall to kill some bots because of a bandwidth issue. Funny, you adjust one thing and have to do 20 to make it right.

    BTW, this was the most helpful forum. Thank you Kojak for everything.

  10. #10
    Kojak (Linux User) | Join Date: Apr 2006 | Posts: 421
    Glad you found the "troublemaker". I did only what everyone else would have done, too. I know how frustrating things can be when they break. I once had a broken network and could not figure out why it suddenly refused to work, only to find out after roughly a week that a small broken cable was the reason why everything was dead.
    Windows free since 2002 | computing since 1984
