Re: Interesting DNS Traffic
Ryan Russell (Ryan.Russell@sybase.com)
Tue, 1 Jun 1999 13:09:10 -0700
- Next message: Vern Paxson: "Re: Interesting DNS Traffic"
- Previous message: Ge' Weijers: "Re: Firewall comparison in Data Communications"
- Next in thread: David Gillett: "Re: Interesting DNS Traffic"
- Reply: David Gillett: "Re: Interesting DNS Traffic"
>However, I see DNS requests and WWW requests come in where the source
>port on the packet originates in the 800 range rather than the
>standard 1024-65535 range. Therefore the reply back is denied.
>
>Example.
>
>xxx.xxx.xxx.xxx (879) --> 204.253.83.10 (53)
>
>meaning a packet came in from the internet going to my DNS, however
>the source port of the packet was 879.
This means someone has an internal DNS server behind a Firewall-1
that is doing hide NAT, and you've broken his ability to do DNS lookups
to your site.
My opinion is that trying to derive any kind of security posture from
source ports of machines you don't control is pointless.
On the other hand, you aren't the only one to break FW-1 sites
this way, so they'll eventually learn and change their DNS
server to a static translation, and you'll see the traffic
with a source port of 53.
Ryan
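The situation Ryan describes, as an added example that is not part of the original thread: a reply rule keyed on the remote side's "standard" 1024-65535 source-port range silently drops answers to a resolver whose hide NAT rewrote its source port to 879, whereas a stateful check (reply must match a query we actually received, by remote address, remote port and DNS transaction ID) makes the remote port an opaque key rather than a trust decision. The log lines, addresses and transaction IDs below are constructed; the `src (port) --> dst (port)` notation copies the thread. The NAT-rewriting explanation for sub-1024 ports is the thread's, not a property verified here.

```python
"""Added example (not from the original thread): why a firewall rule that
keys on the REMOTE side's source port breaks DNS for hosts behind a hide
NAT, and the stateful check that makes the remote port irrelevant.

Addresses, transaction IDs and log lines are constructed for illustration.
"""
import re

# Flow notation as it appears in the thread:  src (sport) --> dst (dport)
FLOW_RE = re.compile(r"^(\S+) \((\d+)\) --> (\S+) \((\d+)\)$")


def parse_flow(line):
    """Return (src, sport, dst, dport) from a 'src (p) --> dst (p)' line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised flow line: %r" % line)
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def classify_query_source_port(sport):
    """Heuristic label for an inbound DNS query's source port.
    Assumption taken from the thread: a NAT box that rewrites source ports
    may hand out ports below 1024, so a low port says nothing about the
    remote host's privilege level and carries no policy meaning."""
    if sport == 53:
        return "server-to-server (query sent from port 53)"
    if sport < 1024:
        return "low port: likely hide NAT or other rewriting, not a policy signal"
    return "ephemeral client port"


def port_based_allows_reply(reply_dst_port):
    """The rule the thread describes: replies from our resolver are only
    let out to 'standard' 1024-65535 ports.  This drops the reply to 879."""
    return 1024 <= reply_dst_port <= 65535


class StatefulDnsReplyFilter:
    """Allow an outbound reply only if it answers a query we actually saw
    (same remote address/port and same DNS transaction ID).  Simplified
    model of a stateful firewall's UDP tracking; the remote source port is
    just part of the lookup key, never a trust decision."""

    def __init__(self):
        self._pending = set()

    def note_query(self, src, sport, txid):
        self._pending.add((src, sport, txid))

    def allows_reply(self, dst, dport, txid):
        key = (dst, dport, txid)
        if key in self._pending:
            self._pending.discard(key)   # one reply per query; no replays
            return True
        return False


def evaluate(lines, txids):
    """Run both policies over constructed log lines; return per-line results."""
    flt = StatefulDnsReplyFilter()
    results = []
    for line, txid in zip(lines, txids):
        src, sport, dst, dport = parse_flow(line)
        if dport != 53:
            continue
        flt.note_query(src, sport, txid)
        results.append({
            "src": src,
            "sport": sport,
            "label": classify_query_source_port(sport),
            "port_rule_allows_reply": port_based_allows_reply(sport),
            "stateful_allows_reply": flt.allows_reply(src, sport, txid),
        })
    return results


# Constructed sample lines in the thread's notation; 879 mirrors the
# port the original poster saw, 203.0.113.10 stands in for his DNS server.
SAMPLE_LINES = [
    "198.51.100.7 (879) --> 203.0.113.10 (53)",     # resolver behind hide NAT
    "198.51.100.9 (53) --> 203.0.113.10 (53)",      # classic server-to-server
    "198.51.100.23 (33211) --> 203.0.113.10 (53)",  # ordinary ephemeral port
]
SAMPLE_TXIDS = [0x1A2B, 0x77F0, 0x0102]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_LINES, SAMPLE_TXIDS):
        print(r)
```

Note that the port-range rule also drops the reply to the second line, the "source port 53" case Ryan expects the FW-1 sites to move to, because 53 is equally outside 1024-65535; only the stateful check answers all three queries.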
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT