usr/sbin/named trying to connect to hundreds of servers

Help, Mac mini with OS X server 2.2.1, ML 10.8.4


I noticed my Internet connection was extremely slow so I started investigating. LAN is good, Internet speeds are horrible. Little Snitch shows "usr/sbin/named" is trying to connect to hundreds of servers. WHAT THE HECK IS IT AND HOW DO I STOP IT?


Internet is useless if I allow these connections....

Mac mini Server (Mid 2011), OS X Server

Posted on Jul 20, 2013 6:24 AM

Question marked as Best reply

Posted on Jul 20, 2013 8:17 AM

Well, I moved all the usr/sbin/named folders to the trash and all is well. I don't see any impact on server or client operations.

5 replies

Jul 21, 2013 1:45 PM in response to mgabriel1

You do need functional DNS on an OS X Server system, FWIW. To confirm local DNS is working, use the following harmless, diagnostic command:


sudo changeip -checkhostname


That'll tell you if DNS is correct and running and no changes are needed, or if there are configuration changes needed.


As a guess around what happened... If your server was running DNS, and if it was exposed to the Internet, then it was probably incorporated into a DNS DDoS. Blocking remote access to TCP and UDP 53 can avoid this.

Jul 22, 2013 5:51 PM in response to mgabriel1

My reply assumes that your servers are exposed to the Internet, and being used in a DDoS. A NAT firewall and any better-grade gateway, for instance, will block these attacks by default. (It is possible to explicitly allow TCP or UDP 53 traffic through most of these devices, however. It's also possible for infested systems located behind the firewall to be used for DDoS, though that's less common.)


Please use Shields Up or another port scanner, and find out what ports you have open and visible to the 'net.


I do not know of a way to selectively disable DNS access to the ports on recent OS X Server versions using the standard tools, short of an external firewall; to allow local access, but block remote access. (There are ways to do this, but not GUI-based. Again, this assumes the DNS server is exposed to the 'net.)


Figuring out what happened usually involves viewing the DNS log files, to determine whether the DNS server is malfunctioning (or is possibly being attacked), and potentially also monitoring the network traffic.
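
One way to do the log review described in the reply above, as an added example that is not part of the original thread: it counts recursive queries arriving from outside the local network in a named query log. It assumes query logging is enabled and uses the BIND 9 line layout matched below; LOCAL_NETS, the threshold and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 query-log layout; newer releases add "(name)" after the port.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)")

# Assumption: the networks that are supposed to use this resolver.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
20-Jul-2013 06:10:01.101 client 192.168.1.20#50001: query: www.example.com IN A + (192.168.1.2)
20-Jul-2013 06:10:01.210 client 203.0.113.7#4444: query: example.org IN ANY +E (192.0.2.10)
20-Jul-2013 06:10:01.215 client 203.0.113.7#4444: query: example.org IN ANY +E (192.0.2.10)
20-Jul-2013 06:10:01.220 client 203.0.113.7#4444: query: example.org IN ANY +E (192.0.2.10)
20-Jul-2013 06:10:01.300 client 198.51.100.9#5353: query: example.org IN ANY +E (192.0.2.10)
20-Jul-2013 06:10:02.000 client 198.51.100.30#3333: query: example.net IN A - (192.0.2.10)
"""

def is_local(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)

def summarize(lines, threshold=3):
    """Count recursive queries from non-local clients; flag heavy sources."""
    per_source, qtypes, parsed = Counter(), Counter(), 0
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        parsed += 1
        if is_local(m["ip"]) or not m["flags"].startswith("+"):
            continue  # expected client, or recursion not requested
        per_source[m["ip"]] += 1
        qtypes[m["qtype"]] += 1
    flagged = {ip: n for ip, n in per_source.items() if n >= threshold}
    return {"parsed": parsed, "external_recursive": sum(per_source.values()),
            "qtypes": dict(qtypes), "flagged_sources": flagged}

if __name__ == "__main__":
    # In a reflection attack the logged "client" is usually the spoofed victim.
    print(summarize(SAMPLE_LOG.splitlines()))
```

A non-zero external_recursive count means hosts outside LOCAL_NETS are reaching the resolver on port 53, which is the exposure the replies suggest closing at the firewall.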

Jul 23, 2013 2:27 AM in response to mgabriel1

Named is the standard DNS server software (also known as BIND). It is included with all copies of OS X but normally is only used on Servers.


At a guess it is doing lots of DNS lookups and it sounds far more than would be normal even when acting on behalf of a large network of computers all making DNS requests. It therefore does sound like something on your network - not necessarily that machine itself - is misbehaving and/or the result of malware.


Normally if DNS is turned off in Server.app then named (aka. BIND) will not be running, but it is possible malware has gone behind the scenes and turned it on.


It would be worth looking at all the launchd startup items on that computer and all the currently running processes and seeing if there are any obviously unwanted things running compared to what you presumably activated. You could also consider installing anti-virus software and doing a full scan of the computer.
