Netscreen FW product bug, perhaps? (was RE: unsolicited spam packets from DNS servers?)
Mark_Andrews at isc.org
Tue Feb 25 06:25:19 UTC 2003
>
>
> > From: marka at isc.org [mailto:marka at isc.org] On Behalf Of
> > You are making queries but not allowing the replies back.
> > Look at your logs. All the allowed traffic is outgoing.
> ---
> Yeah, that's what I thought at first too. But then
> someone kicked me and said "well, if that's true, how are
> you getting any name resolution whatsoever?" A bit
> more "digging"...The "R:xxxx" in the "->" lines is "received
> bytes", S:xxx is "sent bytes". So even though there is
> a "->", that simply means it was 'initiated' from within,
> the 'response' is counted as part of the 'initiated' query.
>
> > All the blocked traffic is incoming. The blocked traffic
> > is heading to the port the allowed traffic comes from.
> ----
> I'm not allowing "unsolicited" responses to be coming
> back. There are responses back in the "->" lines,
>
>
> >
> > You are blocking replies and pounding the root servers
> > with queries that you are ignoring.
> ...
>
> Looking at the 'pounding' sections, I see some amount of
> 'pounding', followed by a successful "session":
>
> (1) 99 HostA:34118 |< g.gtld-servers.net :53
> " x5
> (2) 99 HostA:34118 |< buchu.arin.net :53
> " x4
> (3) 99 HostA:34118 |< a3.NSTLD.COM :53
> " x7
> (4),3 6 HostA:34118 -> j.gtld-servers.net :53 ;R: 226; S: 82
> (5),5 6 HostA:34118 -> g.gtld-servers.net :53 ;R: 247; S: 552
> (6),3 6 HostA:34118 -> a3.NSTLD.COM :53 ;R: 445; S: 784
> (7),3 6 HostA:34118 -> ns-ext.vix.com :53 ;R: 231; S: 88
> (8),3 6 HostA:34118 -> buchu.arin.net :53 ;R: 329; S: 488
> ^-duration in seconds
> ---
> This is just weird. The FW box in question is a "Netscreen
> 5xp". But (I need to fix log so seconds get recorded)
> I can see several replies from the servers come in before
> one that the netscreen box considers "matching", and then it
> "closes" the "request-session" and logs it as successful. For
> brevity, I abbreviated multiple rejects with the number of lines
> deleted (" x5 = repeated 5 times).
>
> This is crappy. I'll try to see if I can get anything out
> of the Netscreen support people, but they haven't been able to
> explain why their log formats differ in email vs. syslog vs.
> their documentation yet, so dunno about why it would be
> dropping traffic. Weird.
>
> -linda
I suspect that it is just doing DNS query id matching
and blocking all replies after the first one. BIND 8
will use the same ID when talking to multiple servers.
Your firewall is blocking legitimate replies.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
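The failure mode Mark suspects above, as an added example that is not part of the original thread and not the Netscreen's real state machine: a small model of a stateful firewall in front of a resolver that reuses one DNS transaction ID across several servers. In "id-only" mode the firewall keys its pending session on (inside address, inside port, DNS ID) and closes it on the first matching reply, so the second and third legitimate replies are dropped exactly as in the log excerpt; in "per-server" mode the key also includes the server address and port, so each server's reply matches its own session. Addresses, ports, the resolver, and the mode names are assumptions, and the DNS packets are constructed inline (header only).

```python
import struct
from dataclasses import dataclass, field

# Constructed example (hypothetical addresses from the RFC 5737 documentation
# ranges). Models a resolver that, like BIND 8 is said to do above, reuses one
# transaction ID when querying several authoritative servers for one lookup.
RESOLVER = ("192.0.2.10", 34118)
SERVERS = [("198.51.100.1", 53), ("198.51.100.2", 53), ("203.0.113.3", 53)]
BYSTANDER = ("203.0.113.99", 53)   # never queried; its "reply" is unsolicited


def dns_header(txid, response):
    """Minimal 12-byte DNS header: ID, flags, QD/AN/NS/AR counts (no question section)."""
    flags = 0x8180 if response else 0x0100          # QR bit (0x8000) set on responses
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


def txid_of(payload):
    return struct.unpack("!H", payload[:2])[0]


def is_response(payload):
    return bool(struct.unpack("!H", payload[2:4])[0] & 0x8000)


@dataclass
class Packet:
    src: tuple
    dst: tuple
    payload: bytes


@dataclass
class Firewall:
    """mode='id-only'   : session = (inside endpoint, DNS ID); the first reply closes it.
       mode='per-server': session = (inside endpoint, server endpoint, DNS ID)."""
    mode: str
    sessions: set = field(default_factory=set)
    allowed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

    def _key(self, inside, server, txid):
        if self.mode == "id-only":
            return (inside, txid)
        return (inside, server, txid)

    def outbound(self, pkt):
        # Queries from the inside always pass and open (or re-open) a pending session.
        self.sessions.add(self._key(pkt.src, pkt.dst, txid_of(pkt.payload)))
        self.allowed.append(pkt)

    def inbound(self, pkt):
        if not is_response(pkt.payload):
            self.blocked.append(pkt)                 # query arriving from outside
            return
        key = self._key(pkt.dst, pkt.src, txid_of(pkt.payload))
        if key in self.sessions:
            self.sessions.discard(key)               # first matching reply closes the session
            self.allowed.append(pkt)
        else:
            self.blocked.append(pkt)                 # no open session: logged as a block


def run_scenario(mode, txid=0x1234):
    """Resolver sends one ID to three servers; all three answer; two bogus
    replies follow. Returns (allowed replies, blocked packets)."""
    fw = Firewall(mode)
    for srv in SERVERS:
        fw.outbound(Packet(RESOLVER, srv, dns_header(txid, False)))
    for srv in SERVERS:
        fw.inbound(Packet(srv, RESOLVER, dns_header(txid, True)))
    # Noise that either mode should drop: an unsolicited reply and a wrong-ID reply.
    fw.inbound(Packet(BYSTANDER, RESOLVER, dns_header(txid, True)))
    fw.inbound(Packet(SERVERS[0], RESOLVER, dns_header(txid ^ 1, True)))
    replies = [p for p in fw.allowed if is_response(p.payload)]
    return len(replies), len(fw.blocked)


if __name__ == "__main__":
    for mode in ("id-only", "per-server"):
        print(mode, run_scenario(mode))
```

Under "id-only" the three outbound queries collapse into one session, so only one reply gets through and the other two legitimate answers are logged as blocks; under "per-server" all three pass while the unsolicited and wrong-ID replies are still dropped in both modes.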