> > Can anyone help figuring out what's wrong (or may be right)
> The packets are TCP (protocol 6) with a source port of 46069 and a
> destination port of 53.  This is pretty weird.  Port 53 is for DNS, but
> typically DNS queries only use UDP.  TCP packets to/from port 53 *ARE* used
> to do zone transfers, and occasionally to transfer
> Fun is I have a DNS server but I have disallowed zone transfers.
> It's an internal caching DNS (W2K)

TCP is used for normal queries, as well as zone transfers.

> particularly large DNS queries/responses.  The high source port number of
> 46069 would lead me to believe the remote end initiated the connection.
> Why should this happen?? Any threat??

It's part of how DNS works...to determine any threat, you'd have to look at
the actual contents of the packet and see if it's a normal query, an
attempted buffer overflow, an attempted zone transfer, etc...

> If you're not running a DNS server, I'd say the traffic is some sort of scan
> or probe, and should be denied.  If you're actually running a DNS server,
> I DO (see above) but I (mis?)understand that if zone transfers are
> not allowed (nor wanted) why will someone try to do a transfer to my
> system??? Looking for bind??

TCP is used for more than just zone requests...again, if you really want to
know exactly what these packets are, you'll have to dump them and examine
the contents.  It's not as simple as "if I'm not doing zone transfers, all
inbound TCP packets to port 53 are malicious".

> this traffic isn't so unusual...you should look into references on packet
> filtering and securing your DNS server...if you simply drop inbound TCP
> queries, you can cause delays in name resolution for your domains, but fully
> securing DNS is beyond the scope of this e-mail, and your original question.
> Where and how?? Some pointers (links may be?)

There are lots of resources for securing bind available online.  A quick
Google search will turn up lots of howtos.  As for understanding DNS, and
how/why TCP packets are used for resolver queries, see any book or online
info on DNS in general...the DNS RFCs (and the source-code of your
name-server) are, of course, the ultimate source of information, but for a
practical discussion of packet-filtering aspects of DNS, you probably can't
go wrong with O'Reilly's "Building Internet Firewalls".

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
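To make the advice above concrete (dump the port-53 TCP packets and look at what they actually contain), here is an added example that is not part of this thread or of LEAF: a small Python triage routine that parses the TCP payload of a port-53 packet (the standard 2-byte length prefix plus the RFC 1035 header and question section) and reports whether it is an ordinary query, an AXFR/IXFR zone-transfer request, a response, or not well-formed DNS at all. The function names and the sample queries it builds are constructed for this example.

```python
import struct

# QTYPE values worth naming when triaging port-53 traffic (RFC 1035 / RFC 1995).
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA",
               251: "IXFR", 252: "AXFR"}

def _read_qname(msg, off):
    """Decode the question name (plain labels) starting at offset off."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0:  # pointer/extended label in a question section: reject
            raise ValueError("unexpected label type %#x in question" % n)
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def classify_tcp_dns(payload):
    """Return (kind, detail); kind is query, zone-transfer, response or malformed."""
    if len(payload) < 14:
        return "malformed", "shorter than length prefix plus DNS header"
    (length,) = struct.unpack("!H", payload[:2])   # TCP framing: 2-byte length
    msg = payload[2:]
    if length != len(msg):
        return "malformed", "length prefix %d but %d bytes present" % (length, len(msg))
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:                              # QR bit set: a response
        return "response", "id=%#06x" % txid
    if qdcount != 1:
        return "malformed", "qdcount=%d" % qdcount
    try:
        qname, off = _read_qname(msg, 12)           # question follows 12-byte header
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, struct.error) as e:
        return "malformed", str(e)
    kind = "zone-transfer" if qtype in (251, 252) else "query"
    return kind, "%s %s class=%d" % (qname, QTYPE_NAMES.get(qtype, qtype), qclass)

def build_query(name, qtype):
    """Build a constructed, TCP-framed DNS query to use as sample input."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    msg += labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg
```

Feed it the TCP payload bytes from a packet dump (everything after the TCP header); a stream of ordinary A/MX lookups is what a caching resolver would expect, while AXFR/IXFR or length-mismatched payloads are what deserve a closer look.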


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user