Router is doing DNS all on it's own....

[Don Kendrick <don () netspys com>]

Greetings all,

Got a strange problem I want to run by you...

1. Cisco router stilling at the edge.

1. Have a couple of offsite dns servers listed in the Cisco config as name 
servers.

3. Have a strong inbound access list on it which, among many other things, 
denies tcp/udp dns to the router (ie, any replies to dns queries from the 
router should be blocked).

4. Have syslog set to a syslog server off -box.

I use the above as one of my poor man's ids for that router. If someone 
gets on it, doesn't look thru the access list closely and tries anything 
that kicks off a dns query, i'm paged.

Well, this little guy has been quiet for many years except when I would 
occasionally forget and trip over it myself.

Now twice in the last week, I've gotten the pages. No one is on the router 
that I can find, I've changed the passwords after the 1st time, nothing 
looks out of place, all other alerting is fine, no one has messed with the 
configs (unless they know how to alter the "last modified" that Cisco keeps...

Any ideas?

Don

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards