Strange firewall entries udp53

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 29 00:27:03 UTC 2002


Simon Johnson wrote:

> Hi,
>
> I'm running Bind 8.3.3-REL as part of my FreeBSD 4.6.2 distro.
>
> It is configured as a caching-only name server querying the root name
> servers, as my provider's DNS is notoriously unreliable.
>
> Periodically I receive the following hits on my firewall and am at a
> complete loss to understand why.
>
> 28500 Deny ICMP:8.0 64.0.96.12 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 64.14.117.10 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 204.176.88.5 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 64.15.251.198 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 65.119.25.162 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 208.185.54.14 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 213.61.6.2 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 212.62.17.145 xxx.xxx.xxx.xxx in via fxp1
> repeated x3
>
> 28600 Deny UDP 64.0.96.12:1852 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 64.14.117.10:58781 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 204.176.88.5:3484 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 64.15.251.198:44544 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 65.119.25.162:50195 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 208.185.54.14:63340 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 212.62.17.145:9886 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 213.61.6.2:44915 xxx.xxx.xxx.xxx:53 in via fxp1
> repeated x2
>
> *** named.conf
>
> options {
>         directory "/";
>         named-xfer "/bin/named-xfer";
>         version "Yeah Right!";
>         notify no;
>         query-source address * port 5300;
>         listen-on {
>                 192.168.42.10;
>         };
>         allow-query {
>                 192.168.42.0/24;
>                 192.168.40.0/24;
>                 127.0.0.1;
>         };
>         allow-transfer {
>                 127.0.0.1;
>         };
> };
>
> zone "." IN {
>         type hint;
>         file "/master/named.root";
> };
>
> zone "localhost" IN {
>         type master;
>         file "/master/localhost";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" IN {
>         type master;
>         file "/master/0.0.127.in-addr.arpa";
> };
>
> zone "optus.cable" IN {
>         type master;
>         file "/master/optus.cable";
> };
>
> zone "0.38.10.IN-ADDR.ARPA" IN {
>         type master;
>         file "/master/0.38.10.in-addr.arpa";
> };
>
> zone "100.168.192.IN-ADDR.ARPA" IN {
>         type master;
>         file "/master/100.168.192.in-addr.arpa";
> };
>
> zone "melton.gve" IN {
>         type master;
>         file "/master/melton.gve";
>         allow-update {
>                 192.168.42.10;
>         };
> };
>
> zone "42.168.192.IN-ADDR.ARPA" IN {
>         type master;
>         file "/master/42.168.192.in-addr.arpa";
>         allow-update {
>                 192.168.42.10;
>         };
> };
>
> Can anyone shed some light on what is happening here?

Well, they look like they might be probes of some sort. Maybe someone
sees -- don't ask me how -- that your address has started sending and
receiving DNS packets and, based on that information, is probing you on
the off chance that you're running a vulnerable version of BIND listening
to external queries.


- Kevin
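As an added illustration of the pattern Kevin describes (not code from either poster), the following parses ipfw "Deny" lines in the format quoted above and reports the source hosts that both sent an ICMP echo request (type 8, code 0) and then sent UDP to port 53. The log lines embedded below are constructed samples, and the destination is left as xxx.xxx.xxx.xxx just as in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the ipfw log format quoted in the thread:
# <rule> Deny <proto> <src[:port]> <dst[:port]> in via <iface>
SAMPLE_LOG = """\
28500 Deny ICMP:8.0 64.0.96.12 xxx.xxx.xxx.xxx in via fxp1
28500 Deny ICMP:8.0 204.176.88.5 xxx.xxx.xxx.xxx in via fxp1
28600 Deny UDP 64.0.96.12:1852 xxx.xxx.xxx.xxx:53 in via fxp1
28600 Deny UDP 204.176.88.5:3484 xxx.xxx.xxx.xxx:53 in via fxp1
28600 Deny UDP 198.51.100.7:40000 xxx.xxx.xxx.xxx:53 in via fxp1
28500 Deny ICMP:8.0 203.0.113.9 xxx.xxx.xxx.xxx in via fxp1
"""

# ICMP lines carry "type.code" after the protocol; UDP lines carry src:port dst:port.
ICMP_RE = re.compile(r"^(\d+) Deny ICMP:(\d+)\.(\d+) (\S+) (\S+) in via (\S+)$")
UDP_RE = re.compile(r"^(\d+) Deny UDP (\S+):(\d+) (\S+):(\d+) in via (\S+)$")


def parse_line(line):
    """Return (source_ip, kind): kind is 'ping' for an ICMP echo request
    (type 8) or 'dns' for UDP to destination port 53; None otherwise."""
    m = ICMP_RE.match(line)
    if m:
        return (m.group(4), "ping") if int(m.group(2)) == 8 else None
    m = UDP_RE.match(line)
    if m and int(m.group(5)) == 53:
        return (m.group(2), "dns")
    return None


def correlate(log_text):
    """Map each source IP to the set of probe kinds seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line.strip())
        if parsed:
            src, kind = parsed
            seen[src].add(kind)
    return dict(seen)


def ping_then_dns_sources(log_text):
    """Sources that both pinged the host and sent UDP/53: a reachability
    check followed by a DNS probe, the sequence visible in the thread."""
    seen = correlate(log_text)
    return sorted(src for src, kinds in seen.items() if kinds == {"ping", "dns"})


if __name__ == "__main__":
    print(ping_then_dns_sources(SAMPLE_LOG))
```

Because the quoted named.conf binds only to 192.168.42.10 and restricts allow-query to internal ranges, such probes are denied at the firewall before reaching named; this script only makes the correlation visible.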
