Re: Interesting DNS Traffic

Robert Graham (robert_david_grahamyahoo.com)
Mon, 31 May 1999 15:38:36 -0700 (PDT)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Kevin T. Shivers: "Re: Gauntlet firewalls & BSDI"
• Previous message: Matt Curtin: "Re: Firewall comparison in Data Communications"
• Next in thread: Joseph S D Yao: "Re: Interesting DNS Traffic"
• Reply: Joseph S D Yao: "Re: Interesting DNS Traffic"

--- Andrew Fessler <andrewallegro.net> wrote:
> However, I see DNS requests and WWW requests come in where the souce
> port on the packet originates in the 800 range rather than the
> standard 1024-65535 range. Therefore the reply back is denied.

The DNS traffic from low ports is somewhat normal, from my own
experience. I see LOTs of DNS traffic coming from ports lower than 1024
from machines browsing our website. Here are some example ports:

904 859 610 705 826 608 673 285 810 739 684 1 ???? 432 954 etc.

A lot of these are coming from machines that are themselves proxy
servers and firewalls, which I infer from the reverse DNS lookups (the
names usually contain "fw" or "proxy"). One of them had the name
"fw1.etc.etc.", so this may be some "feature" of Checkpoint.

Rob.

_________________________________________________________
Do You Yahoo!?
Get your free yahoo.com address at http://mail.yahoo.com

• Next message: Kevin T. Shivers: "Re: Gauntlet firewalls & BSDI"
• Previous message: Matt Curtin: "Re: Firewall comparison in Data Communications"
• Next in thread: Joseph S D Yao: "Re: Interesting DNS Traffic"
• Reply: Joseph S D Yao: "Re: Interesting DNS Traffic"

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT