Firewall Wizards mailing list archives

Re: Interesting DNS Traffic

From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 31 May 1999 15:38:36 -0700 (PDT)

--- Andrew Fessler <andrew () allegro net> wrote:

However, I see DNS  requests and WWW requests come in where the souce
port on the packet originates in the 800 range rather than the
standard 1024-65535 range. Therefore the reply back is denied.


The DNS traffic from low ports is somewhat normal, from my own
experience. I see LOTs of DNS traffic coming from ports lower than 1024
from machines browsing our website. Here are some example ports:

904 859 610 705 826 608 673 285 810 739 684 1 ???? 432 954 etc.

A lot of these are coming from machines that are themselves proxy
servers and firewalls, which I infer from the reverse DNS lookups (the
names usually contain "fw" or "proxy"). One of them had the name
"fw1.etc.etc.", so this may be some "feature" of Checkpoint.

Rob.






_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Current thread:

Re: Interesting DNS Traffic The Unicorn (Jun 01)
- <Possible follow-ups>
- Re: Interesting DNS Traffic Robert Graham (Jun 01)
  - Re: Interesting DNS Traffic Joseph S D Yao (Jun 02)
- Re: Interesting DNS Traffic Andrew Fessler (Jun 01)
- Re: Interesting DNS Traffic Ryan Russell (Jun 02)
  - Re: Interesting DNS Traffic David Gillett (Jun 03)
- Re: Interesting DNS Traffic Vern Paxson (Jun 02)
- Re: Interesting DNS Traffic -Reply Einar EINARSSON (Jun 02)
  - Re: Interesting DNS Traffic -Reply Ge' Weijers (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Einar EINARSSON (Jun 03)
  - Re: Interesting DNS Traffic -Reply -Reply Ge' Weijers (Jun 04)
- Re: Interesting DNS Traffic -Reply John McDermott (Jun 03)

(Thread continues...)