Firewall Wizards mailing list archives
Re: Interesting DNS Traffic
From: "Andrew Fessler" <andrew () allegro net>
Date: Tue, 01 Jun 1999 09:19:20 -0500
Unless I am being ignorant, doesnt this NOT comply with the RFC that have to deal with return port numbers on all ip packets? Andrew
Robert Graham <robert_david_graham () yahoo com> 5/31/99 6:38:36 PM
--- Andrew Fessler <andrew () allegro net> wrote:
However, I see DNS requests and WWW requests come in where the
souce
port on the packet originates in the 800 range rather than the standard 1024-65535 range. Therefore the reply back is denied.
The DNS traffic from low ports is somewhat normal, from my own experience. I see LOTs of DNS traffic coming from ports lower than 1024 from machines browsing our website. Here are some example ports: 904 859 610 705 826 608 673 285 810 739 684 1 ???? 432 954 etc. A lot of these are coming from machines that are themselves proxy servers and firewalls, which I infer from the reverse DNS lookups (the names usually contain "fw" or "proxy"). One of them had the name "fw1.etc.etc.", so this may be some "feature" of Checkpoint. Rob. _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Current thread:
- Re: Interesting DNS Traffic The Unicorn (Jun 01)
- <Possible follow-ups>
- Re: Interesting DNS Traffic Robert Graham (Jun 01)
- Re: Interesting DNS Traffic Joseph S D Yao (Jun 02)
- Re: Interesting DNS Traffic Andrew Fessler (Jun 01)
- Re: Interesting DNS Traffic Ryan Russell (Jun 02)
- Re: Interesting DNS Traffic David Gillett (Jun 03)
- Re: Interesting DNS Traffic Vern Paxson (Jun 02)
- Re: Interesting DNS Traffic -Reply Einar EINARSSON (Jun 02)
- Re: Interesting DNS Traffic -Reply Ge' Weijers (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Einar EINARSSON (Jun 03)
- Re: Interesting DNS Traffic -Reply -Reply Ge' Weijers (Jun 04)
- Re: Interesting DNS Traffic -Reply John McDermott (Jun 03)
- Re: Interesting DNS Traffic -Reply Chris Calabrese (Jun 03)