
[cobalt-security] Lame Server messages



>Sorry to bother everyone about this again, but it's getting worse and I
>didn't get a response to the last post.  The situation is this.  For a period
>of time each day, most recently for 75 minutes, my RaQ3 is asked to process
>bogus DNS requests for which it is not authoritative, resulting in Lame
>Server, Unexpected response, NS Query etc. error messages.

I am having, or starting to have, similar issues but believe it is related to
my securing my box from offending IPs. When we initially got our RaQ4i I
would get occasional 'lame server' errors from completely unaffiliated (and
quite odd) servers/domains. These were repeated on occasion and I assumed it
was because of a bad router table somewhere.

Lo and behold, as I began tightening the security and blocking certain
offending IP addresses and address blocks, these errors in LogCheck became
more numerous. Just yesterday I blocked a range of IP addresses from Europe
that were repeatedly attempting to use our server as a mail-relay point as
well as probing for anonymous ftp access. I then tracked down and lodged
complaints with the ISPs responsible for these offending IPs. I received
some immediate responses, but who knows?

Now, after blocking these IP addresses yesterday I have been inundated
with the following types of errors...

Aug 29 11:48:40 www named[1738]: Lame server on '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?): [194.235.102.18].53 'galileo.global-one.es'
Aug 29 11:48:45 www named[1738]: Lame server on '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?): [194.51.3.65].53 'proof.rain.fr'
Aug 28 15:10:20 www named[1738]: Lame server on 'usabee.bzam.com' (in 'bzam.com'?): [65.201.216.121].53 'GUGU.GOTOPEOPLE.com'

After a bunch of these types of messages (what is a bunch? 10-12 entries
such as these), I get the following type of log report. This is just an
example, as I am not sure how much this gives away (perhaps someone could
enlighten me on this too).

Aug 29 13:43:49 www named[XXXX]: Cleaned cache of 124 RRsets
Aug 29 13:43:49 www named[XXXX]: USAGE 999999999 999999999 CPU=17.58u/26.94s CHILDCPU=0u/0s
Aug 29 13:43:49 www named[XXXX]: NSTATS 999999999 999999999 A=xxxxx CNAME=XX SOA=XX PTR=XXXXX MX=XXXX TXT=XX AAAA=XX XX=X MAILB=X ANY=XXXX
Aug 29 13:43:49 www named[1738]: XSTATS 999XXXXX9 99XXXXXX9 RR=XXXX RNXD=XXX RFwdR=XXXX RDupR=X RFail=XX RFErr=X RErr=X RAXFR=X RLame=295 ROpts=X SSysQ=XXXX SAns=XXXXX SFwdQ=XXXX SDupQ=XXX SErr=0 RQ=XXXXX RIQ=XX RFwdQ=XXXX RDupQ=XXX RTCP=XXX SFwdR=XXXX SFail=X SFErr=X SNaAns=XXX SNXD=XXXX RUQ=X RURQ=X RUXFR=X RUUpd=X etc.

These are repeated and repeated within similar log areas.

My question is (and sorry for my naivete, constantly learning and gleaning
information from this list)...

1) Have I created problems for legitimate users of our sites in Europe by
blocking these IPs?
2) Am I creating these lame server issues by blocking the wrong IPs?
3) Is this some type of CNAME exploit?
4) Can someone enlighten this idiot as to where to locate some good
definitions of what these LogCheck reports really mean?
5) And finally (just like T. Dwyer with Indian Hill Media), are there
security implications here I am unaware of?

Thanks as always. Also, thanks to the hardcore list contributors who make
this such a great resource.

Best regards,
Troy Arnold
websetters, inc.

----------------------------------------------------------------------------
CONFIDENTIALITY NOTICE:  The information contained in this electronic mail
is confidential information intended only for the use of the entity or
individual to whom it is addressed.  If the reader of this message is not
the intended recipient, you are hereby notified that any dissemination,
distribution, retransmission, or copying of this message is strictly
prohibited.  If you have received the message in error, please delete it
from your system, and notify me immediately by reply transmission.
Tel: 775 882 4831 | Fax: 775 882 1086 | webmaster@xxxxxxxxxxxxxx
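An added example, not from the message above and not Cobalt's or BIND's code, to make log lines like the ones quoted in the post easier to read. A BIND 8 "Lame server on Q (in Z?): [IP].53 'NAME'" line means the server NAME at IP was listed as authoritative for zone Z by a delegation, but did not answer authoritatively when asked for Q; the RLame counter in the XSTATS line is the running total of such events. The script parses those two line formats, turns in-addr.arpa query names back into the IP addresses that were being reverse-resolved, and counts entries per reporting name server and per zone. The sample log text is constructed from the format shown in the post, the regular expressions and the function names are my own, and the counter values in the XSTATS sample are made up.

```python
import re
from collections import Counter

# Constructed sample input in the BIND 8 format quoted in the post (one log
# record per line; the XSTATS counter values here are invented).
SAMPLE_LOG = """\
Aug 29 11:48:40 www named[1738]: Lame server on '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?): [194.235.102.18].53 'galileo.global-one.es'
Aug 29 11:48:45 www named[1738]: Lame server on '61.84.51.194.in-addr.arpa' (in '84.51.194.in-addr.arpa'?): [194.51.3.65].53 'proof.rain.fr'
Aug 28 15:10:20 www named[1738]: Lame server on 'usabee.bzam.com' (in 'bzam.com'?): [65.201.216.121].53 'GUGU.GOTOPEOPLE.com'
Aug 29 13:43:49 www named[1738]: Cleaned cache of 124 RRsets
Aug 29 13:43:49 www named[1738]: XSTATS 999999999 999999999 RR=1234 RNXD=12 RLame=295 ROpts=0 SSysQ=10
"""

# "Lame server on '<qname>' (in '<zone>'?): [<ip>].<port> '<ns>'"
LAME_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"Lame server on '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '(?P<ns>[^']*)'$"
)
# "XSTATS <time> <boot-time> NAME=value NAME=value ..."
XSTATS_RE = re.compile(r"named\[\d+\]: XSTATS \d+ \d+ (?P<counters>.*)$")


def ptr_to_ip(name):
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None  # partial reverse zones (fewer than four labels) are not an address
    return ".".join(reversed(octets))


def parse_lame_lines(text):
    """Return one dict per 'Lame server' record, with the reverse-resolved IP decoded."""
    events = []
    for line in text.splitlines():
        m = LAME_RE.match(line)
        if not m:
            continue  # not a lame-server record (cache cleaning, stats, etc.)
        rec = m.groupdict()
        rec["reverse_ip"] = ptr_to_ip(rec["qname"])
        events.append(rec)
    return events


def parse_xstats(text):
    """Counters from the last XSTATS line as {name: int}; empty dict if there is none."""
    counters = {}
    for line in text.splitlines():
        m = XSTATS_RE.search(line)
        if m:
            counters = {}
            for token in m.group("counters").split():
                key, _, value = token.partition("=")
                if value.isdigit():
                    counters[key] = int(value)
    return counters


def summarize(events):
    """Aggregate lame-server records by reporting server, by zone, and by decoded IP."""
    return {
        "by_ns": Counter((e["ip"], e["ns"]) for e in events),
        "by_zone": Counter(e["zone"] for e in events),
        "reverse_targets": sorted({e["reverse_ip"] for e in events if e["reverse_ip"]}),
    }


if __name__ == "__main__":
    evs = parse_lame_lines(SAMPLE_LOG)
    summary = summarize(evs)
    print("lame-server records:", len(evs))
    for (ip, ns), n in summary["by_ns"].most_common():
        print(f"  {n:3d}  {ip:15s} {ns}")
    print("zones with lame delegations:", dict(summary["by_zone"]))
    print("addresses being reverse-resolved:", summary["reverse_targets"])
    print("RLame counter from XSTATS:", parse_xstats(SAMPLE_LOG).get("RLame"))
```

Run it against a real /var/log/messages instead of SAMPLE_LOG and the "reverse_targets" list shows which addresses the box itself was trying to reverse-resolve when the lame delegations were hit; the "by_ns" table shows which remote name servers are the ones failing to answer authoritatively.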