Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 +0000 ->  
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 +0000 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

> 
> On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
> 
>> On 5/31/2011 2:38 PM, Supersonic wrote:
>>> I have a BIND 9.8.0-P2 server instance running on a production server.
>> 
>> Doing what, exactly? Resolving internal names only? Resolving Internet 
>> names? Acting as an authoritative server for internal clients? Internet 
>> clients? Some combination of the above?
>> 
>>> My firewall is showing repeated attempts by named.exe to connect to IP 
>>> addresses in foreign countries on ports 6666, 6667 and 6669 - common IRC 
>>> ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
>>> that it is unchanged from the installation source. Is this connection 
>>> normal? Should I be allowing it?
>>> 
>> TCP connections or UDP packets?
>> 
>> If you're serving authoritative data to Internet clients, then my guess is 
>> your firewall simply isn't "stateful" enough to realize that these are 
>> responses to DNS queries that originally came in from Internet clients using 
>> those port numbers. Just because they are "common IRC ports used by 
>> worms/trojans/zombies" doesn't preclude them from also being chosen at 
>> random as the source ports of incoming queries to your nameserver. Responses 
>> go back to the same port from which the query was received.
> 
> 
> Can you make a distribution of ports and see if it contacts other port 
> numbers with approximately the same frequency? I'm guessing this is just the 
> FW / IDS being "helpful"....
> 
> W
> 
>> 
>> If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
>> of any legitimate reason why named would be trying to TCP-connect to any 
>> port other than 53.
>> 
>> - Kevin
>> 
>> 
>> _______________________________________________
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>> 
> 
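
Added example, not part of the original thread: one way to build the port distribution suggested above from a firewall log, separating replies sent from port 53 (which go back to whatever source port the client chose) from traffic where neither end is port 53. The log format, the addresses and the 5x threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample (assumed log format "PROTO src:port -> dst:port";
# 192.0.2.10 stands in for the nameserver). Not data from the thread.
SAMPLE_LOG = """\
UDP 192.0.2.10:53 -> 198.51.100.7:6667
UDP 192.0.2.10:53 -> 203.0.113.20:41822
UDP 192.0.2.10:53 -> 198.51.100.9:6666
UDP 192.0.2.10:53 -> 203.0.113.5:52011
UDP 192.0.2.10:53 -> 198.51.100.44:6669
UDP 192.0.2.10:53 -> 203.0.113.77:33190
UDP 192.0.2.10:49152 -> 198.51.100.53:53
TCP 192.0.2.10:49733 -> 203.0.113.99:6667
"""
IRC_PORTS = {6666, 6667, 6669}

def classify(sport, dport):
    """Label one outbound packet from the nameserver."""
    if sport == 53:
        return "reply"        # answer sent back to the client's source port
    if dport == 53:
        return "query"        # named itself querying another server
    return "investigate"      # neither end is port 53

def summarize(log):
    """Return (class counts, reply destination-port histogram, flagged lines)."""
    classes, reply_ports, flagged = Counter(), Counter(), []
    for line in log.splitlines():
        if not line.strip():
            continue
        _proto, src, _, dst = line.split()
        sport, dport = int(src.rsplit(":", 1)[1]), int(dst.rsplit(":", 1)[1])
        kind = classify(sport, dport)
        classes[kind] += 1
        if kind == "reply":
            reply_ports[dport] += 1
        elif kind == "investigate":
            flagged.append(line)
    return classes, reply_ports, flagged

def overrepresented(reply_ports, watch=IRC_PORTS, factor=5.0):
    """Watched ports hit far more often than the average other port."""
    others = [n for p, n in reply_ports.items() if p not in watch]
    baseline = sum(others) / len(others) if others else 0.0
    limit = factor * max(baseline, 1.0)
    return sorted(p for p in watch if reply_ports.get(p, 0) > limit)

if __name__ == "__main__":
    classes, reply_ports, flagged = summarize(SAMPLE_LOG)
    print(dict(classes), overrepresented(reply_ports), flagged)
```

An empty result from overrepresented() means the watched ports appear about as often as any other client source port; lines returned in the flagged list are the ones worth a closer look.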
