On Friday, 2001/11/30 at 08:04 EST, "Boisvert, Mario" 
<[EMAIL PROTECTED]> wrote:
> I would like to know why a DNS server will try to connect to my DNS
> server on port 1031.
> 
> I've got the following denied at my Firewall.
> 
> %PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst
> dmz1:206.47.245.10/1031 by access-group "acl_out"
> %PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst
> dmz1:206.47.245.10/1031 by access-group "acl_out"
> %PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst
> dmz1:206.47.245.10/1031 by access-group "acl_out"

It's more likely that this is a dns response, which is kind of a normal 
thing to be sent to your nameserver.

But there are several things fishy about it:

The fact the firewall is logging and denying it implies that there was no 
matching outbound request from your server to 66.34.137.1 (normally the 
Pix would temporarily enable the response udp packet after your machine 
sends a request).  Either the latter machine is generating unrequested dns 
responses to you (I would consider this an attack by them), or some third 
party is spoofing your server's address on dns requests (also a bad 
thing).

But what about the supposed nameserver 66.34.137.1?  Let's check:

>nslookup 66.34.137.1 
*** can't find 66.34.137.1: Non-existent domain

No reverse resolution for that address - unusual for a nameserver.

>nslookup www.apple.com. 66.34.137.1
Name:    www.apple.com
Address:  66.34.137.1


>nslookup www.sgi.com. 66.34.137.1
Name:    www.sgi.com
Address:  66.34.137.1

So that nameserver appears to resolve all name queries to its own address!
Extremely suspicious.

Checking whois on the nameserver address:

Server used for this query: [ whois.arin.net ]

                        C I Host (NETBLK-CIHOST4)
   1851 Central Drive Suite 110
   Bedford, TX 76021
   US

   Netname: CIHOST4
   Netblock: 66.34.0.0 - 66.34.255.255
   Maintainer: CIHS

   Coordinator:
      Center, Network Operations  (NC61-ARIN)  [EMAIL PROTECTED]
      888-868-9931 (FAX) 888-242-7554

I think it would be worth contacting those folks.

Tony Rall
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
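The reply's reasoning is that a denied inbound UDP packet from source port 53 aimed at your own nameserver is a DNS response the PIX never saw a matching request for. The following is an added example, not part of the original thread, that parses PIX 106023 deny lines of the form quoted above and reports source addresses that repeatedly send such unsolicited responses to a listed nameserver. The three log lines are the ones from the post; the two extra lines (192.0.2.x addresses) and the nameserver list are constructed for the example.

```python
import re
from collections import Counter

# Cisco PIX message 106023 as it appears in the post:
#   %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
# re.search is used so trailing fields added by later PIX/ASA releases do not break the match.
PIX_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Sample input: the three lines from the post (rejoined onto single lines),
# plus two constructed lines using 192.0.2.0/24 documentation addresses.
SAMPLE_LOG = """\
%PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst dmz1:206.47.245.10/1031 by access-group "acl_out"
%PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst dmz1:206.47.245.10/1031 by access-group "acl_out"
%PIX-4-106023: Deny udp src outside:66.34.137.1/53 dst dmz1:206.47.245.10/1031 by access-group "acl_out"
%PIX-4-106023: Deny tcp src outside:192.0.2.7/4455 dst dmz1:206.47.245.10/25 by access-group "acl_out"
%PIX-4-106023: Deny udp src outside:192.0.2.9/53 dst dmz1:206.47.245.20/2048 by access-group "acl_out"
"""

# Constructed assumption: the hosts in the DMZ that actually run a nameserver.
OUR_NAMESERVERS = {"206.47.245.10"}


def parse_pix_denies(text):
    """Return one dict per 106023 line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = PIX_106023.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["src_port"] = int(e["src_port"])
        e["dst_port"] = int(e["dst_port"])
        events.append(e)
    return events


def find_unsolicited_dns_responses(events, nameservers, threshold=3):
    """Count denied UDP packets with source port 53 destined for our nameservers.

    A deny here means the PIX had no outbound query state for the reply, so
    either the remote host is sending responses nobody asked for, or a third
    party is sending queries to it with our nameserver's address spoofed as the
    source. Only (src, dst) pairs seen at least `threshold` times are returned,
    so a single stray late reply does not raise an alert.
    """
    counts = Counter()
    for e in events:
        if e["proto"] == "udp" and e["src_port"] == 53 and e["dst_ip"] in nameservers:
            counts[(e["src_ip"], e["dst_ip"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_unsolicited_dns_responses(parse_pix_denies(SAMPLE_LOG), OUR_NAMESERVERS)
    for (src, dst), n in sorted(hits.items()):
        print(f"{src} -> {dst}: {n} unsolicited DNS responses denied; "
              f"check for spoofed queries or contact the netblock owner")
```

Run against a larger firewall log, the report lines point at the same follow-up the post suggests: confirm with nslookup and whois, then contact the netblock's coordinator. The TCP line and the UDP/53 line aimed at a non-nameserver host are deliberately excluded by the filter, which keeps the output focused on the specific condition the reply describes.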