named responding to port 80
Steven Parsons
sparsons at columbus.rr.com
Mon Mar 25 17:34:31 UTC 2002
I have been stumped with this for a couple of days now, so whoever can provide
insight, it is going to be greatly appreciated.
I have a BIND server 8.2.3-REL running on SunOS which, for some reason
unknown to me, at times answers DNS requests to port 80. This is causing
a small number (one right now that I'm aware of) of users to assume they are
Code Red probes, and myNewWatchman is sending alerts to my ISP.
I feel very confident the server is secured; it is only running BIND & SSH.
I feel this is just something BIND does at times (port forwarding?) but that I
cannot find documented or in the newsgroups.
Below you can see some snips of a couple of snoop sessions, and one more
verbose one showing the originating port being 53.
Any additional information will be very much appreciated.
Thanks,
Steven B. Parsons
my.dns.server.com -> 192.116.207.178 HTTP C port=17601
my.dns.server.com -> belly.worldaccessnet.com HTTP C port=49476
my.dns.server.com -> cisco-gw.worldaccessnet.com HTTP C port=49476
my.dns.server.com -> 12.39.160.31 HTTP C port=49476
my.dns.server.com -> 63.149.183.31 HTTP C port=49476
my.dns.server.com -> 192.116.207.178 HTTP C port=17601
my.dns.server.com -> 203.196.69.64 DNS R port=80
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:09:0.09
ETHER: Packet size = 54 bytes
ETHER: Destination = 0:0:c:7:ac:a, Cisco
ETHER: Source = 8:0:20:9a:2e:f2, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 14581
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 52 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 90f8
IP: Source address = 65.X.X.X, my.dns.server.com
IP: Destination address = 168.215.146.79, 168-215-146-79.gen.twtelecom.net
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 53
TCP: Destination port = 80 (HTTP)
TCP: Sequence number = 0
TCP: Acknowledgement number = 0
TCP: Data offset = 20 bytes
TCP: Flags = 0x04
TCP: ..0. .... = No urgent pointer
TCP: ...0 .... = No acknowledgement
TCP: .... 0... = No push
TCP: .... .1.. = Reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 0
TCP: Checksum = 0x3279
TCP: Urgent pointer = 0
TCP: No options
TCP:
DNS: ----- DNS: -----
DNS:
DNS: ""
DNS:
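An added example, not part of the post above and not BIND code: it decodes the verbose snoop dump quoted above (ports plus the TCP flag byte) and shows that the segment snoop labels "DNS R port=80" is a bare RST leaving port 53, which is the host's TCP stack refusing a segment that arrived on its DNS port from a peer's source port 80, rather than named opening an HTTP connection. The dump excerpt embedded in the code is constructed from the one in the post, and the field names follow snoop's "layer: name = value" layout.

```python
import re

# Constructed excerpt of the snoop -v dump quoted in the post (field lines only)
SNOOP_DUMP = """\
IP: Protocol = 6 (TCP)
IP: Source address = 65.X.X.X, my.dns.server.com
IP: Destination address = 168.215.146.79, 168-215-146-79.gen.twtelecom.net
TCP: Source port = 53
TCP: Destination port = 80 (HTTP)
TCP: Sequence number = 0
TCP: Acknowledgement number = 0
TCP: Flags = 0x04
TCP: Window = 0
"""

# TCP flag byte as snoop prints it (bit -> name)
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

FIELD_RE = re.compile(r"^(IP|TCP):\s*([A-Za-z ]+?)\s*=\s*(.+?)\s*$")

def parse_snoop(dump):
    """Pull the per-layer 'name = value' fields out of a snoop -v dump."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if m:
            layer, name, value = m.groups()
            fields[(layer, name)] = value          # keyed by layer: IP and TCP both have 'Flags'
    flags = int(fields[("TCP", "Flags")], 16)
    return {
        "src": fields[("IP", "Source address")].split(",")[0],
        "dst": fields[("IP", "Destination address")].split(",")[0],
        "sport": int(fields[("TCP", "Source port")].split()[0]),
        "dport": int(fields[("TCP", "Destination port")].split()[0]),
        "flags": {name for bit, name in TCP_FLAG_BITS.items() if flags & bit},
        "window": int(fields[("TCP", "Window")]),
    }

def classify(pkt):
    """Say what a segment from this host to port 80 actually is."""
    f = pkt["flags"]
    if "RST" in f:
        # A bare RST opens nothing and carries no data: the kernel (not named) is
        # refusing a segment it received on pkt['sport'] from the peer's pkt['dport'].
        return "reset from port %d: reply to unsolicited traffic, not an HTTP request" % pkt["sport"]
    if "SYN" in f and "ACK" not in f and pkt["dport"] == 80:
        return "outbound TCP connect to port 80: this host is acting as an HTTP client"
    return "other"
```

Running classify(parse_snoop(SNOOP_DUMP)) reports the reset case, which is what an alerting tool keyed only on destination port 80 misreads as a web probe.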