Re: Interesting DNS Traffic

[The Unicorn <unicorn () blackhats org>]

On Fri, May 28, 1999 at 09:49:29PM -0500, Andrew Fessler wrote:
> I have seen some unusual things on my Cisco.
>
> I have some access-lists setup.
>
> I permit, SMTP, WWW, POP, IMAP, ECHO,ICMP and a few other ports as
> well as 1024-65535 for inbound. 
>
> That theroetically should cover any inbound traffic.
>
> However, I see DNS  requests and WWW requests come in where the souce
> port on the packet originates in the 800 range rather than the
> standard 1024-65535 range. Therefore the reply back is denied.
>
> Example.
>
> xxx.xxx.xxx.xxx (879) -->   204.253.83.10 (53)
>
> meaning a packet came in from the internet going to my DNS, however
> the source port of the packet was 879. 
>
> I cant find any reason why they are having abnormal source ports,
> should I worry about this? Should I open the 800 range ports? Seems
> like opening my network more than I want to.

Could it be  that the site asking  for DNS info is  using (heavily used)
Windows  boxen? I  have seen  similar requests  (originating from  a low
order port) coming form Windows systems... Seems to be an implementation
"feature" from Micr$oft.

> TIA
> Andrew Fessler
> Allegro
---end quoted text---

Ciao,
Unicorn.
-- 
======= _ __,;;;/ TimeWaster ================================================
     ,;( )_, )~\| A Truly Wise Man Never Plays   PGP: 64 07 5D 4C 3F 81 22 73
    ;; //  `--;     Leapfrog With A Unicorn...        52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======