Re: Portscan from DNS server?

From: Sven Pran (no.direct@mail.please)
Date: 06/10/02


From: "Sven Pran" <no.direct@mail.please>
Date: Mon, 10 Jun 2002 05:15:45 GMT


"Andrew Norman" <andy@norman.cx> wrote in message
news:l8r7gucuhmhacuel6l9iuehv78rsroaqkm@4ax.com...
> On Sun, 09 Jun 2002 20:56:23 GMT, "Sven Pran" <no.direct@mail.please>
> wrote:
>
> >With an ADSL connection and a DLINK DI-804 router/gateway/firewall
> >between the ADSL modem and my local network I installed the free
> >version of ZoneAlarm to see if it has any merits in addition to DI-804.
> >
> >Apparently yes, it began reporting what appeared to be a portscan
> >(starting with port 1025 and working its way up).
> >
> >A little investigation revealed that the "intruder" was actually the
> >primary DNS server whose address had been obtained by the DI-804
> >from DHCP when I last started my ADSL connection.
> >
> >So now I have some questions:
> >
> >Is there any legitimate reason for DNS to perform a portscan like
> >this?
>
> These are not portscans. These are replies from the DNS server to DNS
> queries you have made. You need to allow TCP/UDP traffic from port 53
> through your firewall for DNS queries to work properly.

Thanks - that sounds reasonable, except that I did not notice any
malfunction (DNS lookup failure) during the hours when ZoneAlarm
reported all such traffic being blocked?

So how do I best configure ZoneAlarm to not bother about this particular
traffic? Temporarily I have added the actual IP addresses to my local
zone, but as the DNS addresses are received from DHCP I believe I
have no guarantee (and should not depend upon) that they might not
change in the future.

Is it safe to open for any and all incoming traffic from port 53 regardless
of IP address?

regards Sven
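
An added example, not part of the original posts: a sketch of the stateful matching that separates DNS replies to outstanding queries from packets that merely carry source port 53, next to the stateless "allow anything from port 53" rule asked about above. The addresses, the 5-second timeout and the log records are constructed for illustration.

```python
from collections import namedtuple

# Constructed firewall log records (not taken from the thread).
Pkt = namedtuple("Pkt", "t direction proto src sport dst dport")

SAMPLE = [
    Pkt(0.00, "out", "udp", "192.0.2.10", 1025, "198.51.100.53", 53),
    Pkt(0.04, "in", "udp", "198.51.100.53", 53, "192.0.2.10", 1025),  # answer to the query above
    Pkt(1.00, "out", "udp", "192.0.2.10", 1026, "198.51.100.53", 53),
    Pkt(9.00, "in", "udp", "198.51.100.53", 53, "192.0.2.10", 1026),  # answer arrives after state expired
    Pkt(9.50, "in", "udp", "203.0.113.7", 53, "192.0.2.10", 1027),    # no query was ever sent to this host
]


def classify(packets, timeout=5.0):
    """Label each inbound packet from source port 53 as 'reply', 'late' or 'unsolicited'."""
    pending = {}  # (proto, server_ip, local_port) -> time of the last outbound query
    verdicts = []
    for p in sorted(packets, key=lambda pkt: pkt.t):
        if p.direction == "out" and p.dport == 53:
            pending[(p.proto, p.dst, p.sport)] = p.t
        elif p.direction == "in" and p.sport == 53:
            sent = pending.get((p.proto, p.src, p.dport))
            if sent is None:
                verdicts.append((p, "unsolicited"))  # matches no query: drop and log
            elif p.t - sent <= timeout:
                verdicts.append((p, "reply"))        # matches a recent query: accept
            else:
                verdicts.append((p, "late"))         # matches a query, but too old: drop
    return verdicts


def source_port_rule_allows(p):
    """Stateless rule: accept any inbound packet whose source port is 53."""
    return p.direction == "in" and p.sport == 53


if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.t:5.2f}s {pkt.src}:{pkt.sport} -> :{pkt.dport}  "
              f"stateful={verdict:<11} stateless_allow={source_port_rule_allows(pkt)}")
```

The stateless rule accepts all three inbound packets, including the one from a host that was never queried, because the source port is chosen by the sender. The stateful check accepts only the packet that answers a recent query from the same server to the same local port.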


