DNS Blocked packets (was RE: [Leaf-user] (no subject))

2002-03-14 Thread Sergio Morilla

Thanks.
Very clear and informative!!

More comments inline
  I'm having a lot of denied packets on port 53, like this one:
  Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:46069 200.45.110.178:53 L=44 S=0x00 I=0 F=0x T=237 (#65)
  The results of listing the rule are
  # ipchains -nvL --line-numbers
  65 520 24564 DENY   all  l- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  n/a
 
 This is the catch all rule, which blocks any inbound traffic on the
 external interface that hasn't explicitly been allowed.
Perfect!!!


  Can anyone help figuring out what's wrong (or may be right) 
 The packets are TCP (protocol 6) with a source port of 46069 and a
 destination port of 53.  This is pretty weird.  Port 53 is for DNS, but
 typically DNS queries only use UDP.  TCP packets to/from port 53 *ARE* used
 to do zone transfers, and occasionally to transfer
Fun is I have a DNS server but I have disallowed zone transfers.
It's an internal caching DNS (W2K)

 particularly large DNS queries/responses.  The high source port number of
 46069 would lead me to believe the remote end initiated the connection.
Why should this happen?? Any threat??
 
 If you're not running a DNS server, I'd say the traffic is some sort of scan
 or probe, and should be denied.  If you're actually running a DNS server,
I DO (see above) but I (mis?)understand that if zone transfers are
not allowed (nor wanted) why will someone try to do a transfer to my
system??? Looking for bind??

 this traffic isn't so unusual...you should look into references on packet
 filtering and securing your DNS server...if you simply drop inbound TCP
 queries, you can cause delays in name resolution for your domains, but fully
 securing DNS is beyond the scope of this e-mail, and your original question.
Where and how?? Some pointers (links may be?)

 HTH,
Helped a LOT!!!

Thanks Charles

Sergio

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: DNS Blocked packets (was RE: [Leaf-user] (no subject))

2002-03-14 Thread Charles Steinkuehler

  Can anyone help figuring out what's wrong (or may be right)
 The packets are TCP (protocol 6) with a source port of 46069 and a
 destination port of 53.  This is pretty weird.  Port 53 is for DNS, but
 typically DNS queries only use UDP.  TCP packets to/from port 53 *ARE* used
 to do zone transfers, and occasionally to transfer
Fun is I have a DNS server but I have disallowed zone transfers.
It's an internal caching DNS (W2K)

TCP is used for normal queries, as well as zone transfers.

 particularly large DNS queries/responses.  The high source port number of
 46069 would lead me to believe the remote end initiated the connection.
Why should this happen?? Any threat??

It's part of how DNS works...to determine any threat, you'd have to look at
the actual contents of the packet and see if it's a normal query, an
attempted buffer overflow, an attempted zone transfer, etc...

 If you're not running a DNS server, I'd say the traffic is some sort of scan
 or probe, and should be denied.  If you're actually running a DNS server,
I DO (see above) but I (mis?)understand that if zone transfers are
not allowed (nor wanted) why will someone try to do a transfer to my
system??? Looking for bind??

TCP is used for more than just zone requests...again, if you really want to
know exactly what these packets are, you'll have to dump them and examine
the contents.  It's not as simple as if I'm not doing zone transfers, all
inbound TCP packets to port 53 are malicious.

 this traffic isn't so unusual...you should look into references on packet
 filtering and securing your DNS server...if you simply drop inbound TCP
 queries, you can cause delays in name resolution for your domains, but fully
 securing DNS is beyond the scope of this e-mail, and your original question.
Where and how?? Some pointers (links may be?)

There are lots of resources for securing bind available online.  A quick
google search will turn up lots of howtos.  As for understanding DNS, and
how/why TCP packets are used for resolver queries, see any book or online
info on DNS in general...the DNS RFC's (and the source-code of your
name-server) are, of course, the ultimate source of information, but for a
practical discussion of packet-filtering aspects of DNS, you probably can't
go wrong with O'Reilly's Building Internet Firewalls.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


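A worked example of the two steps Charles describes: picking the denied TCP/53 packets out of the ipchains kernel log, and then looking at the actual contents of such a packet to tell a normal query from a zone-transfer request (or a response, or something malformed). This is added illustration code, not from the thread or from the LEAF/LRP project. The log lines are constructed here with RFC 5737 documentation addresses, modelled on the "Packet log:" format quoted above; the DNS messages are built by the example itself using the RFC 1035 TCP framing (2-byte length prefix); every function name and the regex are this example's own assumptions.

```python
import re
import struct

# Kernel 'Packet log:' line as ipchains writes it (same layout as the denial
# quoted in the thread).  The regex and the field names are assumptions of
# this example, not part of any tool.
IPCHAINS_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar 14 13:46:13 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:46069 198.51.100.5:53 L=44 S=0x00 I=0 F=0x0000 T=237 (#65)
Mar 14 13:46:14 tptrtr kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.11:1027 198.51.100.5:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#65)
Mar 14 13:46:20 tptrtr kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.12:3311 198.51.100.5:80 L=44 S=0x00 I=0 F=0x0000 T=50 (#65)
"""


def parse_ipchains_log(line):
    """Return the packet fields of one 'Packet log:' line, or None for other lines."""
    m = IPCHAINS_LOG.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
    }


def tcp_dns_denials(log_text):
    """The subset of log lines that are denied TCP packets to port 53."""
    parsed = (parse_ipchains_log(line) for line in log_text.splitlines())
    return [p for p in parsed
            if p and p["action"] == "DENY" and p["proto"] == "TCP" and p["dport"] == 53]


QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX",
               28: "AAAA", 252: "AXFR", 255: "ANY"}


def build_tcp_dns_query(qname, qtype, txid=0x1234):
    """Construct a DNS query framed for TCP (2-byte length prefix, RFC 1035 4.2.2).
    Used here only to produce sample payloads for classify_tcp_dns()."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    message = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(message)) + message


def classify_tcp_dns(payload):
    """Decode the first question of a DNS-over-TCP message.
    Returns (kind, qname, qtype) where kind is 'normal query',
    'zone transfer request', 'response' or 'malformed'."""
    if len(payload) < 2:
        return ("malformed", None, None)
    (mlen,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + mlen]
    if len(msg) != mlen or mlen < 12:
        return ("malformed", None, None)
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:                        # QR bit: an answer, not a query
        return ("response", None, None)
    if qdcount == 0:
        return ("malformed", None, None)
    pos, labels = 12, []
    while True:                               # walk the QNAME labels
        if pos >= len(msg):
            return ("malformed", None, None)
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(msg):  # compression pointer or overrun
            return ("malformed", None, None)
        labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(msg):
        return ("malformed", None, None)
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    kind = "zone transfer request" if qtype == 252 else "normal query"
    return (kind, ".".join(labels), QTYPE_NAMES.get(qtype, str(qtype)))


if __name__ == "__main__":
    for p in tcp_dns_denials(SAMPLE_LOG):
        print(f"denied TCP/53 from {p['src']}:{p['sport']} on {p['iface']}")
    for sample in (build_tcp_dns_query("example.com", 1),
                   build_tcp_dns_query("example.com", 252)):
        print(classify_tcp_dns(sample))
```

The log half only tells you that a TCP connection to port 53 was attempted, which is exactly why the log alone cannot settle the question; the payload half is what you would run over a capture of the same traffic (taken before the DENY rule drops it) to see whether it was an ordinary A lookup, an AXFR request, or neither.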



Re: DNS Blocked packets (was RE: [Leaf-user] (no subject))

2002-03-14 Thread seanecovel

This question comes up from time to time.  After much 
research and worrying, it usually turns out to be the 
results of a class of tools represented by a product 
called Big IP.  This tool is sold to companies that want 
to tailor the browsing experience of their visitors by 
positioning Web Servers around the net, and then 
pointing the browser to the nearest server.  To do 
this, they flood you with a type of ping request to 
get a round trip time.  You usually get hit by a few 
packets from a bunch of servers, all within a very short 
period of time.  The quickest response wins, and you get 
redirected to that server.  They have been using port 53 
lately.  If you review your logs, you'll find that these 
most often occur when you were browsing, and probably 
got one of those #$%# popup ads.

Sean