On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:

> On 5/31/2011 2:38 PM, Supersonic wrote:
>> I have a BIND 9.8.0-P2 server instance running on a production server.
> 
> Doing what, exactly? Resolving internal names only? Resolving Internet names? 
> Acting as an authoritative server for internal clients? Internet clients? 
> Some combination of the above?
> 
>> My firewall is showing repeated attempts by named.exe to connect to IP 
>> addresses in foreign countries on ports 6666, 6667 and 6669 - common IRC 
>> ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
>> that it is unchanged from the installation source. Is this connection 
>> normal? Should I be allowing it?
>> 
> TCP connections or UDP packets?
> 
> If you're serving authoritative data to Internet clients, then my guess is 
> your firewall simply isn't "stateful" enough to realize that these are 
> responses to DNS queries that originally came in from Internet clients using 
> those port numbers. Just because they are "common IRC ports used by 
> worms/trojans/zombies" doesn't preclude them from also being chosen at random 
> as the source ports of incoming queries to your nameserver. Responses go back 
> to the same port from which the query was received.


Can you make a distribution of ports and see if it contacts other port numbers 
with approximately the same frequency? I'm guessing this is just the FW / IDS 
being "helpful"....

W

> 
> If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
> of any legitimate reason why named would be trying to TCP-connect to any port 
> other than 53.
> 
> - Kevin
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
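
The two checks suggested in this thread (the distribution of destination ports for packets leaving port 53, and any outbound TCP that does not involve port 53), sketched as an added example that is not part of the original messages. The log format and the sample lines are constructed assumptions; adapt the regular expression to what your firewall actually writes.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical firewall log format
# (time, action, protocol, src:port -> dst:port, process). Not from the thread.
SAMPLE_LOG = """\
2011-05-31T15:01:02 BLOCK UDP 192.0.2.10:53 -> 198.51.100.7:6667 named.exe
2011-05-31T15:01:03 ALLOW UDP 192.0.2.10:53 -> 203.0.113.5:41822 named.exe
2011-05-31T15:01:05 BLOCK UDP 192.0.2.10:53 -> 198.51.100.9:6666 named.exe
2011-05-31T15:01:09 ALLOW UDP 192.0.2.10:53 -> 203.0.113.77:50311 named.exe
2011-05-31T15:01:11 BLOCK UDP 192.0.2.10:53 -> 198.51.100.23:6669 named.exe
2011-05-31T15:01:12 ALLOW UDP 192.0.2.10:53 -> 203.0.113.5:41822 named.exe
2011-05-31T15:01:14 ALLOW UDP 192.0.2.10:50123 -> 198.51.100.1:53 named.exe
2011-05-31T15:01:20 ALLOW TCP 192.0.2.10:53 -> 198.51.100.7:52100 named.exe
2011-05-31T15:01:31 BLOCK TCP 192.0.2.10:49155 -> 203.0.113.99:6667 named.exe
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<proto>TCP|UDP) [\d.]+:(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) named\.exe$"
)

def analyze(log_text):
    """Return (UDP reply destination-port counts, suspicious TCP connections)."""
    udp_reply_ports = Counter()
    tcp_non_dns = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["proto"] == "UDP" and sport == 53:
            # Packet leaving port 53: a response going back to the client's source port.
            udp_reply_ports[dport] += 1
        elif m["proto"] == "TCP" and sport != 53 and dport != 53:
            # TCP where neither end is port 53: not a DNS query or reply.
            tcp_non_dns.append((m["dst"], dport))
    return udp_reply_ports, tcp_non_dns

if __name__ == "__main__":
    ports, tcp = analyze(SAMPLE_LOG)
    for port, count in sorted(ports.items()):
        print(f"udp reply -> port {port}: {count}")
    for dst, port in tcp:
        print(f"outbound TCP to non-53 port: {dst}:{port}")
```

If ports 6666, 6667 and 6669 show up about as often as other high ports in the UDP counts, the alerts match the "responses to client source ports" explanation; any entry in the TCP list is the case Kevin says he would be worried about.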
