Turn BIND's query logging on and see what it's trying to look up. You can do this from the shell (as root) by entering "ndc querylog". Then take a look at your log files and see exactly what it's doing. As someone pointed out, I would also guess that it's attempting to perform lookups on the IP that you're connecting from.
j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]>

-----Original Message-----
From: Jeff Stevens [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 13, 2002 10:27 PM
To: debian-security@lists.debian.org
Subject: sshd sending packets outside lan during local connection

I am using Debian Potato 2.2.19ide-pci and running openssh (3.0.2p1) and bind (version: 1:8.2.3-0.potato.1). It is also being used as a firewall for a local network. It has 2 nic cards, one with an internal ip and one with an external ip.

When I ssh locally (to the internal ip) to this firewall it sends out packets to my ISP. If I unplug the "external ip" nic before entering the password then the connection pauses for about a minute before connecting. I am no expert as I have just started using Debian, but it seems like the password is being sniffed.

I'm not exactly sure what the tcpdump output shows (ATTACHED with route info) but it seems to be doing a domain name look up (but I could be wrong). I have no idea why it would have to do a domain look-up because I connect via ip address (ssh [EMAIL PROTECTED]) which is inside the local network.

Earlier I made the mistake of offering bind publicly. I recently changed this but I don't know if I was compromised during the time it was public. I am hoping this is just a misconfiguration problem.

Any suggestions would be greatly appreciated. Thanks in advance.

--Jeff
Debian user
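
For the log check suggested in the reply above, this added example (not part of the original messages) scans log lines for reverse-lookup (PTR) names that map back to RFC 1918 addresses, which is what a lookup of a LAN client's IP would look like. The sample lines are constructed and their layout is illustrative only; the function names are hypothetical, and the parser only looks for `in-addr.arpa` names, so it does not depend on a particular log format.

```python
import ipaddress
import re

# A reverse-lookup name such as 5.1.168.192.in-addr.arpa, anywhere in a line.
PTR_NAME = re.compile(r"\b((?:\d{1,3}\.){4})in-addr\.arpa\b", re.IGNORECASE)

# RFC 1918 private ranges: PTR queries for these should never need to leave the LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name_to_ip(octets_reversed):
    """'5.1.168.192.' -> IPv4Address('192.168.1.5'); None if not a valid address."""
    parts = octets_reversed.rstrip(".").split(".")
    try:
        return ipaddress.IPv4Address(".".join(reversed(parts)))
    except ipaddress.AddressValueError:
        return None


def private_reverse_lookups(log_lines):
    """Return {ip: count} for PTR names in the log that map to RFC 1918 addresses."""
    hits = {}
    for line in log_lines:
        for match in PTR_NAME.finditer(line):
            ip = ptr_name_to_ip(match.group(1))
            if ip is not None and any(ip in net for net in RFC1918):
                hits[str(ip)] = hits.get(str(ip), 0) + 1
    return hits


# Constructed sample lines (hypothetical host name and addresses).
SAMPLE_LOG = [
    "Jan 13 22:20:01 fw named[212]: query 5.1.168.192.in-addr.arpa PTR from 127.0.0.1",
    "Jan 13 22:20:06 fw named[212]: query 5.1.168.192.in-addr.arpa PTR from 127.0.0.1",
    "Jan 13 22:21:10 fw named[212]: query www.example.org A from 192.168.1.5",
    "Jan 13 22:22:30 fw named[212]: query 7.113.0.203.in-addr.arpa PTR from 127.0.0.1",
    "Jan 13 22:23:02 fw named[212]: query 2.0.0.10.in-addr.arpa PTR from 127.0.0.1",
]

if __name__ == "__main__":
    for ip, count in sorted(private_reverse_lookups(SAMPLE_LOG).items()):
        print(f"{count} reverse lookup(s) for private address {ip}")
```

Repeated hits for the address you connect from, lining up with the times of your ssh logins, would point to reverse lookups of the client IP rather than anything touching the password.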