Firewall Wizards mailing list archives

Re: Interesting DNS Traffic


From: davidg () genmagic com (David Gillett)
Date: Thu, 3 Jun 1999 11:49:40 -0700

On 1 Jun 99, at 13:09, Ryan Russell wrote:


However, I see DNS requests and WWW requests come in where the source
port on the packet originates in the 800 range rather than the
standard 1024-65535 range. Therefore the reply back is denied.

Example.

xxx.xxx.xxx.xxx (879) -->   204.253.83.10 (53)

meaning a packet came in from the internet going to my DNS, however
the source port of the packet was 879.

This means someone has an internal DNS server behind a Firewall-1
that is doing hide NAT, and you've broken his ability to do DNS lookups
to your site.

My opinion is that trying to derive any kind of security posture from
source ports of machines you don't control is pointless.

  While we don't (yet) block on it, I log a security alert if the source port 
is 0 or 65535.  In a couple of instances, it has been obvious that the latter 
was showing up on "attack" packets, where the sender was clearly not waiting 
for a reply and three-way handshake process.
  Unfortunately, this value also occasionally shows up in legitimate traffic.


David G
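The two source-port observations in this thread, as an added example that is not part of either poster's message: the reply rule the original poster describes (only allow replies back to source ports in the 1024-65535 range) applied to a hide-NAT DNS query from port 879, and the alert condition David describes (source port 0 or 65535) applied to the same lines. The log format and every address and port below are constructed for this example; none of it is real Firewall-1 output.

```python
import re

# Constructed sample firewall log lines, not real traffic. The field order
# (direction proto src_ip src_port dst_ip dst_port tcp_flags) is an assumption
# made for this example; it is not any particular firewall's log format.
SAMPLE_LOG = """\
in udp 192.0.2.10 879 204.253.83.10 53 -
in tcp 192.0.2.10 1031 204.253.83.20 80 S
in tcp 198.51.100.7 65535 204.253.83.20 80 S
in tcp 198.51.100.8 0 204.253.83.20 22 S
in udp 192.0.2.11 53000 204.253.83.10 53 -
in tcp 203.0.113.5 65535 204.253.83.20 443 S
"""

LINE_RE = re.compile(
    r"^(?P<dir>in|out)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict with integer ports."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def ephemeral_rule_drops_reply(rec, low=1024):
    """The reply rule from the original post: only source ports in the
    'standard' 1024-65535 range are allowed a reply, so anything below `low`
    is denied. This is what breaks the hide-NAT client using port 879."""
    return rec["src_port"] < low


def odd_source_port(rec):
    """David's logged-alert condition: source port 0 or 65535. Per the thread
    this is logged, not blocked, because 65535 also shows up legitimately."""
    return rec["src_port"] in (0, 65535)


def review(log_text):
    """Run both checks over the log. Returns (broken, alerts): records whose
    replies the ephemeral-range rule would deny, and records that would raise
    the source-port alert."""
    broken, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if ephemeral_rule_drops_reply(rec):
            broken.append(rec)
        if odd_source_port(rec):
            alerts.append(rec)
    return broken, alerts


if __name__ == "__main__":
    broken, alerts = review(SAMPLE_LOG)
    for r in broken:
        print(f"reply DENIED by ephemeral-range rule: "
              f"{r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']}")
    for r in alerts:
        print(f"ALERT (source port {r['src_port']}): "
              f"{r['src_ip']} -> {r['dst_ip']}:{r['dst_port']} flags={r['flags']}")
```

Running it shows the DNS query from port 879 being denied a reply even though nothing about it is hostile, which is the point of the "source ports of machines you don't control" remark, while the 65535 and 0 lines are only reported, not dropped, leaving it to the analyst to decide whether a given 65535 is an attack packet or one of the occasional legitimate ones.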


