Possible System Compromise

Jim Reid jim at rfc1035.com
Wed Feb 7 15:02:06 UTC 2001


>>>>> "Martin" == Martin McCormick <martin at dc.cis.okstate.edu> writes:

    Martin> We have gotten two complaints regarding traffic from a
    Martin> name server in our domain sending queries on port 42061.
    Martin> Does this have anything to do with bind or is it
    Martin> possibly some other service on the system that has been
    Martin> compromised?

Maybe. By default BIND uses a random, unprivileged port number when
sending queries to other name servers. The chances are that port 42061
is the one your name server is currently using for that purpose,
assuming it runs BIND of course. Whether this means your system has
been compromised is hard to say. There's usually lots of
other evidence - like zapped logs or altered password files - if
there's been a break-in.

If somebody is complaining about that port number, they need to get a
clue. There's nothing in the DNS protocol which mandates the source
port number for sending queries: either by servers or stub resolvers.
In the old days of BIND4, the server sent its queries from port 53 and
some people encoded that in their firewall and router access filters.
Maybe you're being bitten by that legacy behaviour? BTW the
query-source clause can be used in current versions of BIND to set
the source port number on outgoing queries.
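One way for a firewall administrator to check what the complainants in this thread are actually seeing, as an added example that is not part of the original exchange: it parses constructed iptables-style firewall log lines (the log format, addresses and ports are assumptions, not data from the thread) and summarises, per source address, which source ports were used for queries to port 53, so that a port such as 42061 reused for every query can be recognised as a name server's query-source port rather than an unknown service.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not from the original thread).
# 192.0.2.10 plays the name server, 192.0.2.20 a host with per-query ports, 192.0.2.30 one still sending from port 53.
SAMPLE_LOG = """\
Feb  7 14:55:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=42061 DPT=53
Feb  7 14:55:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.7 PROTO=UDP SPT=42061 DPT=53
Feb  7 14:55:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.9 PROTO=UDP SPT=42061 DPT=53
Feb  7 14:55:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=UDP SPT=1025 DPT=53
Feb  7 14:55:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=UDP SPT=33012 DPT=53
Feb  7 14:55:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53
Feb  7 14:55:07 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=42061 DPT=80
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=(?:UDP|TCP) SPT=(\d+) DPT=(\d+)")

def dns_source_ports(log_text):
    """Map each source address to the set of source ports it used for queries to port 53."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        src, spt, dpt = m.group(1), int(m.group(2)), int(m.group(3))
        if dpt != 53:  # not a DNS query; ignore other traffic from the same host
            continue
        ports[src].add(spt)
    return dict(ports)

def classify(port_set):
    """Label a host's query source-port pattern."""
    if len(port_set) == 1:
        (port,) = port_set
        if port == 53:
            return "fixed port 53 (BIND4-style, or query-source port 53)"
        if port < 1024:
            return "fixed privileged port %d" % port
        return "fixed unprivileged port %d (one random port reused for all queries)" % port
    return "varying source ports (%d distinct)" % len(port_set)

def report(log_text):
    """Per host: sorted ports seen and the classification, for a firewall admin to read."""
    return {src: (sorted(p), classify(p)) for src, p in dns_source_ports(log_text).items()}

if __name__ == "__main__":
    for src, (ports, label) in report(SAMPLE_LOG).items():
        print(src, ports, label)
```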
