Hi Tim,

Yeah, you have it right... back in April and May the discussion took place. It was finally tracked down to some annoying pop-up ads like the X-10 ad that triggered a flurry of DNS hits to locate an ad server close to your location. I can't remember the name of the company who had this brainstorm (30+ hits in 3 seconds?!?! WTF?).

But, if you had any popups lately, then I bet this is the cause of the log entries.

Later
Tony

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Tim Hicks
> Sent: Thursday, September 27, 2001 19:16
> To: Charles Steinkuehler; [EMAIL PROTECTED]
> Subject: [Leaf-user] tcp packets to dns port (was Re: Dachstein-pr3 available)
>
> Charles,
>
> that's great. All the dmz problems appear to have gone away, and everything
> seems to be working as it should. Thanks very much.
>
> I do have one niggle though. My logs have quickly filled up with this sort
> of thing...
>
> Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:35587 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#47)
> Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:56100 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#47)
> Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.194.166.182:43201 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=232 (#47)
> Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:35613 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#47)
>
> I realise that these are tcp packets inbound to my dns port (53), but they
> don't appear to be from the dns root-servers (which was the case last time
> something like this happened). I seem to remember a thread on either this,
> or the linux-router list that discussed something like this a little while
> ago. If I remember correctly, the conclusion was that it was down to some
> flakey sort of load-balancing system, but I could be wrong on that. I
> searched the lists on geocrawler, but I couldn't turn up what I was looking
> for.
>
> I just want to check if I'm better opening up tcp_port_53, or simply
> silently denying all these packets? If I deny them, isn't there a
> possibility of certain dns queries failing if the response is too large? If
> I open the port, do I leave myself in a more insecure position, given that I
> (think I) have a program that is listening on this port i.e. dnscache.
>
> cheers
>
> tim
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
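
A small parser for the packet-log lines quoted above, as an added example that is not part of either message: it groups denied TCP packets to port 53 by second and destination, and reports the seconds in which several distinct sources arrive at once, which is the pattern discussed in the thread. The regex follows the field layout of the quoted lines; the optional `SYN` token and the `min_sources` threshold are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the quoted message (mail-client line wraps re-joined).
SAMPLE = """\
Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:35587 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#47)
Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 202.139.133.129:56100 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=239 (#47)
Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.194.166.182:43201 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=232 (#47)
Sep 27 23:45:02 glenmore kernel: Packet log: input DENY eth0 PROTO=6 203.208.128.70:35613 213.105.191.213:53 L=44 S=0x00 I=0 F=0x0000 T=242 (#47)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?: SYN)? \(#(?P<rule>\d+)\)$"  # optional SYN marker: assumed, not in the sample
)
INT_FIELDS = ("proto", "sport", "dport", "len", "ttl", "rule")


def parse(line):
    """Return the fields of one packet-log line as a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def dns_tcp_bursts(text, min_sources=3):
    """Find seconds in which >= min_sources distinct hosts had TCP to port 53 denied."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["action"] == "DENY" and rec["proto"] == 6 and rec["dport"] == 53:
            buckets[(rec["ts"], rec["dst"])].append(rec)
    bursts = []
    for (ts, dst), pkts in sorted(buckets.items()):
        sources = sorted({p["src"] for p in pkts})
        if len(sources) >= min_sources:
            lengths = sorted({p["len"] for p in pkts})
            bursts.append({"ts": ts, "dst": dst, "packets": len(pkts),
                           "sources": sources, "lengths": lengths})
    return bursts


if __name__ == "__main__":
    for burst in dns_tcp_bursts(SAMPLE):
        print(burst)
```

Identical small packet lengths from several unrelated sources in the same second separate this kind of burst from ordinary large-response DNS over TCP, which would come from a resolver the host had just queried.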