Strange firewall entries udp53
Kevin Darcy
kcd at daimlerchrysler.com
Tue Oct 29 00:27:03 UTC 2002
Simon Johnson wrote:
> Hi,
>
> I'm running Bind 8.3.3-REL as part of my FreeBSD 4.6.2 distro.
>
> It is configured as a caching only name-server querying the root name
> servers as my provider's DNS is notoriously unreliable.
>
> Periodically I receive the following hits on my firewall and am at a
> complete loss to understand why.
>
> 28500 Deny ICMP:8.0 64.0.96.12 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 64.14.117.10 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 204.176.88.5 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 64.15.251.198 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 65.119.25.162 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 208.185.54.14 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 213.61.6.2 xxx.xxx.xxx.xxx in via fxp1
> 28500 Deny ICMP:8.0 212.62.17.145 xxx.xxx.xxx.xxx in via fxp1
> repeated x3
>
> 28600 Deny UDP 64.0.96.12:1852 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 64.14.117.10:58781 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 204.176.88.5:3484 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 64.15.251.198:44544 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 65.119.25.162:50195 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 208.185.54.14:63340 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 212.62.17.145:9886 xxx.xxx.xxx.xxx:53 in via fxp1
> 28600 Deny UDP 213.61.6.2:44915 xxx.xxx.xxx.xxx:53 in via fxp1
> repeated x2
>
> *** named.conf
>
> options {
>     directory "/";
>     named-xfer "/bin/named-xfer";
>     version "Yeah Right!";
>     notify no;
>     query-source address * port 5300;
>     listen-on {
>         192.168.42.10;
>     };
>     allow-query {
>         192.168.42.0/24;
>         192.168.40.0/24;
>         127.0.0.1;
>     };
>     allow-transfer {
>         127.0.0.1;
>     };
> };
>
> zone "." IN {
>     type hint;
>     file "/master/named.root";
> };
>
> zone "localhost" IN {
>     type master;
>     file "/master/localhost";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" IN {
>     type master;
>     file "/master/0.0.127.in-addr.arpa";
> };
>
> zone "optus.cable" IN {
>     type master;
>     file "/master/optus.cable";
> };
>
> zone "0.38.10.IN-ADDR.ARPA" IN {
>     type master;
>     file "/master/0.38.10.in-addr.arpa";
> };
>
> zone "100.168.192.IN-ADDR.ARPA" IN {
>     type master;
>     file "/master/100.168.192.in-addr.arpa";
> };
>
> zone "melton.gve" IN {
>     type master;
>     file "/master/melton.gve";
>     allow-update {
>         192.168.42.10;
>     };
> };
>
> zone "42.168.192.IN-ADDR.ARPA" IN {
>     type master;
>     file "/master/42.168.192.in-addr.arpa";
>     allow-update {
>         192.168.42.10;
>     };
> };
>
> Can anyone shed some light on what is happening here?
Well, they look like they might be probes of some sort. Maybe someone
sees -- don't ask me how -- that your address has started sending and
receiving DNS packets and based on that information is probing you on
the off chance that you're running a vulnerable version of BIND listening
to external queries.
- Kevin
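A small detector for the pattern discussed in this thread, added here as an example (it is not code from either poster): it parses ipfw-style Deny lines like the ones Simon quoted and reports sources that sent both an ICMP echo request and an inbound UDP packet to port 53. The sample log lines are constructed in that same format, with the masked destination address kept as written.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipfw log format shown in the thread
# (destination address masked as in the original post).
SAMPLE_LOG = """\
28500 Deny ICMP:8.0 64.0.96.12 xxx.xxx.xxx.xxx in via fxp1
28500 Deny ICMP:8.0 64.14.117.10 xxx.xxx.xxx.xxx in via fxp1
28600 Deny UDP 64.0.96.12:1852 xxx.xxx.xxx.xxx:53 in via fxp1
28600 Deny UDP 64.14.117.10:58781 xxx.xxx.xxx.xxx:53 in via fxp1
28600 Deny UDP 10.9.8.7:40000 xxx.xxx.xxx.xxx:53 in via fxp1
28600 Deny UDP 64.0.96.12:1853 xxx.xxx.xxx.xxx:53 in via fxp1
"""

# "<rule> Deny ICMP:<type>.<code> <src> <dst> in via <iface>"
ICMP_RE = re.compile(r"^(\d+) Deny ICMP:(\d+)\.(\d+) (\S+) (\S+) (in|out) via (\S+)$")
# "<rule> Deny UDP <src>:<sport> <dst>:<dport> in via <iface>"
UDP_RE = re.compile(r"^(\d+) Deny UDP (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)$")


def parse_line(line):
    """Return a dict describing one ipfw Deny line, or None if it does not match."""
    m = ICMP_RE.match(line)
    if m:
        return {"rule": int(m.group(1)), "proto": "icmp", "icmp_type": int(m.group(2)),
                "src": m.group(4), "dst": m.group(5), "dir": m.group(6), "iface": m.group(7)}
    m = UDP_RE.match(line)
    if m:
        return {"rule": int(m.group(1)), "proto": "udp", "src": m.group(2),
                "sport": int(m.group(3)), "dst": m.group(4), "dport": int(m.group(5)),
                "dir": m.group(6), "iface": m.group(7)}
    return None


def find_dns_probers(log_text):
    """Group inbound denies by source address and return {src: udp53_count} for
    every source that sent both an ICMP echo request (type 8) and UDP to port 53."""
    seen = defaultdict(lambda: {"echo": False, "dns53": 0})
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None or rec["dir"] != "in":
            continue
        if rec["proto"] == "icmp" and rec["icmp_type"] == 8:
            seen[rec["src"]]["echo"] = True
        elif rec["proto"] == "udp" and rec["dport"] == 53:
            seen[rec["src"]]["dns53"] += 1
    return {src: v["dns53"] for src, v in seen.items() if v["echo"] and v["dns53"] > 0}


if __name__ == "__main__":
    for src, count in sorted(find_dns_probers(SAMPLE_LOG).items()):
        print(f"{src}: ping followed by {count} UDP/53 packet(s)")
```

The source that only sent UDP/53 without a preceding echo request is left out of the result, so a lone stray query does not trigger the report.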