On Sun, Feb 04, 2001 at 08:13:43PM +0100, Gustav Schaffter wrote:

> Any idea of why I get so many packets on port 53? DENY'd so far, but...

TCP or UDP? Both are used by DNS but for generally different tasks.

> Yes, I do let in all ! -y packets from my two DNS servers and also from
> the 13 root servers.

But if your name servers are authoritative for your zones, you
could be getting referred/redirected requests from anywhere in the world
where someone is querying a name in that zone (should generally be UDP
of course).

> Should there be any traffic from the root servers? I run my own DNS with
> forwards to the two DNS servers of my ISP.

Possible. If those name servers are registered as a Primary or a
Secondary for any zones then, yes, I would expect to see periodic traffic
from the root name servers as well as resolvers from everywhere. If they
are caching only and not registered with the Internic and root name servers,
you can still get redirect responses back from them.

Generally, the root name servers should redirect a request from
a resolver to the name servers which are registered for that zone. It
may also be possible for them to forward the request recursively as well.
Each would result in different traffic. Redirected traffic should come
directly from the requesting resolver. Recursive traffic would come from
the last name server handling the request. Redirection should be preferable
for a root name server to reduce the load on handling the query traffic.
But the root name servers themselves may require zone information that
may be contained in the SOA records or NS records, as well.

You should not be seeing TCP traffic on 53 unless requests are
larger than what can be handled in a single UDP packet. Those are
typically zone transfers and you probably don't want that.

Basically, if you run, register, and advertise an authoritative
DNS server, you can expect DNS traffic from anywhere at any time. If you
are running a caching only name server, you can expect responses to come
back from just about any name server. If your request is redirected to
another name server, instead of being recursively forwarded, the final
response traffic should come from the authoritative servers. You may
get redirect traffic back from the root name servers as well. So again,
you can expect traffic (mostly UDP) from just about any other name server
on the net.
> Regards
> Gustav
> "Michael H. Warfield" wrote:
> >
> > On Sun, Feb 04, 2001 at 12:15:19PM -0600, Mikkel L. Ellertson wrote:
> > > Did I miss an update, or do I have a cracker that is out of date? I
> > > have someone trying to connect up to port 515 (printserver) on my
> > > firewall. He/she/it isn't having much luck so far... ;-)
> >
> > Probably someone looking to break into LPRng that came on the
> > original (pre respin) RedHat 7.0. The Ramen worm, in particular, tries
> > to break in this way. The majority of RedHat 7.0 should be safe. Your
> > only worry is if you used the original ISO images (not a purchased
> > version or the respin version) or built the system prior to the
> > LPRng update. Ramen checks the banner from ftp to see if you are
> > running a RedHat 7.0 site, so a lot of RedHat 7.0 systems will get
> > hammered by LPR requests, even if they are not vulnerable, if they
> > have ftp enabled. Ramen is resulting in very significant increases
> > in port scanning on ports 21 and 111 plus some port probing to 515.
> >
> > > Mikkel
>
> --
> pgp = Pretty Good Privacy.
>
> To get my public pgp key, send an e-mail to: [EMAIL PROTECTED]
>
> Visit my web site at http://www.schaffter.com
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
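The triage rules Michael lays out above (replies on source port 53 can legitimately arrive from any name server once a caching resolver follows referrals; inbound queries only make sense for an authoritative server; TCP SYNs to port 53 are large-answer or zone-transfer territory), turned into a small classifier for denied firewall records. This is an added example, not code from the thread; the sample packets, the forwarder addresses (RFC 5737 documentation ranges) and the host's role are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str            # remote address
    sport: int          # remote port
    dport: int          # local port
    syn: bool = False   # TCP with SYN set, i.e. what ipchains "-y" matches


def classify(pkt, forwarders, authoritative):
    """Verdict for one DENY'd packet, following the thread's reasoning."""
    is_reply = pkt.sport == 53 and pkt.dport != 53
    # Answers to our own queries: from a configured forwarder, or from
    # whichever server a referral sent us to. Both are normal for a resolver.
    if is_reply and (pkt.proto == "udp" or not pkt.syn):
        return "expected-forwarder" if pkt.src in forwarders else "expected-referral"
    if pkt.proto == "udp":
        # Somebody is asking *us* a question: fine only if we serve a zone.
        return "expected-query" if authoritative else "unexpected-query"
    if pkt.syn:
        # New inbound TCP connection to 53: truncated answers or zone
        # transfers; worth a look even on an authoritative server.
        return "review-tcp-syn" if authoritative else "unexpected-tcp-syn"
    return "review-tcp"   # mid-stream TCP that is neither reply nor SYN


def triage(packets, forwarders, authoritative):
    """Count verdicts over a batch of denied packets."""
    return Counter(classify(p, forwarders, authoritative) for p in packets)


# Constructed sample modelled on the poster's setup: a caching-only
# resolver forwarding to two ISP name servers (addresses are assumptions).
FORWARDERS = {"192.0.2.10", "192.0.2.11"}
SAMPLE = [
    Packet("udp", "192.0.2.10", 53, 33001),         # answer from ISP forwarder
    Packet("udp", "198.51.100.7", 53, 33002),       # answer after a referral
    Packet("udp", "203.0.113.9", 40123, 53),        # someone querying us
    Packet("tcp", "203.0.113.9", 40124, 53, True),  # TCP SYN to our port 53
    Packet("tcp", "192.0.2.11", 53, 33003),         # TCP reply, large answer
]

if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE, FORWARDERS, False).items()):
        print(f"{verdict:22s} {n}")
```

Run with `authoritative=True` to see the same batch judged for a server that does publish zones: the inbound UDP query becomes expected and the TCP SYN drops to "review" instead of "unexpected".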