Re: [Dorset] [OT] DNS port number
On Friday, February 25, 2011 05:25:29 pm Ralph Corderoy wrote:
> Hi Andrew,
>
> > Once a connection is made (an incoming connect request to an allowed
> > port) accept(2) will grab another port so that the original port is
> > free for further connect requests.
>
> For the benefit of others, since I know you really know this already
> :-), accept(2) creates another *socket* to handle the connection that's
> been made, not another port, so further connection requests on the
> existing socket can be accepted. The port number is the same for both
> sockets; that's fine since the 5-tuple overall will be distinct between
> the two.
>
> Cheers,
> Ralph.

Yup! sincerest apologies.
You are of course right - it's the 5-tuple that identifies the endpoint.
Andy

--
Next meeting: Blandford Forum, Wednesday 2011-03-02 20:00
Meets, Mailing list, IRC, LinkedIn, ... http://dorset.lug.org.uk/
How to Report Bugs Effectively: http://goo.gl/4Xue
Re: [Dorset] [OT] DNS port number
Hi Andrew,

> Once a connection is made (an incoming connect request to an allowed
> port) accept(2) will grab another port so that the original port is
> free for further connect requests.

For the benefit of others, since I know you really know this already
:-), accept(2) creates another *socket* to handle the connection that's
been made, not another port, so further connection requests on the
existing socket can be accepted. The port number is the same for both
sockets; that's fine since the 5-tuple overall will be distinct between
the two.

Cheers,
Ralph.
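Added example, not part of Ralph's message: a loopback check of the point above, that accept(2) returns a new socket on the same local port and that only the remote end of the 5-tuple differs. The function names `five_tuple` and `accept_demo` are made up for this sketch.

```python
import socket


def five_tuple(sock):
    """(protocol, local address, local port, remote address, remote port)."""
    laddr, lport = sock.getsockname()[:2]
    raddr, rport = sock.getpeername()[:2]
    return ("TCP", laddr, lport, raddr, rport)


def accept_demo(n_clients=2):
    """Accept n_clients loopback connections on one listening socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: the kernel picks a spare port
    listener.listen(n_clients)
    listen_port = listener.getsockname()[1]

    clients, accepted = [], []
    try:
        for _ in range(n_clients):
            # Each client gets its own ephemeral local port from the kernel.
            clients.append(socket.create_connection(("127.0.0.1", listen_port)))
            conn, _peer = listener.accept()  # new socket, same local port
            accepted.append(conn)
        return {
            "listen_port": listen_port,
            "listener_fd": listener.fileno(),
            "accepted_fds": [s.fileno() for s in accepted],
            "server_tuples": [five_tuple(s) for s in accepted],
            "client_tuples": [five_tuple(s) for s in clients],
        }
    finally:
        for s in clients + accepted + [listener]:
            s.close()


if __name__ == "__main__":
    result = accept_demo()
    print("listening port:", result["listen_port"])
    for t in result["server_tuples"]:
        print("accepted socket 5-tuple:", t)
```

Every accepted socket reports the listening port as its local port; the tuples differ only in the client's ephemeral port.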
Re: [Dorset] [OT] DNS port number
Hi Tim,

> So these inbound TCP\UDP based request, should I continue to block
> them?

Hard to say without investigating to find out if you're sending out
questions and these are the valid replies. Then you may decide to stop
sending questions out instead, e.g. find that errant thing using Google
when you don't intend it to. If you don't want to do that and
everything appears to be working then you could just ignore them.

Cheers,
Ralph.
Re: [Dorset] [OT] DNS port number
On Thursday, February 24, 2011 07:06:34 pm Tim wrote:
> On Thursday 24 February 2011 00:15:10 Ralph Corderoy wrote:
> > Hi Dan,
> >
> > > On Wednesday 23 February 2011 23:12:31 Dan Dart wrote:
> > > > 8.8.8.8 is Google's DNS service. If you're using it, then that'll be
> > > > why. The high port numbers are the responses. which were blocked :(
> > >
> > > I know 8.8.8.8 is google, I have had the same log entries when I was
> > > using opendns IP (208.67.222.222). I realise that the log entry is
> > > telling me that a port scan was blocked but I want to know why the dns
> > > is scanning my system on high port numbers when the dns port number is
> > > normal 53, is this high level port number scanning normal activity??
> >
> > If I'm remembering my Stevens' correctly, and Andy Paterson will correct
> > me if I'm wrong, IP packets use a 5-tuple to fully specify the
> > "connection", e.g. TCP. Its members are
> >
> >     protocol, local address, local port, remote address, remote port
> >
> > When my machine sends a DNS request to Google that tuple might be
> >
> >     UDP, 87.113.175.32, 49681, 8.8.8.8, 53
> >
> > 87... is my IP address at the moment, 8.8.8.8 and 53 you recognise as
> > one of Google's DNS servers' IP addresses and the domain service's port
> > number. The local port, 49681, has been picked randomly by my machine
> > because the resolver software said it didn't care what the port number
> > was so it just got a spare one.
> >
> > It's the well-known destination port, 53, that's important when
> > initiating a request to a server. The server will see the address and
> > port number of the peer, 87.113.175.32 and 49681, and send the reply
> > there.
> >
> > No two duplicate 5-tuples exist at the same moment. If I ssh, port 22,
> > from machine foo to machine bar in one terminal, and then do the same in
> > another, the tuples may be
> >
> >     TCP, foo, 41839, bar, 22
> >     TCP, foo, 38220, bar, 22
> >
> > It's the differing local port numbers that allow those two connections
> > to exist at the same time; every other member of the tuple is
> > identical.
> >
> > So back to your original issue,
> >
> > > TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011
> > > targeting ***.***.***.***,61169, sent from 8.8.8.8,53 (*=my ip
> > > address)
> >
> > 61169 is the local port number that Google's DNS server thinks
> > originated the request that it's replying to. Your stateful firewall
> > software thinks that's a port scan because it never saw the outgoing
> > request or the request to Google didn't come from you and someone is
> > spoofing your IP address. Or your firewall is buggy. :-) If they are
> > spoofing you then they're probably not picking on you per se, it's just
> > one of those things and this email is long enough already.
> >
> > As for why they still occur when you use OpenDNS, I guess it's because
> > something on your LAN is still configured to use Google. You could use
> > tcpdump or Wireshark on an appropriate machine to try and see the
> > outgoing request.
> >
> >     sudo tcpdump port domain
> >
> > Cheers,
> > Ralph.
>
> So these inbound TCP\UDP based request, should I continue to block them? if
> I allow them through how do I do it, do I need to forward them to
> something on my network possibly my firewall?
>
> Tim

Hi,
I stand corrected if I am wrong - but I believe with TCP you are blocking
CONNECT requests. There shouldn't be anything trying to connect to an
unknown (high) TCP port [not specifically allowed by your firewall] on your
m/c - so yes - block them.

Once a connection is made (an incoming connect request to an allowed port)
accept(2) will grab another port so that the original port is free for
further connect requests. The new port [your end of the tcp connection]
will be an unused port in the range you are talking about - but this won't
matter, since it's the connect requests that are blocked not parts of an
active tcp connection. However (as Ralph is pointing out) the firewall
tries to recognise that a TCP message (datagram) is part of an established
connection & if it doesn't think it is - for the reason Ralph gave - it will
drop the datagram.

With UDP (since it's connectionless) you are simply blocking any datagrams
(messages) destined to the specified port on your system.

Just my 10C
Andy
Re: [Dorset] [OT] DNS port number
On Thursday 24 February 2011 00:15:10 Ralph Corderoy wrote:
> Hi Dan,
>
> > On Wednesday 23 February 2011 23:12:31 Dan Dart wrote:
> > > 8.8.8.8 is Google's DNS service. If you're using it, then that'll be
> > > why. The high port numbers are the responses. which were blocked :(
> >
> > I know 8.8.8.8 is google, I have had the same log entries when I was
> > using opendns IP (208.67.222.222). I realise that the log entry is
> > telling me that a port scan was blocked but I want to know why the dns
> > is scanning my system on high port numbers when the dns port number is
> > normal 53, is this high level port number scanning normal activity??
>
> If I'm remembering my Stevens' correctly, and Andy Paterson will correct
> me if I'm wrong, IP packets use a 5-tuple to fully specify the
> "connection", e.g. TCP. Its members are
>
>     protocol, local address, local port, remote address, remote port
>
> When my machine sends a DNS request to Google that tuple might be
>
>     UDP, 87.113.175.32, 49681, 8.8.8.8, 53
>
> 87... is my IP address at the moment, 8.8.8.8 and 53 you recognise as
> one of Google's DNS servers' IP addresses and the domain service's port
> number. The local port, 49681, has been picked randomly by my machine
> because the resolver software said it didn't care what the port number
> was so it just got a spare one.
>
> It's the well-known destination port, 53, that's important when
> initiating a request to a server. The server will see the address and
> port number of the peer, 87.113.175.32 and 49681, and send the reply
> there.
>
> No two duplicate 5-tuples exist at the same moment. If I ssh, port 22,
> from machine foo to machine bar in one terminal, and then do the same in
> another, the tuples may be
>
>     TCP, foo, 41839, bar, 22
>     TCP, foo, 38220, bar, 22
>
> It's the differing local port numbers that allow those two connections
> to exist at the same time; every other member of the tuple is
> identical.
>
> So back to your original issue,
>
> > TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011
> > targeting ***.***.***.***,61169, sent from 8.8.8.8,53 (*=my ip
> > address)
>
> 61169 is the local port number that Google's DNS server thinks
> originated the request that it's replying to. Your stateful firewall
> software thinks that's a port scan because it never saw the outgoing
> request or the request to Google didn't come from you and someone is
> spoofing your IP address. Or your firewall is buggy. :-) If they are
> spoofing you then they're probably not picking on you per se, it's just
> one of those things and this email is long enough already.
>
> As for why they still occur when you use OpenDNS, I guess it's because
> something on your LAN is still configured to use Google. You could use
> tcpdump or Wireshark on an appropriate machine to try and see the
> outgoing request.
>
>     sudo tcpdump port domain
>
> Cheers,
> Ralph.

So these inbound TCP\UDP based request, should I continue to block them? if
I allow them through how do I do it, do I need to forward them to
something on my network possibly my firewall?

Tim
Re: [Dorset] [OT] DNS port number
On Thursday 24 February 2011 08:23:59 Peter Merchant wrote:
> Tim Wrote:
> > I do have my own Firewall PC behind the router but I have been
> > considering removing it as it is very old PC and an old firewall
> > software.
>
> Someone on here was offering a PC in the Wimborne area if I remember
> right. We can help get that to you.
>
> I found IpCop to be good firewall software.
>
> Peter

It is OK, I don't need another PC to run any new Firewall software as I
have a spare PC which could do the work. It's just I am not sure if PC
running firewall software will be any better than the existing
Virgin\netgear cable router. With the virgin router I can't set the dns as
they are inherited from Virgin but I have the option of port forwarding,
dmz etc.

Just as a pointer, the old firewall is a P2\200mhz 64mb Viglen PC running
IPCop 1.2, yes it is that old. I picked it up third hand and it has run
pretty much 24\7 for the 8 years

Tim
Re: [Dorset] [OT] DNS port number
Yup, Ralph, that's how I see one abstraction of it...

I get iptables panic when I use Skype. It uses lots of high UDPs for a
hole punch. It eventually works though.
Re: [Dorset] [OT] DNS port number
Tim Wrote:
> I do have my own Firewall PC behind the router but I have been considering
> removing it as it is very old PC and an old firewall software.

Someone on here was offering a PC in the Wimborne area if I remember
right. We can help get that to you.

I found IpCop to be good firewall software.

Peter
Re: [Dorset] [OT] DNS port number
On Thursday, February 24, 2011 12:03:26 am Andrew Reid Paterson wrote:
> On Wednesday, February 23, 2011 11:33:57 pm Tim wrote:
> > On Wednesday 23 February 2011 23:22:14 Andrew Reid Paterson wrote:
> > > On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> > > > On 23 February 2011 23:03, Tim wrote:
> > > > > Any thoughts?
> > > >
> > > > I'd look into setting up a DMZ box (if you've a spare machine),
> > > > separating the internal network from the Virgin/BT/whatever supplied
> > > > h/ware. extreme, admittedly, but what price peace of mind?
> > >
> > > Hi Tim,
> > > I have precisely this kind of setup simply by having two network
> > > interfaces on my main system which runs iptables and is connected via
> > > the internal lan cable and hub to a wireless repeater on which connect
> > > to my wifi gadgets like ps3, nokia phone & bravia tv.
> > > What I really like is the level of control I have from configuring
> > > iptables right down to monitoring with wireshark and dhcp control of
> > > clients. Perish the thought of a cable wifi router.
> > > incidentally, as Dan says 8.8.8.8 is google dns.
> > > Why are you not using Virgin's own dns - which can be set via dhcp?
> > > Regards
> > > Andy
> >
> > Hi Andy, I have been with NTL\Virgin a very long time (since it arrived
> > in the bmth\Poole area, I was a tester) and in the early days NTL DNS
> > were terrible, so I have been using non NTL\Virgin DNS for as long as I
> > have been using NTL\Virgin cable.
> >
> > I do have my own Firewall PC behind the router but I have been
> > considering removing it as it is very old PC and an old firewall
> > software.
> >
> > While I am aware that 8.8.8.8 is google, I have had exactly the same
> > problem when I was using opendns IP (208.67.222.222)
> >
> > Tim
>
> Hi Tim,
> I understand what you say - I do remember something about the DNS being
> slow - once - indeed I tried changing to use something (prob not opendns at
> the time) & I had problems I never managed to identify. So I switched back
> to NTL's servers and to be frank, I don't have any problems now (I suspect
> this is poss. because NTL/virgin cable is relatively lightly loaded - cos
> they are expensive!).
> But as I say, I simply have my main system with an additional ethernet card
> - so it behaves just like your old stand-alone firewall PC but it's also my
> server.
> It's quite educational setting it up tho' particularly when upgrading - but
> then - it's good fun (except you have no internet connection till you get it
> right!).
> Whatever is to your taste - I just do what works for me - whatever you do
> - good luck.
> Regards
> Andy

Hi again Tim,
what I prob didn't make clear (but I'm sure you knew what I meant) is that
I have an ethernet cable modem NOT a router.
Regards
Andy
Re: [Dorset] [OT] DNS port number
Hi Dan,

> On Wednesday 23 February 2011 23:12:31 Dan Dart wrote:
> > 8.8.8.8 is Google's DNS service. If you're using it, then that'll be
> > why. The high port numbers are the responses. which were blocked :(
>
> I know 8.8.8.8 is google, I have had the same log entries when I was
> using opendns IP (208.67.222.222). I realise that the log entry is
> telling me that a port scan was blocked but I want to know why the dns
> is scanning my system on high port numbers when the dns port number is
> normal 53, is this high level port number scanning normal activity??

If I'm remembering my Stevens' correctly, and Andy Paterson will correct
me if I'm wrong, IP packets use a 5-tuple to fully specify the
"connection", e.g. TCP. Its members are

    protocol, local address, local port, remote address, remote port

When my machine sends a DNS request to Google that tuple might be

    UDP, 87.113.175.32, 49681, 8.8.8.8, 53

87... is my IP address at the moment, 8.8.8.8 and 53 you recognise as
one of Google's DNS servers' IP addresses and the domain service's port
number. The local port, 49681, has been picked randomly by my machine
because the resolver software said it didn't care what the port number
was so it just got a spare one.

It's the well-known destination port, 53, that's important when
initiating a request to a server. The server will see the address and
port number of the peer, 87.113.175.32 and 49681, and send the reply
there.

No two duplicate 5-tuples exist at the same moment. If I ssh, port 22,
from machine foo to machine bar in one terminal, and then do the same in
another, the tuples may be

    TCP, foo, 41839, bar, 22
    TCP, foo, 38220, bar, 22

It's the differing local port numbers that allow those two connections
to exist at the same time; every other member of the tuple is
identical.

So back to your original issue,

> TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011
> targeting ***.***.***.***,61169, sent from 8.8.8.8,53 (*=my ip
> address)

61169 is the local port number that Google's DNS server thinks
originated the request that it's replying to. Your stateful firewall
software thinks that's a port scan because it never saw the outgoing
request or the request to Google didn't come from you and someone is
spoofing your IP address. Or your firewall is buggy. :-) If they are
spoofing you then they're probably not picking on you per se, it's just
one of those things and this email is long enough already.

As for why they still occur when you use OpenDNS, I guess it's because
something on your LAN is still configured to use Google. You could use
tcpdump or Wireshark on an appropriate machine to try and see the
outgoing request.

    sudo tcpdump port domain

Cheers,
Ralph.
Re: [Dorset] [OT] DNS port number
On Wednesday, February 23, 2011 11:33:57 pm Tim wrote:
> On Wednesday 23 February 2011 23:22:14 Andrew Reid Paterson wrote:
> > On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> > > On 23 February 2011 23:03, Tim wrote:
> > > > Any thoughts?
> > >
> > > I'd look into setting up a DMZ box (if you've a spare machine),
> > > separating the internal network from the Virgin/BT/whatever supplied
> > > h/ware. extreme, admittedly, but what price peace of mind?
> >
> > Hi Tim,
> > I have precisely this kind of setup simply by having two network
> > interfaces on my main system which runs iptables and is connected via
> > the internal lan cable and hub to a wireless repeater on which connect
> > to my wifi gadgets like ps3, nokia phone & bravia tv.
> > What I really like is the level of control I have from configuring
> > iptables right down to monitoring with wireshark and dhcp control of
> > clients. Perish the thought of a cable wifi router.
> > incidentally, as Dan says 8.8.8.8 is google dns.
> > Why are you not using Virgin's own dns - which can be set via dhcp?
> > Regards
> > Andy
>
> Hi Andy, I have been with NTL\Virgin a very long time (since it arrived in
> the bmth\Poole area, I was a tester) and in the early days NTL DNS were
> terrible, so I have been using non NTL\Virgin DNS for as long as I have
> been using NTL\Virgin cable.
>
> I do have my own Firewall PC behind the router but I have been considering
> removing it as it is very old PC and an old firewall software.
>
> While I am aware that 8.8.8.8 is google, I have had exactly the same
> problem when I was using opendns IP (208.67.222.222)
>
> Tim

Hi Tim,
I understand what you say - I do remember something about the DNS being
slow - once - indeed I tried changing to use something (prob not opendns at
the time) & I had problems I never managed to identify. So I switched back
to NTL's servers and to be frank, I don't have any problems now (I suspect
this is poss. because NTL/virgin cable is relatively lightly loaded - cos
they are expensive!).
But as I say, I simply have my main system with an additional ethernet card
- so it behaves just like your old stand-alone firewall PC but it's also my
server.
It's quite educational setting it up tho' particularly when upgrading - but
then - it's good fun (except you have no internet connection till you get it
right!).
Whatever is to your taste - I just do what works for me - whatever you do
- good luck.
Regards
Andy
Re: [Dorset] [OT] DNS port number
Yes - the RESPONSE is on high ports - which your router would normally let
in because they are in the state ESTABLISHED or RELATED (hole punching).
You can try blocking everything coming in on iptables - but you won't get
any responses from anyone unless you let these packets in.
Obviously your firewall was being too strict and disallowing them - and it
kept trying on different ports.
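Added example, not part of any poster's message: a toy model of the state tracking that Ralph's explanation and the ESTABLISHED reply above both rely on, plus a parser for the router log line quoted in the thread. The LAN address, packet timeline and 30-second idle timeout are constructed assumptions; the EXPIRED case goes beyond what the thread discusses.

```python
import re
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float      # seconds on a constructed timeline
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Matches the "Port Scan DETECTED" router log line quoted in the thread.
LOG_RE = re.compile(
    r"Port Scan DETECTED on (?P<when>.+?)\s+targeting\s+(?P<dst>[^,\s]+),"
    r"(?P<dport>\d+),\s+sent from\s+(?P<src>[^,\s]+),(?P<sport>\d+)")


def parse_router_log(line):
    """Return the addresses and ports of a log entry, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"when": m["when"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


class StateTable:
    """Toy connection tracker keyed on the 5-tuple as seen leaving the LAN."""

    def __init__(self, lan_addrs, idle_timeout=30.0):
        self.lan = set(lan_addrs)
        self.idle_timeout = idle_timeout   # assumed value, not from the thread
        self.flows = {}                    # outbound 5-tuple -> last time seen

    def classify(self, pkt):
        if pkt.src in self.lan:            # outgoing: remember the tuple
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.flows[key] = pkt.ts
            return "OUTBOUND"
        # Incoming: a genuine reply is a remembered tuple with the ends swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.flows.get(key)
        if last is None:
            return "UNSOLICITED"           # no request seen: what the router logged
        if pkt.ts - last > self.idle_timeout:
            del self.flows[key]
            return "EXPIRED"               # reply arrived after state was dropped
        self.flows[key] = pkt.ts
        return "ESTABLISHED"

    def saw_request_for(self, entry, lan_addr):
        """True if a tracked outgoing request matches this log entry's reply."""
        # The log says "TCP- or UDP-based", so check both protocols.
        return any((proto, lan_addr, entry["dport"], entry["src"], entry["sport"])
                   in self.flows for proto in ("UDP", "TCP"))


LAN = "192.0.2.10"   # constructed LAN address (documentation range)
SAMPLE_PACKETS = [   # constructed; the port numbers appear in the thread
    Packet(0.00, "UDP", LAN, 49681, "8.8.8.8", 53),
    Packet(0.05, "UDP", "8.8.8.8", 53, LAN, 49681),
    Packet(1.00, "UDP", "8.8.8.8", 53, LAN, 61169),
    Packet(2.00, "UDP", LAN, 62071, "8.8.8.8", 53),
    Packet(40.0, "UDP", "8.8.8.8", 53, LAN, 62071),
]
SAMPLE_LOG = ("TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011 "
              "targeting ***.***.***.***,61169, sent from 8.8.8.8,53")


def run_demo():
    table = StateTable([LAN])
    verdicts = [table.classify(p) for p in SAMPLE_PACKETS]
    entry = parse_router_log(SAMPLE_LOG)
    return verdicts, entry, table.saw_request_for(entry, LAN)


if __name__ == "__main__":
    verdicts, entry, matched = run_demo()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.ts:6.2f}s {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
    print("log entry:", entry, "| outgoing request seen:", matched)
```

Feeding it the outgoing requests seen with `sudo tcpdump port domain` would show whether a logged reply has a matching request from the LAN.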
Re: [Dorset] [OT] DNS port number
On Wednesday 23 February 2011 23:12:31 Dan Dart wrote:
> 8.8.8.8 is Google's DNS service. If you're using it, then that'll be why.
> The high port numbers are the responses. which were blocked :(

I know 8.8.8.8 is google, I have had the same log entries when I was using
opendns IP (208.67.222.222). I realise that the log entry is telling me
that a port scan was blocked but I want to know why the dns is scanning my
system on high port numbers when the dns port number is normal 53, is this
high level port number scanning normal activity??

Tim
Re: [Dorset] [OT] DNS port number
On Wednesday 23 February 2011 23:22:14 Andrew Reid Paterson wrote:
> On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> > On 23 February 2011 23:03, Tim wrote:
> > > Any thoughts?
> >
> > I'd look into setting up a DMZ box (if you've a spare machine),
> > separating the internal network from the Virgin/BT/whatever supplied
> > h/ware. extreme, admittedly, but what price peace of mind?
>
> Hi Tim,
> I have precisely this kind of setup simply by having two network interfaces
> on my main system which runs iptables and is connected via the internal lan
> cable and hub to a wireless repeater on which connect to my wifi gadgets
> like ps3, nokia phone & bravia tv.
> What I really like is the level of control I have from configuring iptables
> right down to monitoring with wireshark and dhcp control of clients.
> Perish the thought of a cable wifi router.
> incidentally, as Dan says 8.8.8.8 is google dns.
> Why are you not using Virgin's own dns - which can be set via dhcp?
> Regards
> Andy

Hi Andy, I have been with NTL\Virgin a very long time (since it arrived in
the bmth\Poole area, I was a tester) and in the early days NTL DNS were
terrible, so I have been using non NTL\Virgin DNS for as long as I have
been using NTL\Virgin cable.

I do have my own Firewall PC behind the router but I have been considering
removing it as it is very old PC and an old firewall software.

While I am aware that 8.8.8.8 is google, I have had exactly the same
problem when I was using opendns IP (208.67.222.222)

Tim
Re: [Dorset] [OT] DNS port number
On Wednesday, February 23, 2011 11:11:59 pm jr wrote:
> On 23 February 2011 23:03, Tim wrote:
> > Any thoughts?
>
> I'd look into setting up a DMZ box (if you've a spare machine),
> separating the internal network from the Virgin/BT/whatever supplied
> h/ware. extreme, admittedly, but what price peace of mind?

Hi Tim,
I have precisely this kind of setup simply by having two network interfaces
on my main system which runs iptables and is connected via the internal lan
cable and hub to a wireless repeater on which connect to my wifi gadgets
like ps3, nokia phone & bravia tv.
What I really like is the level of control I have from configuring iptables
right down to monitoring with wireshark and dhcp control of clients.
Perish the thought of a cable wifi router.
incidentally, as Dan says 8.8.8.8 is google dns.
Why are you not using Virgin's own dns - which can be set via dhcp?
Regards
Andy
Re: [Dorset] [OT] DNS port number
8.8.8.8 is Google's DNS service. If you're using it, then that'll be why.
The high port numbers are the responses. which were blocked :(
Re: [Dorset] [OT] DNS port number
On 23 February 2011 23:03, Tim wrote:
> Any thoughts?

I'd look into setting up a DMZ box (if you've a spare machine),
separating the internal network from the Virgin/BT/whatever supplied
h/ware. extreme, admittedly, but what price peace of mind?

--
regards, jr.

time flies like an arrow, fruit flies like a banana.
[Dorset] [OT] DNS port number
Recently I upgraded my Virgin TV package which resulted in Virgin supplying
a new cablemodem (rebadged Netgear) for the cable internet (as opposed to
the combined set top box unit previously).

I have been watching the log files from the router out of idle curiosity
and have noticed a lot of blocked dns traffic with very high port number
like this

    TCP- or UDP-based Port Scan DETECTED on Wed Feb 23 22:21:20 2011
    targeting ***.***.***.***,61169, sent from 8.8.8.8,53 (*=my ip address)

Other port numbers include

    62071 62636 63336 63592 64409 64888 64781

While the router is inheriting the dns setting that Virgin are providing
and can't be changed on the router, all the PC's behind it are set up with
static IP and DNS which is currently google dns settings but I have also
used open dns and had the same port scan detected log entry with the same
port number.

Is this normal activity? my understanding that dns was port 53, why is it
scanning the high port numbers??

I have tried looking for these dns port number on google but can't find
anything definitive.

Any thoughts?

Tim