Re: [Full-Disclosure] Strange TCP/IP DNS traffic

From: Skip Duckwall (skip_at_duckwall.net)
Date: 06/03/04

  • Next message: debian-security-announce_at_lists.debian.org: "[Full-Disclosure] [SECURITY] [DSA 513-1] New log2mail packages fix format string vulnerabilities"
    To: full-disclosure@netsys.com
    Date: Thu, 3 Jun 2004 13:22:37 -0500 (CDT)
    
    

    On Thu, 3 Jun 2004, Shachar Shemesh wrote:

    > Hi all,
    >
    > A few days ago I started seeing outbound TCP connection on port 53,
    > aimed at the .com NS servers. These were blocked by the firewall. I
    > realize that this does not violate any RFC, but it's still unusual.

    TCP is used for DNS when the size of the UDP response exceeds 512 bytes.
    When this happens, the UDP response sets a truncated flag which tells the
    resolver to connect via TCP to get the whole thing. The only time I've
    seen this behavior in the last few years has been when sending mail to
    large ISP/businesses when the results of a MX record query exceed 512
    bytes. So blocking it outbound might result in E-mail not going through.

    >
    > The outbound traffic is not generated by the local bind installation,
    > which was asked to bind to port 53 for outbound traffic. Also,
    > /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I
    > understand such traffic should not be initiated by user programs.
    >

    This just tells the machine that it should use localhost for name
    resolution. Unless you have the world's biggest /etc/hosts file, you are
    probably running some sort of name server (bind/named for example)

    Alva Lease 'Skip' Duckwall IV
    skip at duckwall dot net
    CISSP, RHCE, SCSA

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: debian-security-announce_at_lists.debian.org: "[Full-Disclosure] [SECURITY] [DSA 513-1] New log2mail packages fix format string vulnerabilities"

    Relevant Pages

    • Re: Packet Filter problems ?
      ... ISA server itself, I've good reasons to do so and it cannot be placed behind ... outbound TCP access on a specific remote port. ... dynamic port to a random remote port. ... 60000 Any Tcp Outbound ...
      (microsoft.public.isa)
    • Re: Cannot find server or DNS error
      ... If you are using a firewall, make sure port 443 tcp for https is open for outbound ...
      (microsoft.public.security)
    • Re: Setting up SMTP for outbound mail only
      ... TCP 53 is used for normal DNS recursion ... outbound + stateful TCP 53 is all that is necessary. ... that zone transfer is not possible from the Net at large. ...
      (microsoft.public.inetserver.iis.smtp_nntp)
    • Point32.exe
      ... The program which initiates ... Protocall is TCP (Outbound) and the Remote Address is ...
      (microsoft.public.windowsxp.security_admin)
    • Re: TCP Port 53 Closed
      ... There are many exploits due to handshake of TCP. ... > You also want to set the rules to allow outbound with a KEEPSTATE. ... > You may also allow the 53 UDP to your ISP DNS Server only and set the rules ...
      (comp.security.firewalls)