Netscreen FW product bug, perhaps? (was RE: unsolicited spam packets from DNS servers?)

Mark_Andrews at isc.org Mark_Andrews at isc.org
Tue Feb 25 06:25:19 UTC 2003


> 
> 
> > From: marka at isc.org [mailto:marka at isc.org] On Behalf Of
> > 	You are making queries but not allowing the replies back.
> > 	Look at your logs.  All the allowed traffic is outgoing.
> ---
> 	Yeah, that's what I thought at first too.  But then
> someone kicked me and said "well, if that's true, how are
> you getting any name resolution whatsoever?"  A bit
> more "digging"...The "R:xxxx" in the "->" lines is "received
> bytes", "S:xxx" is "sent bytes".  So even though there is
> a "->", that simply means it was 'initiated' from within,
> the 'response' is counted as part of the 'initiated' query.
>
> > 	All the blocked traffic is incoming.  The blocked traffic
> > 	is heading to the port the allowed traffic comes from.
> ----
> 	I'm not allowing "unsolicited" responses to be coming
> back.  There are responses back in the "->" lines,
> 
> 
> >
> > 	You are blocking replies and pounding the root servers
> > 	with queries that you are ignoring.
> ...
> 
> 	Looking at the 'pounding' sections, I see some amount of
> 'pounding', followed by a successful "session":
> 
> (1)   99 HostA:34118 |< g.gtld-servers.net   :53
> 	" x5
> (2)   99 HostA:34118 |< buchu.arin.net       :53
> 	" x4
> (3)   99 HostA:34118 |< a3.NSTLD.COM         :53
> 	" x7
> (4),3  6 HostA:34118 -> j.gtld-servers.net   :53 ;R: 226; S:  82
> (5),5  6 HostA:34118 -> g.gtld-servers.net   :53 ;R: 247; S: 552
> (6),3  6 HostA:34118 -> a3.NSTLD.COM         :53 ;R: 445; S: 784
> (7),3  6 HostA:34118 -> ns-ext.vix.com       :53 ;R: 231; S:  88
> (8),3  6 HostA:34118 -> buchu.arin.net       :53 ;R: 329; S: 488
>     ^-duration in seconds
> ---
> 	This is just weird.  The FW box in question is a "Netscreen
> 5xp".  But (I need to fix log so seconds get recorded)
> I can see several replies from the servers come in before
> one that the netscreen box considers "matching", and then it
> "closes" the "request-session" and logs it as successful.  For
> brevity, I abbreviated multiple rejects with the number of lines
> deleted (" x5 = repeated 5 times).
> 
> 	This is crappy.  I'll try to see if I can get anything out
> of the Netscreen support people, but they haven't been able to
> explain why their log formats differ in email vs. syslog vs.
> their documentation yet, so dunno about why it would be
> dropping traffic.  Weird.
> 
> -linda

	I suspect that it is just doing DNS query id matching
	and blocking all replies after the first one.  BIND 8
	will use the same ID when talking to multiple servers.

	Your firewall is blocking legitimate replies.
	
	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
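As an added illustration (not code from the thread or from Netscreen), a toy model of the behaviour Mark suspects: the resolver reuses one query ID across several servers, and a firewall that keys its session on (source host, source port, query ID) rather than the full address pair closes the session on the first reply and blocks the rest. Server names are taken from the log above; the query ID, the `Firewall` class and its two keying modes are constructed assumptions.

```python
# Constructed model of the suspected firewall behaviour (not Netscreen code).
import struct

def dns_header(qid, response=False):
    """Build a minimal 12-byte DNS header; the QR bit marks a response."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", qid, flags, 1, 1 if response else 0, 0, 0)

def parse_header(pkt):
    """Return (query id, is_response) from a DNS packet."""
    qid, flags = struct.unpack("!HH", pkt[:4])
    return qid, bool(flags & 0x8000)

class Firewall:
    """Stateful session table for outbound UDP/53 queries.

    per_server=True  -> session keyed on (host, port, server, id)
    per_server=False -> session keyed on (host, port, id) only; this is the
                        suspected bug: one reply closes the session for all
                        servers that were sent the same id.
    """
    def __init__(self, per_server):
        self.per_server = per_server
        self.sessions = set()

    def _key(self, host, port, server, qid):
        return (host, port, server, qid) if self.per_server else (host, port, qid)

    def outbound(self, host, port, server, pkt):
        qid, _ = parse_header(pkt)
        self.sessions.add(self._key(host, port, server, qid))

    def inbound(self, host, port, server, pkt):
        qid, is_resp = parse_header(pkt)
        key = self._key(host, port, server, qid)
        if is_resp and key in self.sessions:
            self.sessions.discard(key)   # first matching reply closes the session
            return "allow"
        return "block"

def simulate(per_server):
    """Send the same query id to three servers, then replay their replies."""
    servers = ["j.gtld-servers.net", "g.gtld-servers.net", "a3.NSTLD.COM"]
    fw, qid = Firewall(per_server), 0x1234          # constructed id
    for s in servers:
        fw.outbound("HostA", 34118, s, dns_header(qid))
    return {s: fw.inbound("HostA", 34118, s, dns_header(qid, True)) for s in servers}
```

With `per_server=False` only the first reply is allowed and the other two legitimate replies are blocked, matching the repeated `|<` rejects followed by a single successful session in the log.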

