In message <1364140396.42023.yahoomail...@web190806.mail.sg3.yahoo.com>, babu d heen writes:
>
> Dear,
>
> We have Caching DNS server and certain PTR record (reverse entry
> verification purpose) only is allowed from internet. But I am observing
> suspicious DNS traffic from my BIND caching DNS server towards
> 67.215.80.15,67.215.80.13,207.192.69.4,67.227.239.85 IP address on
> destination port 1033,1090,1743, etc. Since we haven't allowed non
> standard port from our DNS server to public DNS server, it's dropped in
> firewall.
>
> Any idea as to why our company DNS server is contacting external IP on
> non standard port?

It's contacting it on port 53. You are allowing the query out but denying the response.

> Below is the logs taken from DNS server on one of the destination IP
> address.
> ##########################################################################
> ##
>
>
> client 67.215.80.15#58230: view localhost_resolver: query (cache)
> '109.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#18395: view localhost_resolver: query (cache)
> '86.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.215.80.15#34068: view localhost_resolver: query (cache)
> '114.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#20915: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#64724: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#16374: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#30391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#17745: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#36163: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#6391: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#37586: view localhost_resolver: query (cache)
> '150.232.12.217.in-addr.arpa/PTR/IN' denied
> client 67.227.239.85#55208: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
> client 67.227.239.85#40076: view localhost_resolver: query (cache)
> '232.12.217.in-addr.arpa/NS/IN' denied
>
> Below is the firewall logs:
> #########################
> action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip
> dst=67.215.80.15 src_port=53 dst_port=16529
> action=Permit sent=0 rcvd=0 src=67.215.80.15
> dst=our_company_DNS_server_ip src_port=52370 dst_port=53
>
>
> Regards
> Babu
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
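
The following is an added example, not code from either poster or from ISC: it pairs each firewall entry with the clients in BIND's "denied" lines and labels which end of the flow is the server's port 53. The sample lines are constructed in the two formats quoted above; the addresses, the stand-in server IP 192.0.2.53 and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the two log formats quoted in the thread.
# All addresses are documentation ranges; 192.0.2.53 stands in for the DNS server.
BIND_LOG = """\
client 198.51.100.15#58230: view localhost_resolver: query (cache) '109.2.0.192.in-addr.arpa/PTR/IN' denied
client 198.51.100.15#18395: view localhost_resolver: query (cache) '86.2.0.192.in-addr.arpa/PTR/IN' denied
client 203.0.113.85#20915: view localhost_resolver: query (cache) '2.0.192.in-addr.arpa/NS/IN' denied
"""
FW_LOG = """\
action=Deny sent=0 rcvd=112 src=192.0.2.53 dst=198.51.100.15 src_port=53 dst_port=16529
action=Permit sent=0 rcvd=0 src=198.51.100.15 dst=192.0.2.53 src_port=52370 dst_port=53
action=Deny sent=0 rcvd=112 src=192.0.2.53 dst=203.0.113.85 src_port=53 dst_port=1743
action=Deny sent=0 rcvd=60 src=192.0.2.53 dst=203.0.113.99 src_port=40000 dst_port=1090
"""

DENIED_RE = re.compile(r"client (\S+?)#\d+: .*query \(cache\) '[^']+' denied")
KV_RE = re.compile(r"(\w+)=(\S+)")

def denied_clients(bind_log):
    """Count 'query (cache) ... denied' lines per client address."""
    return Counter(m.group(1) for m in DENIED_RE.finditer(bind_log))

def classify(fw_line, server_ip, denied):
    """Label one firewall entry by which end of the flow is port 53."""
    f = dict(KV_RE.findall(fw_line))
    outbound = f["src"] == server_ip
    peer = f["dst"] if outbound else f["src"]
    if outbound and f["src_port"] == "53":
        kind = "from-server-port-53"       # packet leaving the server's own port 53
    elif not outbound and f["dst"] == server_ip and f["dst_port"] == "53":
        kind = "to-server-port-53"         # packet arriving at the server's port 53
    elif outbound and f["dst_port"] == "53":
        kind = "server-to-remote-port-53"  # server querying a remote port 53
    else:
        kind = "no-port-53"                # neither end is port 53: look closer
    return {"action": f["action"], "kind": kind, "peer": peer,
            "peer_in_denied_log": peer in denied}

def report(bind_log, fw_log, server_ip):
    """Classify every firewall line against the clients seen in the BIND log."""
    denied = denied_clients(bind_log)
    return [classify(l, server_ip, denied) for l in fw_log.splitlines() if l.strip()]

if __name__ == "__main__":
    for row in report(BIND_LOG, FW_LOG, "192.0.2.53"):
        print(row)
```

Entries labelled `no-port-53`, or whose peer never appears in the BIND log, are the ones that do not fit the port 53 explanation and deserve a separate look.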