Good explanation of Service Discovery: http://www.dns-sd.org/
Also, Bonjour is a big offender: http://en.wikipedia.org/wiki/Bonjour_%28software%29
A lot of Apple apps use it, like iTunes.

-----Original Message-----
From: bind-users-bounces+john.manson=mail.house....@lists.isc.org [mailto:bind-users-bounces+john.manson=mail.house....@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org
Sent: Thursday, August 23, 2012 8:00 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 1292, Issue 1

Today's Topics:

   1. Question about connections to BIND and tcp 443 (Moore, Mark A.)
   2. Re: Question about connections to BIND and tcp 443 (SM)
   3. Re: Question about connections to BIND and tcp 443 (Adam Tkac)
   4. Re: Question about connections to BIND and tcp 443 (Jan-Piet Mens)
   5. What can cause excessive amount of _dns-sd queries? (Eivind Olsen)
   6. Re: What can cause excessive amount of _dns-sd queries? (Torsten Segner)

----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Aug 2012 08:38:18 -0600
From: "Moore, Mark A." <mmo...@osmre.gov>
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Question about connections to BIND and tcp 443
Message-ID: <600147d5023cd8459b2a5d2861ccf9ee42c88fb...@iesdenrexmb05.eis.doi.net>
Content-Type: text/plain; charset="us-ascii"

Good afternoon. We are currently running BIND on our RHEL 5.x servers and see connection attempts from our internal clients to the BIND on tcp 443. They are currently being blocked from connecting to 443 since these servers are only DNS. Is there any reason for clients to connect to tcp 443 for any type of DNS resolution? Just want to confirm before I dig deeper into this issue.

Thx in advance for any assistance provided.

Mark

------------------------------

Message: 2
Date: Wed, 22 Aug 2012 08:06:15 -0700
From: SM <s...@resistor.net>
To: "Moore, Mark A." <mmo...@osmre.gov>
Cc: bind-users@lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <6.2.5.6.2.20120822080430.09244...@resistor.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 07:38 22-08-2012, Moore, Mark A. wrote:
>from connecting to 443 since these servers are only DNS. Is there
>any reason for clients to connect to tcp 443 for any type of DNS
>resolution? Just want to confirm before I dig deeper into this issue.

No.

Regards,
-sm

------------------------------

Message: 3
Date: Wed, 22 Aug 2012 11:31:51 -0400
From: Adam Tkac <at...@redhat.com>
To: "Moore, Mark A." <mmo...@osmre.gov>
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822153150.ga21...@redhat.com>
Content-Type: text/plain; charset=us-ascii

On Wed, Aug 22, 2012 at 08:38:18AM -0600, Moore, Mark A. wrote:
> Good afternoon. We are currently running BIND on our RHEL 5.x servers and see
> connection attempts from our internal clients to the BIND on tcp 443. They
> are currently being blocked from connecting to 443 since these servers are only
> DNS. Is there any reason for clients to connect to tcp 443 for any type of
> DNS resolution? Just want to confirm before I dig deeper into this issue.
>
> Thx in advance for any assistance provided.
>
> Mark

If some of your clients use dnssec-trigger for DNSSEC setup (http://www.nlnetlabs.nl/projects/dnssec-trigger), it can probe your server for "DNS-over-SSL". Check dnssec-trigger overview, section "How does it work" for more details.

Note this doesn't mean you should allow connections to port 443.

Regards, Adam

--
Adam Tkac, Red Hat, Inc.

------------------------------

Message: 4
Date: Wed, 22 Aug 2012 19:27:23 +0200
From: Jan-Piet Mens <jpmens....@gmail.com>
To: bind-users@lists.isc.org
Subject: Re: Question about connections to BIND and tcp 443
Message-ID: <20120822172723.ga81...@jmbp.ww.mens.de>
Content-Type: text/plain; charset=us-ascii

> They are currently being blocked from connecting to 443 since these
> servers are only DNS. Is there any reason for clients to connect to
> tcp 443 for any type of DNS resolution?

Sounds a bit as though your clients think the BIND box is an HTTP origin server... I'd look into what programs they're running and how those are configured.

Other than that, no: there is no reason for a typical DNS client to attempt TCP/443 unless your clients are running dnssec-trigger [1]

-JP

[1] http://www.nlnetlabs.nl/projects/dnssec-trigger/

------------------------------

Message: 5
Date: Thu, 23 Aug 2012 13:43:32 +0200
From: "Eivind Olsen" <eiv...@aminor.no>
To: bind-users@lists.isc.org
Subject: What can cause excessive amount of _dns-sd queries?
Message-ID: <f1b6bb7cae5eb19a9c6014f2898661e7.squir...@webmail.aminor.no>
Content-Type: text/plain;charset=iso-8859-1

Hello.

I haven't seen this before.. I'm currently seeing someone (1 ip address) do about 2.1 million queries / hour where a majority of the queries seem to be:

b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
talk.l.google.com IN A +
gmail-pop.l.google.com IN A +
gmail-imap.l.google.com IN A +

...and similar variations of these.

Have any of you seen something like this before?

Regards
Eivind Olsen

------------------------------

Message: 6
Date: Thu, 23 Aug 2012 13:58:57 +0200
From: Torsten Segner <tors...@segner.eu>
To: bind-users@lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?
Message-ID: <20120823135857.5f1cc...@hp-tsegner.adoffice.local.de.easynet.net>
Content-Type: text/plain; charset=US-ASCII

On Thu, 23 Aug 2012 13:43:32 +0200, "Eivind Olsen" <eiv...@aminor.no> wrote:

> Hello.
>
> I haven't seen this before.. I'm currently seeing someone (1 ip address)
> do about 2.1 million queries / hour where a majority of the queries seem
> to be:
>
> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> talk.l.google.com IN A +
> gmail-pop.l.google.com IN A +
> gmail-imap.l.google.com IN A +
>
> ...and similar variations of these.
>
> Have any of you seen something like this before?
>

Hi Eivind,

these seem to be DNS Service Discovery requests and yes, we see loads of them on our servers.

http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

Ciao
Torsten

------------------------------

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

End of bind-users Digest, Vol 1292, Issue 1
*******************************************
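
The per-client pattern described in message 5 can be measured from a query log. The following is an added example, not part of the original thread or of BIND: it assumes BIND "queries" category log lines, and the sample lines, client addresses and thresholds are constructed. It reports clients above a query rate, their share of DNS-SD domain-enumeration queries (the b, db, r, dr and lb labels of RFC 6763, section 11) and the network base address encoded in the reverse names.

```python
import re
from collections import Counter, defaultdict

# Domain-enumeration labels defined by DNS-SD (RFC 6763, section 11).
BROWSE_LABELS = {"b", "db", "r", "dr", "lb"}
# Assumed input format: BIND "queries" category log lines.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) \S+ (?P<qtype>\S+)")

def enumerated_domain(qname, qtype):
    """Return the domain a DNS-SD enumeration query asks about, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if (qtype != "PTR" or len(labels) < 4 or labels[0] not in BROWSE_LABELS
            or labels[1:3] != ["_dns-sd", "_udp"]):
        return None
    rest = labels[3:]
    if rest[-2:] == ["in-addr", "arpa"]:
        # Reverse name: the octets are the client's network base address.
        return ".".join(reversed(rest[:-2]))
    return ".".join(rest)

def noisy_clients(lines, window_seconds, max_qps):
    """Return {ip: (qps, dnssd_share, enumerated domains)} above max_qps."""
    counts, domains = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        dom = enumerated_domain(m["qname"], m["qtype"])
        counts[m["ip"]]["dnssd" if dom else "other"] += 1
        if dom:
            domains[m["ip"]].add(dom)
    report = {}
    for ip, c in counts.items():
        total = c["dnssd"] + c["other"]
        qps = total / window_seconds
        if qps > max_qps:
            report[ip] = (qps, c["dnssd"] / total, sorted(domains[ip]))
    return report

# Constructed sample (addresses, port and timestamps are made up).
FMT = "23-Aug-2012 13:43:32.%03d queries: info: client %s#40000: query: %s IN %s + (172.16.1.10)"
REV = "._dns-sd._udp.0.129.16.172.in-addr.arpa"
SAMPLE = [FMT % ((n,) + row) for n, row in enumerate(
    [("172.16.129.57", p + REV, "PTR") for p in ("b", "db", "r")]
    + [("172.16.129.57", h + ".l.google.com", "A") for h in ("talk", "gmail-pop", "gmail-imap")]
    + [("172.16.129.80", "www.example.com", "A")])]
if __name__ == "__main__":
    print(noisy_clients(SAMPLE, window_seconds=2, max_qps=2))
```

For scale, the 2.1 million queries per hour reported in message 5 is roughly 583 queries per second from one address.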