port 53 Questions (port Scans)

Mark_Andrews at isc.org
Sat Jan 26 03:50:11 UTC 2002


> Hello ,
> 
> [root at echelon conf]# nslookup 193.2.1.66
> Server:  localhost
> Address:  127.0.0.1
> 
> Name:    kanin.arnes.si
> Address:  193.2.1.66
> 
> [root at echelon conf]# nslookup 203.116.23.60
> Server:  localhost
> Address:  127.0.0.1
> 
> Name:    web1.asia1.com.sg
> Address:  203.116.23.60
> 
> Name:    nic.unh.edu
> Address:  132.177.128.99
> 
> [root at echelon conf]# nslookup 132.177.128.99
> Server:  localhost
> Address:  127.0.0.1
> 
> Name:    nic.unh.edu
> Address:  132.177.128.99
> 
> [root at echelon conf]# nslookup 196.4.160.14
> Server:  localhost
> Address:  127.0.0.1
> 
> Name:    apollo11.is.co.za
> Address:  196.4.160.14
> 
> Since blocking port 53 on my firewall to all but my secondary DNS providers'
> IP addresses, my firewall is showing an awful lot of port 53 queries to my
> machine. Above are just a few from one day.

	Well if you list your machine as a nameserver you should expect
	queries.  If you don't want queries remove the NS for it and
	don't forget to update the delegation.

	Mark

; <<>> DiG 8.3 <<>> ns eziekiel.com 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 5
;; QUERY SECTION:
;;	eziekiel.com, type = NS, class = IN

;; ANSWER SECTION:
eziekiel.com.		1d23h57m33s IN NS  NS.eziekiel.com.
eziekiel.com.		1d23h57m33s IN NS  NS1.EASYDNS.com.
eziekiel.com.		1d23h57m33s IN NS  NS2.EASYDNS.com.
eziekiel.com.		1d23h57m33s IN NS  REMOTE1.EASYDNS.com.
eziekiel.com.		1d23h57m33s IN NS  REMOTE2.EASYDNS.com.

;; ADDITIONAL SECTION:
NS.eziekiel.com.	1d23h57m33s IN A  203.22.141.148
NS1.EASYDNS.com.	1d23h57m33s IN A  216.220.40.243
NS2.EASYDNS.com.	1d23h57m33s IN A  216.220.40.244
REMOTE1.EASYDNS.com.	1d23h57m33s IN A  64.39.29.212
REMOTE2.EASYDNS.com.	1d23h57m33s IN A  212.100.224.80

;; Total query time: 2 msec
;; FROM: drugs.dv.isc.org to SERVER: default -- 127.0.0.1
;; WHEN: Sat Jan 26 14:49:50 2002
;; MSG SIZE  sent: 30  rcvd: 215

> 
> Any thoughts/ideas why there are so many, and are they harmless requests, or
> could these be infected machines scanning for vulnerable BIND systems?
> 
> I am authoritative for only my domain (eziekiel.com); the secondary nameservers
> are those at easydns.com (4 nameservers in total). I have opened my firewall
> to only those 4 machines' IP addresses.
> 
> 
> Just curious
> 
> Regards
> 
> Andrew
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
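To make Mark's point concrete, here is an added example (not from the thread or from BIND) that takes the NS and glue records from the dig output above and compares them against the firewall allowlist the poster describes. Any advertised nameserver whose address is not among the permitted secondaries is a host the whole Internet is entitled to query, which is exactly the traffic being logged; the allowlist set and the zone name argument are assumptions taken from the post, and the parent delegation (not shown in the dig output) would need the same check.

```python
import re

# Answer and additional sections copied from the dig output in the reply above.
DIG_OUTPUT = """\
eziekiel.com.         1d23h57m33s IN NS  NS.eziekiel.com.
eziekiel.com.         1d23h57m33s IN NS  NS1.EASYDNS.com.
eziekiel.com.         1d23h57m33s IN NS  NS2.EASYDNS.com.
eziekiel.com.         1d23h57m33s IN NS  REMOTE1.EASYDNS.com.
eziekiel.com.         1d23h57m33s IN NS  REMOTE2.EASYDNS.com.
NS.eziekiel.com.      1d23h57m33s IN A  203.22.141.148
NS1.EASYDNS.com.      1d23h57m33s IN A  216.220.40.243
NS2.EASYDNS.com.      1d23h57m33s IN A  216.220.40.244
REMOTE1.EASYDNS.com.  1d23h57m33s IN A  64.39.29.212
REMOTE2.EASYDNS.com.  1d23h57m33s IN A  212.100.224.80
"""

# Assumption: the poster's firewall admits port 53 only from the four
# easydns.com secondaries, i.e. the glue addresses listed above for them.
ALLOWED = {"216.220.40.243", "216.220.40.244", "64.39.29.212", "212.100.224.80"}

# owner  ttl  IN  (NS|A)  rdata  -- dig-style resource record line
RR = re.compile(r"^(\S+)\s+\S+\s+IN\s+(NS|A)\s+(\S+)$")

def parse_records(text):
    """Return ({zone: set(ns hosts)}, {host: ip}) from dig-style RR lines."""
    ns, glue = {}, {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue                      # headers, comments, blank lines
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns.setdefault(owner.lower(), set()).add(rdata.lower())
        else:
            glue[owner.lower()] = rdata
    return ns, glue

def advertised_outside_allowlist(zone, text, allowed):
    """Nameservers published in the zone's NS set whose address is not an
    allowlisted secondary. Resolvers anywhere may legitimately query these
    hosts, so port 53 traffic to them is expected, not a scan. A host with
    no glue is reported with ip None."""
    ns, glue = parse_records(text)
    zone = zone.lower().rstrip(".") + "."
    return {host: glue.get(host) for host in sorted(ns.get(zone, ()))
            if glue.get(host) not in allowed}

if __name__ == "__main__":
    for host, ip in advertised_outside_allowlist("eziekiel.com", DIG_OUTPUT, ALLOWED).items():
        print(f"{host} ({ip}) is advertised as NS but not an allowlisted secondary")
```

If your own host shows up here, it is in the zone's NS set and will be queried from everywhere; either open port 53 to the world for it or, as Mark says, remove the NS record and update the parent delegation.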

