sshd doing dns queries on localhost?

From: Fernando Schapachnik (fernando_at_mecon.gov.ar)
Date: 05/26/03

    Date: Mon, 26 May 2003 13:32:55 -0300
    To: freebsd-security@freebsd.org
    
    

    Hi,
            I noted on my 4.7 machines that when an ssh connection is made, the
    following PTR query happens (10.11.1.11 is the src address in the example):

    13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
    13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
    13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
    13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)

            This is very weird because resolv.conf points to another server. Also,
    the capture is from lo0.

            Not that I see a security problem here (just the annoyance of this
    filling my log_in_vain logs), but I'm curious about the reason; at least I didn't
    find any clue looking at the source.

    May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
    May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
    May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
    May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526

            Thanks for any pointer!

            Regards!

    Fernando.