Thanks Jim. I'd never ever seen anything happen to named, on BSD or Linux before. As for logs, what level of logging is "stock" is what I would expect doing a dump. May give that a shot and see what, if anything, is in there. Not really been plagued by hackers too much, but I notice I've been probed several days in a row now from something/body in the same /16 IP block. Don't think it's local to the colocation site tho.
For what it's worth, I've included my named logging information below. Normally I don't set to debug, but when I need to troubleshoot it helps. I've included that here. Might help you to track things down if you care, or give other people some information for something they haven't asked.
In /etc/syslog.conf

# line altered to eliminate named cruft in default logging
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
# line added for syslog logging of named
local6.*    /var/log/named.log

In /etc/named.conf

logging {
    channel "default_syslog" {
        syslog local6;
        severity debug;
    };

    category default { default_syslog; };
    category general { default_syslog; };
    category config { default_syslog; };
    category security { default_syslog; };
    category resolver { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category notify { default_syslog; };
    category client { default_syslog; };
    category network { default_syslog; };
    category update { default_syslog; };
    category queries { default_syslog; };
    category lame-servers { default_syslog; };
};

In /etc/logrotate.d/named

/var/log/named.log {
    missingok
    create 0644 named named
    postrotate
        /sbin/service named reload 2> /dev/null > /dev/null || true
    endscript
}

Hope it's marginally useful to someone out there.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
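
An added example, not part of the original message: with named logging to /var/log/named.log through local6 as configured above, this Python sketch groups denied client requests by /16 and reports blocks that show up on several distinct days. It assumes traditional syslog timestamps and the "client <ip>#<port>" prefix named writes; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# "client <ip>#<port>" prefix on named's client messages; the optional
# "@0x..." token appears in newer BIND releases.
CLIENT_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+")
DAY_RE = re.compile(r"^(\w{3}\s+\d{1,2}) ")  # e.g. "Mar  3 "

def probes_by_block(lines, prefix=16, only_denied=True):
    """Map each /prefix network to {syslog day: set of client IPs}."""
    blocks = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if only_denied and " denied" not in line:
            continue  # ordinary answered queries are not of interest here
        day, client = DAY_RE.match(line), CLIENT_RE.search(line)
        if not (day and client):
            continue
        try:
            net = ipaddress.ip_network(f"{client.group(1)}/{prefix}", strict=False)
        except ValueError:
            continue  # malformed address in the log line
        blocks[str(net)][" ".join(day.group(1).split())].add(client.group(1))
    return blocks

def repeat_offenders(lines, min_days=3, prefix=16):
    """Networks whose denied requests appear on at least min_days distinct days."""
    found = {}
    for net, days in probes_by_block(lines, prefix).items():
        if len(days) >= min_days:
            clients = sorted(set().union(*days.values()))
            found[net] = {"days": sorted(days), "clients": clients}
    return found

# Constructed sample lines in the shape of /var/log/named.log entries.
SAMPLE = """\
Mar  3 02:11:09 ns1 named[812]: client 10.20.1.7#40112: query (cache) 'example.com/A/IN' denied
Mar  4 02:13:40 ns1 named[812]: client 10.20.200.91#51877: query (cache) 'example.org/ANY/IN' denied
Mar  5 01:58:02 ns1 named[812]: client 10.20.1.7#40990: zone transfer 'example.net/AXFR/IN' denied
Mar  5 09:30:15 ns1 named[812]: client 203.0.113.20#33211: query: www.example.net IN A +
Mar  5 10:02:44 ns1 named[812]: client 192.0.2.55#60001: query (cache) 'example.com/A/IN' denied
""".splitlines()

if __name__ == "__main__":
    for net, info in repeat_offenders(SAMPLE).items():
        print(net, info["days"], info["clients"])
```

To run it against the real log, pass `open("/var/log/named.log")` in place of `SAMPLE`; rotated files need to be read as well if the window spans a rotation.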