From 14d3ffc6dea8ae979f95b2bc4a86d0f0ed949055 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 24 Jul 2007 18:10:05 +0000 Subject: [PATCH] * Added a filter for named to catch refused/denied queries --- debian/changelog | 3 +- debian/jail.conf | 18 ++ debian/patches/00_named_refused.dpatch | 280 +++++++++++++++++++++++++ debian/patches/00list | 1 + 4 files changed, 301 insertions(+), 1 deletion(-) create mode 100755 debian/patches/00_named_refused.dpatch diff --git a/debian/changelog b/debian/changelog index 0cd947b4..34247674 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -fail2ban (0.8.0-3~pre2) unstable; urgency=low +fail2ban (0.8.0-3~pre3) unstable; urgency=low * Moved expansion into regex.py (closes: #429263). Thanks James Andrewartha. @@ -7,6 +7,7 @@ fail2ban (0.8.0-3~pre2) unstable; urgency=low * Added a filter pam_generic to catch any login errors. * Added iptables-allports. * Use /var/run to keep socket file (closes: #425746) + * Added a filter for named to catch refused/denied queries -- Yaroslav Halchenko Tue, 19 Jun 2007 23:04:02 -0400 diff --git a/debian/jail.conf b/debian/jail.conf index a040870b..90dfb624 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -214,3 +214,21 @@ enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl logpath = /var/log/mail.log + + +# DNS Servers + +# Mention: by default logging is off with bind installation. +# Need smth like +# logging { +# channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 30m; severity dynamic; print-time yes; }; +# category lame-servers { lame-servers_file; }; +# } +# in your named.conf to provide proper logging + +[named-refused] + +enabled = false +port = domain,953 +filter = named-refused +logpath = /var/log/named/lame-servers.log diff --git a/debian/patches/00_named_refused.dpatch b/debian/patches/00_named_refused.dpatch new file mode 100755 index 00000000..008bb363 --- /dev/null 
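Review bot: The commented logging recipe above `[named-refused]` routes only BIND's `lame-servers` category into `/var/log/named/lame-servers.log`, while the `query (cache) ... denied` messages the filter also targets are, as far as I know, written under the `security` category, so that pattern would never see its lines at this `logpath`. The comment should also show a `category security { ... };` channel, or the jail should point at the file that receives it. The jail also sets no `protocol`, so the ban applies to whatever the default section (not visible in this hunk) supplies, while DNS queries mostly arrive over UDP. Because log entries produced by UDP queries can carry forged source addresses, I would add a comment next to `enabled = false` such as `# WARNING: UDP source addresses can be forged; enabling this jail may ban addresses chosen by a third party, so list trusted resolvers in ignoreip`.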
+++ b/debian/patches/00_named_refused.dpatch 
@@ -0,0 +1,280 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 00_named_refused.dpatch by Yaroslav Halchenko +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf +--- trunk~/config/filter.d/named-refused.conf 1969-12-31 19:00:00.000000000 -0500 ++++ trunk/config/filter.d/named-refused.conf 2007-07-24 13:56:43.000000000 -0400 +@@ -0,0 +1,33 @@ ++# Fail2Ban configuration file for named (bind9). Trying to generalize the ++# structure which is general to capture general patterns in log ++# lines to cover different configurations/distributions ++# ++# Author: Yaroslav Halchenko ++# ++# $Revision: $ ++# ++ ++[Definition] ++ ++# if you want to catch only login erros from specific daemons, use smth like ++#_named_rcodes=(?:REFUSED|SERVFAIL) ++# To catch all REFUSED queries only ++_named_rcodes=REFUSED ++_daemon=named ++ ++# ++# Shortcuts for easier comprehension of the failregex ++__pid_re=(?:\[\d+\]) ++__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? ++__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) ++# hostname daemon_id spaces ++__line_prefix=\s\S+ %(__daemon_combs_re)s\s+ ++ ++# Option: failregex ++# Notes.: regex to match the password failures messages in the logfile. 
++# Values: TEXT ++# ++failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': #\S+$ ++ %(__line_prefix)sclient #\S+: query\s*\(cache\) '.*' denied$ ++ ++ +diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples +--- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500 ++++ trunk/config/filter.d/named-refused.examples 2007-07-24 13:57:18.000000000 -0400 +@@ -0,0 +1,232 @@ ++Jul 24 12:28:45 raid5 named[3935]: client 148.160.29.6#33081: query(cache) 'wolfsmensch.de/NS/IN' denied ++Jul 24 12:31:56 raid5 named[3935]: client 148.160.29.6#33081: query(cache) 'innomate.de/NS/IN' denied ++Jul 15 18:42:00 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.5#53 ++Jul 15 18:42:01 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.4#53 ++Jul 15 18:42:02 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.199.54.11#53 ++Jul 15 18:42:03 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.199.0.132#53 ++Jul 16 05:20:50 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'er-solution.de/NS/IN': 216.199.54.11#53 ++Jul 16 05:20:51 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'er-solution.de/NS/IN': 216.14.208.5#53 ++Jul 16 05:20:51 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'er-solution.de/NS/IN': 216.199.0.132#53 ++Jul 16 05:20:52 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'er-solution.de/NS/IN': 216.14.208.4#53 ++Jul 16 07:28:27 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'weisberg.de/NS/IN': 216.14.208.5#53 ++Jul 16 07:28:28 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'weisberg.de/NS/IN': 216.199.54.11#53 ++Jul 16 07:28:28 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'weisberg.de/NS/IN': 216.14.208.4#53 ++Jul 16 07:28:29 raid5 named[3866]: unexpected RCODE (SERVFAIL) 
resolving 'weisberg.de/NS/IN': 216.199.0.132#53 ++Jul 16 09:03:03 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 216.14.208.4#53 ++Jul 16 09:03:04 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 216.14.208.5#53 ++Jul 16 09:03:05 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 216.199.54.11#53 ++Jul 16 09:03:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 216.199.0.132#53 ++Jul 16 09:03:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 217.69.160.18#53 ++Jul 16 09:03:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'schwaebischhall-tourismus.de/A/IN': 217.69.161.92#53 ++Jul 16 11:17:05 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'joyfleming.de/A/IN': 216.14.208.4#53 ++Jul 16 11:17:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'joyfleming.de/A/IN': 216.199.0.132#53 ++Jul 16 11:17:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'joyfleming.de/A/IN': 216.199.54.11#53 ++Jul 16 19:04:04 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'linkbanner.de/A/IN': 216.14.208.5#53 ++Jul 16 19:04:05 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'linkbanner.de/A/IN': 216.14.208.4#53 ++Jul 16 19:04:05 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'linkbanner.de/A/IN': 216.199.54.11#53 ++Jul 16 19:04:06 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'linkbanner.de/A/IN': 216.199.0.132#53 ++Jul 17 00:21:34 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'it-prosystems.de/NS/IN': 216.14.208.4#53 ++Jul 17 00:21:35 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'it-prosystems.de/NS/IN': 216.14.208.5#53 ++Jul 17 00:21:35 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'it-prosystems.de/NS/IN': 216.199.54.11#53 ++Jul 17 00:21:36 raid5 
named[3866]: unexpected RCODE (SERVFAIL) resolving 'it-prosystems.de/NS/IN': 216.199.0.132#53 ++Jul 17 01:46:04 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 216.199.54.11#53 ++Jul 17 01:46:06 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 216.14.208.4#53 ++Jul 17 01:46:07 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 216.14.208.5#53 ++Jul 17 01:46:08 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 216.199.0.132#53 ++Jul 17 01:46:09 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 193.158.124.144#53 ++Jul 17 01:46:09 raid5 named[3866]: lame server resolving 'vallone.de' (in 'vallone.de'?): 62.156.146.242#53 ++Jul 17 01:46:09 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'vallone.de/A/IN': 193.158.124.143#53 ++Jul 17 01:49:41 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'a-s-l.de/A/IN': 192.76.144.17#53 ++Jul 17 01:49:41 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'a-s-l.de/A/IN': 194.128.171.100#53 ++Jul 17 01:49:57 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'ns1.a-s-l.de/AAAA/IN': 194.128.171.100#53 ++Jul 17 01:49:57 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'ns1.a-s-l.de/AAAA/IN': 192.76.144.17#53 ++Jul 17 02:30:49 raid5 syslog-ng[2594]: STATS: dropped 0 ++Jul 17 03:30:50 raid5 syslog-ng[2594]: STATS: dropped 0 ++Jul 17 04:30:50 raid5 syslog-ng[2594]: STATS: dropped 0 ++Jul 17 05:15:51 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'metal-fuer-alle.de/NS/IN': 216.199.0.132#53 ++Jul 17 05:15:52 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'metal-fuer-alle.de/NS/IN': 216.14.208.4#53 ++Jul 17 05:15:53 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'metal-fuer-alle.de/NS/IN': 216.199.54.11#53 ++Jul 17 05:15:54 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'metal-fuer-alle.de/NS/IN': 216.14.208.5#53 ++Jul 17 05:15:54 raid5 
named[3866]: unexpected RCODE (REFUSED) resolving 'metal-fuer-alle.de/NS/IN': 212.78.206.21#53 ++Jul 17 05:15:55 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'metal-fuer-alle.de/NS/IN': 212.78.192.249#53 ++Jul 17 05:15:55 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'metal-fuer-alle.de/NS/IN': 212.78.206.22#53 ++Jul 17 11:18:37 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 216.199.0.132#53 ++Jul 17 11:18:38 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 216.199.54.11#53 ++Jul 17 11:18:38 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 216.14.208.4#53 ++Jul 17 11:18:39 raid5 named[3866]: unexpected RCODE (SERVFAIL) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 216.14.208.5#53 ++Jul 17 11:18:39 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 192.76.144.15#53 ++Jul 17 11:18:39 raid5 named[3866]: unexpected RCODE (REFUSED) resolving 'stadtkrankenhaus-ruesselsheim.de/A/IN': 194.128.171.101#53 ++Jul 17 11:44:32 raid5 named[3866]: shutting down: flushing changes ++Jul 17 11:44:32 raid5 named[3866]: stopping command channel on 127.0.0.1#953 ++Jul 17 11:44:32 raid5 named[3866]: stopping command channel on ::1#953 ++Jul 17 11:44:32 raid5 named[3866]: no longer listening on ::#53 ++Jul 17 11:44:32 raid5 named[3866]: no longer listening on 127.0.0.1#53 ++Jul 17 11:44:32 raid5 named[3866]: no longer listening on 70.46.31.227#53 ++Jul 17 11:44:32 raid5 named[3866]: exiting ++Jul 17 11:46:22 raid5 named[3800]: starting BIND 9.3.2 -t /var/lib/named -u named ++Jul 17 11:46:22 raid5 named[3800]: found 1 CPU, using 1 worker thread ++Jul 17 11:46:22 raid5 named[3800]: loading configuration from '/etc/named.conf' ++Jul 17 11:46:22 raid5 named[3800]: listening on IPv6 interfaces, port 53 ++Jul 17 11:46:22 raid5 named[3800]: listening on IPv4 interface lo, 
127.0.0.1#53 ++Jul 17 11:46:22 raid5 named[3800]: listening on IPv4 interface eth0, 70.46.31.227#53 ++Jul 17 11:46:23 raid5 named[3800]: command channel listening on 127.0.0.1#953 ++Jul 17 11:46:23 raid5 named[3800]: command channel listening on ::1#953 ++Jul 17 11:46:23 raid5 named[3800]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42 ++Jul 17 11:46:23 raid5 named[3800]: zone ricreig.com/IN: loaded serial 2007071302 ++Jul 17 11:46:23 raid5 named[3800]: zone localhost/IN: loaded serial 42 ++Jul 17 11:46:23 raid5 named[3800]: running ++Jul 17 12:23:08 raid5 named[3842]: unexpected RCODE (SERVFAIL) resolving 'lea-nrw.de/A/IN': 216.199.0.132#53 ++Jul 17 12:23:08 raid5 named[3842]: unexpected RCODE (SERVFAIL) resolving 'lea-nrw.de/A/IN': 216.14.208.5#53 ++Jul 17 12:23:09 raid5 named[3842]: unexpected RCODE (SERVFAIL) resolving 'lea-nrw.de/A/IN': 216.14.208.4#53 ++Jul 17 12:23:09 raid5 named[3842]: unexpected RCODE (SERVFAIL) resolving 'lea-nrw.de/A/IN': 216.199.54.11#53 ++Jul 17 12:23:10 raid5 named[3842]: lame server resolving 'lea-nrw.de' (in 'lea-nrw.de'?): 213.203.238.202#53 ++Jul 17 12:23:10 raid5 named[3842]: lame server resolving 'lea-nrw.de' (in 'lea-nrw.de'?): 83.220.144.3#53 ++Jul 17 16:06:51 raid5 named[3770]: unexpected RCODE (SERVFAIL) resolving 'linuxbox.de/A/IN': 217.160.113.11#53 ++Jul 17 16:06:52 raid5 named[3770]: unexpected RCODE (SERVFAIL) resolving 'linuxbox.de/A/IN': 62.116.129.129#53 ++Jul 17 16:06:52 raid5 named[3770]: unexpected RCODE (SERVFAIL) resolving 'linuxbox.de/A/IN': 69.64.50.226#53 ++Jul 17 16:06:52 raid5 named[3770]: unexpected RCODE (SERVFAIL) resolving 'linuxbox.de/A/IN': 62.116.163.100#53 ++Jul 17 16:36:48 raid5 named[3770]: shutting down: flushing changes ++Jul 17 16:36:48 raid5 named[3770]: stopping command channel on 127.0.0.1#953 ++Jul 17 16:36:48 raid5 named[3770]: stopping command channel on ::1#953 ++Jul 17 16:36:48 raid5 named[3770]: no longer listening on ::#53 ++Jul 17 16:36:48 raid5 named[3770]: no longer listening on 
127.0.0.1#53 ++Jul 17 16:36:48 raid5 named[3770]: no longer listening on 70.46.31.227#53 ++Jul 17 16:36:48 raid5 named[3770]: exiting ++Jul 17 23:02:06 raid5 named[3861]: unexpected RCODE (SERVFAIL) resolving 'diesel-motor-tuning.de/A/IN': 216.199.54.11#53 ++Jul 17 23:02:06 raid5 named[3861]: unexpected RCODE (SERVFAIL) resolving 'diesel-motor-tuning.de/A/IN': 216.199.0.132#53 ++Jul 17 23:02:07 raid5 named[3861]: unexpected RCODE (SERVFAIL) resolving 'diesel-motor-tuning.de/A/IN': 216.14.208.4#53 ++Jul 17 23:02:07 raid5 named[3861]: unexpected RCODE (SERVFAIL) resolving 'diesel-motor-tuning.de/A/IN': 216.14.208.5#53 ++Jul 17 23:02:08 raid5 named[3861]: lame server resolving 'diesel-motor-tuning.de' (in 'diesel-motor-tuning.de'?): 85.214.0.246#53 ++Jul 17 23:02:08 raid5 named[3861]: lame server resolving 'diesel-motor-tuning.de' (in 'diesel-motor-tuning.de'?): 81.169.146.16#53 ++Jul 18 05:43:33 raid5 named[3861]: stopping command channel on 127.0.0.1#953 ++Jul 18 05:43:33 raid5 named[3861]: stopping command channel on ::1#953 ++Jul 18 05:43:33 raid5 named[3861]: no longer listening on ::#53 ++Jul 18 05:43:33 raid5 named[3861]: no longer listening on 127.0.0.1#53 ++Jul 18 05:43:33 raid5 named[3861]: no longer listening on 70.46.31.227#53 ++Jul 18 05:43:33 raid5 named[3861]: exiting ++Jul 18 05:45:19 raid5 named[3891]: starting BIND 9.3.2 -t /var/lib/named -u named ++Jul 18 05:45:19 raid5 named[3891]: found 1 CPU, using 1 worker thread ++Jul 18 05:45:19 raid5 named[3891]: loading configuration from '/etc/named.conf' ++Jul 18 05:45:19 raid5 named[3891]: listening on IPv6 interfaces, port 53 ++Jul 18 05:45:19 raid5 named[3891]: listening on IPv4 interface lo, 127.0.0.1#53 ++Jul 18 05:45:19 raid5 named[3891]: listening on IPv4 interface eth0, 70.46.31.227#53 ++Jul 18 14:04:01 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'b-kr.de/A/IN': 216.199.54.11#53 ++Jul 18 14:04:02 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'b-kr.de/A/IN': 216.14.208.4#53 
++Jul 18 14:04:02 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'b-kr.de/A/IN': 216.199.0.132#53 ++Jul 18 14:04:03 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'b-kr.de/A/IN': 216.14.208.5#53 ++Jul 18 14:04:03 raid5 named[3891]: lame server resolving 'b-kr.de' (in 'b-kr.de'?): 85.214.0.232#53 ++Jul 18 14:04:03 raid5 named[3891]: lame server resolving 'b-kr.de' (in 'b-kr.de'?): 81.169.146.20#53 ++Jul 18 20:11:55 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'kwok.de/A/IN': 216.199.54.11#53 ++Jul 18 20:11:55 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'kwok.de/A/IN': 216.14.208.5#53 ++Jul 18 20:11:56 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'kwok.de/A/IN': 216.199.0.132#53 ++Jul 18 20:11:57 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'kwok.de/A/IN': 216.14.208.4#53 ++Jul 18 20:11:57 raid5 named[3891]: lame server resolving 'kwok.de' (in 'kwok.de'?): 85.214.0.247#53 ++Jul 18 20:11:57 raid5 named[3891]: lame server resolving 'kwok.de' (in 'kwok.de'?): 81.169.146.29#53 ++Jul 18 20:50:35 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'www.nrlmry.navy.mil/A/IN': 216.14.208.4#53 ++Jul 18 20:51:38 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'www.nrlmry.navy.mil/A/IN': 216.14.208.4#53 ++Jul 18 23:26:31 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'golgotha.de/A/IN': 216.14.208.5#53 ++Jul 18 23:26:33 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'golgotha.de/A/IN': 216.14.208.4#53 ++Jul 18 23:26:33 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'golgotha.de/A/IN': 216.199.54.11#53 ++Jul 18 23:26:34 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'golgotha.de/A/IN': 216.199.0.132#53 ++Jul 18 23:26:34 raid5 named[3891]: unexpected RCODE (REFUSED) resolving 'golgotha.de/A/IN': 217.195.32.108#53 ++Jul 18 23:26:35 raid5 named[3891]: unexpected RCODE (REFUSED) resolving 'golgotha.de/A/IN': 81.3.2.142#53 ++Jul 19 00:44:46 raid5 named[3891]: 
unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 216.14.208.4#53 ++Jul 19 00:44:47 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 216.199.0.132#53 ++Jul 19 00:44:48 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 216.14.208.5#53 ++Jul 19 00:44:51 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 216.199.54.11#53 ++Jul 19 00:44:52 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 212.112.227.247#53 ++Jul 19 00:44:52 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'dr-levien.de/NS/IN': 212.124.35.10#53 ++Jul 19 00:59:02 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'requena.de/A/IN': 216.14.208.4#53 ++Jul 19 00:59:03 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'requena.de/A/IN': 216.14.208.5#53 ++Jul 19 00:59:03 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'requena.de/A/IN': 216.199.54.11#53 ++Jul 19 00:59:04 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'requena.de/A/IN': 216.199.0.132#53 ++Jul 19 00:59:05 raid5 named[3891]: lame server resolving 'requena.de' (in 'requena.de'?): 87.106.31.55#53 ++Jul 19 02:32:35 raid5 mountd[3982]: authenticated unmount request from 70.46.31.226:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70.46.31.226:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: 
authenticated unmount request from 70-46-31-226.orl.fdn.com:734 for /usr/share (/usr/share) ++Jul 19 02:32:58 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 02:32:59 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 02:32:59 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 02:32:59 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 02:32:59 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 02:32:59 raid5 mountd[3982]: authenticated unmount request from 70-46-31-226.orl.fdn.com:735 for /multimedia (/multimedia) ++Jul 19 03:40:14 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'scully.de/NS/IN': 216.199.54.11#53 ++Jul 19 03:40:15 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'scully.de/NS/IN': 216.14.208.5#53 ++Jul 19 03:40:16 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'scully.de/NS/IN': 216.199.0.132#53 ++Jul 19 03:40:16 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'scully.de/NS/IN': 216.14.208.4#53 ++Jul 19 03:40:16 raid5 named[3891]: lame server resolving 'scully.de' (in 'scully.de'?): 212.172.221.3#53 ++Jul 19 03:40:17 raid5 named[3891]: lame server resolving 'scully.de' (in 'scully.de'?): 62.26.219.10#53 ++Jul 19 05:37:37 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ladyluna.de/A/IN': 216.14.208.5#53 ++Jul 19 05:37:37 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ladyluna.de/A/IN': 216.199.54.11#53 ++Jul 19 05:37:37 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ladyluna.de/A/IN': 216.199.0.132#53 ++Jul 19 05:37:39 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ladyluna.de/A/IN': 216.14.208.4#53 ++Jul 19 
05:37:39 raid5 named[3891]: lame server resolving 'ladyluna.de' (in 'ladyluna.de'?): 85.214.34.122#53 ++Jul 19 05:37:39 raid5 named[3891]: lame server resolving 'ladyluna.de' (in 'ladyluna.de'?): 213.73.103.1#53 ++Jul 19 07:10:07 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'theater-getuerkt.de/A/IN': 216.199.54.11#53 ++Jul 19 07:10:09 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'theater-getuerkt.de/A/IN': 216.199.0.132#53 ++Jul 19 07:10:10 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'theater-getuerkt.de/A/IN': 216.14.208.4#53 ++Jul 19 07:10:12 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'theater-getuerkt.de/A/IN': 216.14.208.5#53 ++Jul 19 08:27:29 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns1.softgroup.net/AAAA/IN': 216.199.0.132#53 ++Jul 19 08:27:29 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns2.softgroup.net/AAAA/IN': 216.199.0.132#53 ++Jul 19 08:27:29 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns1.softgroup.net/AAAA/IN': 216.14.208.5#53 ++Jul 19 08:27:29 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns2.softgroup.net/AAAA/IN': 216.14.208.5#53 ++Jul 19 08:27:30 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns1.softgroup.net/AAAA/IN': 216.199.54.11#53 ++Jul 19 08:27:30 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns2.softgroup.net/AAAA/IN': 216.199.54.11#53 ++Jul 19 08:27:30 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns1.softgroup.net/AAAA/IN': 216.14.208.4#53 ++Jul 19 08:27:30 raid5 named[3891]: unexpected RCODE (SERVFAIL) resolving 'ns2.softgroup.net/AAAA/IN': 216.14.208.4#53 ++Jul 19 08:27:30 raid5 named[3891]: FORMERR resolving 'ns1.softgroup.net/AAAA/IN': 64.14.244.254#53 ++Jul 19 08:27:30 raid5 named[3891]: FORMERR resolving 'ns2.softgroup.net/AAAA/IN': 64.14.244.254#53 ++Jul 19 08:27:30 raid5 named[3891]: FORMERR resolving 'ns1.softgroup.net/AAAA/IN': 64.34.46.254#53 ++Jul 19 08:27:30 raid5 named[3891]: 
FORMERR resolving 'ns2.softgroup.net/AAAA/IN': 64.34.46.254#53 ++Jul 21 05:30:45 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.5#53 ++Jul 21 05:30:46 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.0.132#53 ++Jul 21 05:30:47 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.54.11#53 ++Jul 21 05:30:48 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.4#53 ++Jul 21 05:30:48 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.22#53 ++Jul 21 05:30:48 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.192.249#53 ++Jul 21 05:30:48 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.21#53 ++Jul 21 05:30:49 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.5#53 ++Jul 21 05:30:50 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.54.11#53 ++Jul 21 05:30:51 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.0.132#53 ++Jul 21 05:30:52 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.4#53 ++Jul 21 05:30:52 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.22#53 ++Jul 21 05:30:52 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.21#53 ++Jul 21 05:30:52 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.192.249#53 ++Jul 21 05:30:53 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.5#53 ++Jul 21 05:30:53 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.4#53 ++Jul 21 05:30:54 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.54.11#53 ++Jul 21 05:30:55 raid5 named[11450]: 
unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.0.132#53 ++Jul 21 05:30:55 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.22#53 ++Jul 21 05:30:55 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.21#53 ++Jul 21 05:30:56 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.192.249#53 ++Jul 21 05:30:56 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.4#53 ++Jul 21 05:30:57 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.14.208.5#53 ++Jul 21 05:30:58 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.54.11#53 ++Jul 21 05:30:59 raid5 named[11450]: unexpected RCODE (SERVFAIL) resolving 'losmac.de/NS/IN': 216.199.0.132#53 ++Jul 21 05:30:59 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.22#53 ++Jul 21 05:30:59 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.206.21#53 ++Jul 21 05:30:59 raid5 named[11450]: unexpected RCODE (REFUSED) resolving 'losmac.de/NS/IN': 212.78.192.249#53 ++ ++ ++ ++ ++ ++However, anything in MY network 70.46.31.22? 
should be ignored (of course it wont be refused or have RCODE etc either) ++ ++Jul 20 20:01:05 raid5 named[10909]: client 70.46.31.227#1137: query: pop.gmail.com IN AAAA + ++Jul 20 20:01:05 raid5 named[10909]: client 70.46.31.227#1137: query: pop.gmail.com IN A + ++Jul 20 20:01:16 raid5 named[10909]: client 70.46.31.227#1137: query: www.ricreig.com IN AAAA + ++Jul 20 20:01:16 raid5 named[10909]: client 70.46.31.227#1137: query: www.ricreig.com.ricreig.com IN AAAA + ++Jul 20 20:01:16 raid5 named[10909]: client 70.46.31.227#1137: query: www.ricreig.com IN A + ++Jul 20 20:03:25 raid5 named[10909]: client 148.160.29.6#33079: query: kwg-store.de IN NS + ++Jul 20 20:03:28 raid5 named[10909]: client 148.160.29.10#34769: query: adv-ag.de IN A + ++Jul 20 20:03:31 raid5 named[10909]: client 70.46.31.227#1137: query: mail.ricreig.com IN AAAA + ++Jul 20 20:03:31 raid5 named[10909]: client 70.46.31.227#1137: query: mail.ricreig.com.ricreig.com IN AAAA + ++Jul 20 20:03:31 raid5 named[10909]: client 70.46.31.227#1137: query: mail.ricreig.com IN AAAA + ++Jul 20 20:03:31 raid5 named[10909]: client 70.46.31.227#1137: query: mail.ricreig.com.ricreig.com IN AAAA + ++Jul 20 20:03:32 raid5 named[10909]: client 70.46.31.227#1137: query: pop3.fdn.com IN A + ++Jul 20 20:03:32 raid5 named[10909]: client 70.46.31.227#1138: query: pop3.fdn.com IN AAAA + diff --git a/debian/patches/00list b/debian/patches/00list index 34d2afd8..0ca33aca 100644 --- a/debian/patches/00list +++ b/debian/patches/00list @@ -5,3 +5,4 @@ 10_dbts_manpages 00_iptables_allports 00_pam_generic +00_named_refused
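Review bot: The first `failregex` line, `unexpected RCODE \(%(_named_rcodes)s\) resolving '.*': #\S+$`, matches messages whose address is the remote nameserver that answered this resolver's own outgoing query (the sample lines all end in `#53`), not a client that sent anything to this host. Banning on it blocks upstream authoritative servers and leaves the choice of banned address to whoever causes the lookup, so I would drop that pattern and keep only the `client ... denied` one, or at least document the risk in the filter header. As rendered here neither pattern shows a `<HOST>` group, which fail2ban needs in order to extract the address to ban; that may be a rendering loss, so confirm it against the original file. The comments `catch only login erros from specific daemons` and `regex to match the password failures messages` look carried over from another filter, and `## DP: No description.` is unfilled; all three should describe the DNS refused/denied case.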