RE: strange traffic on UDP port 53

From: Mike (mike_at_coenholdings.ie)
Date: 06/06/03

    To: "'Ronald Belchez'" <meukone@yahoo.co.uk>, <incidents@securityfocus.com>
    Date: Fri, 6 Jun 2003 08:39:52 +0100


    After deploying a new mail server/internet gateway (behind a firewall) I
    found a similar problem with packets being stopped by our firewall.
    After performing an nslookup on the "offending" IP address I found it
    belonged to our ISP. On querying them about this odd behaviour the
    explanation given (and other evidence seems to bear this out) was that
    our mail server was performing DNS lookups for the delivery of mail and
    on behalf of our internal network, as it was configured as a forwarder
    because it was behind a firewall. The IP address in question was merely
    replying to DNS queries which had been forwarded to it by our ISP's
    primary DNS server, and as the firewall would only allow DNS replies
    through from certain IP addresses it was stopping any others. The
    incrementing of the source ports you are seeing is due to the fact that
    when the DNS reply is not acknowledged by the target system it tries
    again on the next available port.
    It is usually only a minor inconvenience (although the other day one
    server filled my firewall log 4 times and I was alerted to possible port
    scans a number of times during the day). If it bothers you too much, try
    filtering the logs to remove the offending entries, or you can allow all
    port 53 traffic in (unless like me you suffer from paranoid delusions
    that everyone on the internet is out to get you).

    -----Original Message-----
    From: Ronald Belchez [mailto:meukone@yahoo.co.uk]
    Sent: 04 June 2003 22:14
    To: incidents@securityfocus.com
    Subject: strange traffic on UDP port 53

    Hi All,

    We don't have a firewall and are just relying on an access-list on our
    border router. After I applied the new access-list I am continuously
    receiving the logs shown below. The destination IP is our mail server
    (not running any DNS service), while the source IP is unsolicited and
    uses source ports with some sort of incremental pattern; the denied
    packet logs have also been continuous now for about 4 days. I am not
    aware of any trojan or worm using the below. I already tried searching
    Google but cannot find the explanation or something that might help me
    understand the below....

    Please advise.

    --logs start here---

    denied udp XX7.Y3.71.242(54067) -> XX3.Y1.246.66(53), 1 packet
    denied udp XX7.Y3.71.242(54070) -> XX3.Y1.246.66(53), 1 packet
    denied udp XX7.Y3.71.242(53967) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(53972) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(53979) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(53989) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(54003) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(53982) -> XX3.Y1.246.66(53), 34 packets
    denied udp XX7.Y3.71.242(54009) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(54027) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(54035) -> XX3.Y1.246.66(53), 2 packets
    denied udp XX7.Y3.71.242(54042) -> XX3.Y1.246.66(53), 2 packets


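A small triage helper for the kind of denied-packet log quoted in the thread, added here as an example and not code from either poster: it parses the log lines, groups them per source and destination, and applies the check Mike describes (confirm whether the "offending" source is one of your ISP's resolvers) before deciding between a log filter and a closer look. The sample lines, the documentation-range addresses and the known_resolvers set are constructed assumptions, not the thread's real hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the denied-packet log quoted in the
# thread; addresses are RFC 5737 documentation ranges, not the original hosts.
SAMPLE_LOG = """\
denied udp 192.0.2.242(54067) -> 198.51.100.66(53), 1 packet
denied udp 192.0.2.242(54070) -> 198.51.100.66(53), 1 packet
denied udp 192.0.2.242(53967) -> 198.51.100.66(53), 2 packets
denied udp 192.0.2.242(53982) -> 198.51.100.66(53), 34 packets
denied udp 203.0.113.9(1024) -> 198.51.100.66(53), 1 packet
denied udp 203.0.113.9(1025) -> 198.51.100.66(25), 1 packet
denied udp 203.0.113.9(1026) -> 198.51.100.66(161), 1 packet
"""

LINE_RE = re.compile(
    r"denied udp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_denied(log_text):
    """Return (src, sport, dst, dport, count) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], int(m["sport"]), m["dst"],
                           int(m["dport"]), int(m["count"])))
    return events


def triage(events, known_resolvers):
    """Group denies per (src, dst); known_resolvers holds resolver addresses
    you have already confirmed (nslookup/whois, as in the thread) as your ISP's."""
    groups = defaultdict(list)
    for src, sport, dst, dport, count in events:
        groups[(src, dst)].append((sport, dport, count))
    verdicts = {}
    for (src, dst), hits in groups.items():
        only_dns = {dp for _, dp, _ in hits} == {53}
        ephemeral = all(sp >= 1024 for sp, _, _ in hits)
        if only_dns and ephemeral:
            # Port-53-only from ephemeral ports is DNS-shaped: first ask whether
            # the source is a resolver you already depend on.
            label = ("dns-shaped: known ISP resolver, filter the log or allow it"
                     if src in known_resolvers
                     else "dns-shaped: confirm source ownership before dismissing")
        else:
            label = "multiple destination ports: treat as a probe"
        verdicts[(src, dst)] = (label, sum(c for _, _, c in hits))
    return verdicts
```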