50

I've got a MySQL Master/Slave setup and I've noticed the following warnings in the mysql log files on both servers:

[Warning] IP address 'xxx.xxx.xxx.xxx' could not be resolved: Name or service not known

I've checked and the DNS lookups work fine, and most of these IPs are from China.

I'm planning to limit access on port 3306 on the firewall; however, could you please help me understand what they are trying to do? Are they just trying to connect to the MySQL server? Where can I look for some more details?

Thanks
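One place to get the detail the question asks about is the log itself. The following Python script is added here as an example and is not part of the original question or answers: it parses constructed sample lines in the same format as the warning above, counts how often each IP triggers it, and separates the two resolver errors that appear on this page (a missing reverse record versus a resolver failure). The log lines, timestamps and addresses in SAMPLE_LOG are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the warning line from the question, with or without a timestamp/thread-id prefix.
WARN_RE = re.compile(
    r"\[Warning\] IP address '(?P<ip>[0-9A-Fa-f.:]+)' could not be resolved: (?P<reason>.+?)\s*$"
)

# What each resolver error string (getaddrinfo wording) means for the operator.
REASON_HINTS = {
    "Name or service not known": "no PTR record exists for this address (the client cannot be named)",
    "Temporary failure in name resolution": "the server's own DNS resolver failed; check /etc/resolv.conf and DNS reachability",
}

# Constructed sample log excerpt; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-05-22 10:17:03 12345 [Warning] IP address '203.0.113.5' could not be resolved: Name or service not known
2017-05-22 10:17:04 12345 [Warning] IP address '203.0.113.5' could not be resolved: Name or service not known
2017-05-22 10:17:09 12345 [Warning] IP address '198.51.100.77' could not be resolved: Name or service not known
2017-05-22 10:18:41 12345 [Warning] IP address '203.0.113.5' could not be resolved: Name or service not known
2017-05-22 10:20:00 12345 [Note] Slave I/O thread: connected to master
2017-05-22 10:21:15 12345 [Warning] IP address '192.0.2.9' could not be resolved: Temporary failure in name resolution
"""


def parse_unresolved(lines):
    """Return (count per IP, count per reason, reasons seen per IP) for the warning lines."""
    by_ip = Counter()
    by_reason = Counter()
    reasons_by_ip = defaultdict(set)
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue  # unrelated log line
        ip, reason = m.group("ip"), m.group("reason")
        by_ip[ip] += 1
        by_reason[reason] += 1
        reasons_by_ip[ip].add(reason)
    return by_ip, by_reason, dict(reasons_by_ip)


def top_sources(lines, n=5):
    """IPs that hit the server most often; repeated hits from one address point to automated connection attempts."""
    by_ip, _, _ = parse_unresolved(lines)
    return by_ip.most_common(n)


def explain(reason):
    return REASON_HINTS.get(reason, "unrecognised resolver error; inspect the server's resolver configuration")


if __name__ == "__main__":
    by_ip, by_reason, reasons_by_ip = parse_unresolved(SAMPLE_LOG.splitlines())
    for ip, count in by_ip.most_common():
        hints = "; ".join(explain(r) for r in sorted(reasons_by_ip[ip]))
        print(f"{ip:<16} {count:>3} warning(s): {hints}")
```

Run it against your real error log (`parse_unresolved(open("/var/log/mysqld.log"))`) to see which addresses are repeatedly connecting; the warning only tells you the reverse lookup failed, so the per-IP count, not the warning text, is what shows the volume of attempts.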

4 Answers

63

When you create a MySQL user [email protected] MySQL has to do a reverse lookup on every IP address connecting to it to determine whether they are part of example.com.

Of course, there's no restriction on creating reverse lookups, so I can quite happily ask my provider to set the reverse lookup for my IP address to be google.com if I want... or example.com if I happen to know that's what the users in your database have. This won't let me in, as MySQL then does a forward lookup on the returned domain to make sure it matches the same IP address that's connecting.

You can switch this off with skip_name_resolve in your my.cnf. There are many good reasons for doing this.

The reason you are getting this error is that the IP address in question has no reverse lookup at all.

You also have malicious attackers from China trying to brute force their way into your database. That should be your top priority.

4
  • 1
    can there be any problem for localhost?
    – Malay M
    May 22, 2017 at 10:17
  • I don't think there's a security hole there because if a reverse lookup for some IP address resolved to localhost, MySQL will still do the forward lookup on localhost to make sure it matches the original IP address. However, as with all things security related, don't just trust me on this. And it's still better to turn off name resolving in your config.
    – Ladadadada
    May 31, 2017 at 16:14
  • @Ladadadada am I right to understand that with skip_name_resolve = on I would need to change all my localhost users to 127.0.0.1? It looks like MariaDB driver is smart enough to allow localhost users to be honored: All host values in the GRANT tables must be IP addresses (or localhost)
    – MeSo2
    Dec 11, 2021 at 18:44
  • I don't know. I haven't found that to work in the past but I haven't ever tried it with MariaDB. The easiest thing might be to just try it and see if it works.
    – Ladadadada
    Dec 14, 2021 at 14:16
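To make the reverse-then-forward check described in this answer concrete, here is a small Python model of it. It is added as an example and is not MySQL's own code; it uses a constructed in-memory resolver in place of real DNS so it runs offline. FakeResolver, HostCheck and the addresses in DEMO_RESOLVER are invented for the example; host-pattern matching follows MySQL's `%` and `_` wildcards, and the localhost handling is a simplification of the documentation line quoted in the comments above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Stand-in for DNS: ptr maps IP -> name (reverse), a maps name -> set of IPs (forward)."""
    ptr: dict[str, str]
    a: dict[str, set[str]]

    def reverse(self, ip: str) -> str:
        if ip not in self.ptr:
            raise LookupError("Name or service not known")  # getaddrinfo wording seen in the log
        return self.ptr[ip]

    def forward(self, name: str) -> set[str]:
        return self.a.get(name, set())


# Constructed data (RFC 5737 documentation addresses):
#   203.0.113.10  legitimate client with matching PTR and A records
#   198.51.100.7  address whose PTR claims example.com but whose name does not point back to it
#   192.0.2.55    address with no PTR record at all (the case in the question)
DEMO_RESOLVER = FakeResolver(
    ptr={"203.0.113.10": "db-client.example.com", "198.51.100.7": "db-client.example.com"},
    a={"db-client.example.com": {"203.0.113.10"}},
)


def _like(pattern: str, value: str) -> bool:
    """MySQL host patterns: '%' matches any run of characters, '_' exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass
class HostCheck:
    resolver: FakeResolver
    skip_name_resolve: bool = False
    warnings: list[str] = field(default_factory=list)

    def resolve_client(self, ip: str) -> str | None:
        """Forward-confirmed reverse lookup; returns the name only when it resolves back to ip."""
        if self.skip_name_resolve:
            return None  # no lookups at all: only IP-literal host values can match
        try:
            name = self.resolver.reverse(ip)
        except LookupError as err:
            self.warnings.append(f"[Warning] IP address '{ip}' could not be resolved: {err}")
            return None
        if ip not in self.resolver.forward(name):
            # A spoofed PTR record gets this far but fails here.
            self.warnings.append(f"[Warning] Hostname '{name}' does not resolve to '{ip}'.")
            return None
        return name

    def host_matches(self, grant_host: str, ip: str) -> bool:
        """Would an account created with this host value accept a connection from ip?"""
        if grant_host == "localhost":
            # Simplification of the quoted docs: localhost accounts stay usable with skip_name_resolve.
            return ip in ("127.0.0.1", "::1")
        if _like(grant_host, ip):  # literal IP or IP wildcard such as 203.0.113.%
            return True
        name = self.resolve_client(ip)
        return name is not None and _like(grant_host, name)


if __name__ == "__main__":
    for skip in (False, True):
        check = HostCheck(DEMO_RESOLVER, skip_name_resolve=skip)
        for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.55"):
            print(f"skip_name_resolve={skip} '%.example.com' from {ip}: {check.host_matches('%.example.com', ip)}")
        for w in check.warnings:
            print("  ", w)
```

The spoofed-PTR case (198.51.100.7) shows why a forged reverse record alone does not get anyone in: the forward lookup of the claimed name never returns the connecting address. With skip_name_resolve set, no lookup happens, the warnings disappear, and only accounts whose host part is an IP literal or pattern can match.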
15

I think it's a very, very bad idea to expose your database servers directly on the internet.

If you are replicating to a remote host and need internet access to achieve that, I suggest you set up a VPN between the two networks and bind your MySQL servers to listen only to the local network.

If both of your hosts are on the same local network, you will be safe to bind your mysql servers to that network.

3

Just got caught by this as well on Amazon RDS. I only wanted to connect to my test database instance (the following is definitely not recommended for production databases):

The security groups in Amazon RDS work a bit differently than the normal firewall rules for EC2 instances. If you open the MySQL port for a specific IP, that IP must be recognized by your MySQL server; if not, the connection is refused. The temporary solution is to create a new security group, e.g. anyone_can_connect_to_mysql, with just a single item (allow inbound MySQL/Aurora connections from anywhere on the internet) and attach this security group to your database.

Inbound
-----------------------------------------
| MYSQL/Aurora | TCP | 3306 | 0.0.0.0/0 |
-----------------------------------------

This removes the IP check from client connections so you're free to connect. Don't forget to detach the anyone_can_connect_to_mysql policy from the database once the resolution problems are over.

0
2

When connecting to MySQL remotely, I got an error. I had this warning in /var/log/mysqld.log:

[Warning] IP address 'X.X.X.X' could not be resolved: Temporary failure in name resolution

I just added this line to /etc/hosts file:

X.X.X.X some_name

Problem solved, without using skip-name-resolve, which caused some errors in my local app when connecting to MySQL.

2
  • Over a year ago, but did you have to restart mysql? This didn't work for me.
    – Ejoso
    Jun 6, 2017 at 19:15
  • You wouldn't, since the hosts file is managed on the client, not the MySQL server.
    – leeman24
    Nov 4, 2019 at 22:01
