Security Incidents mailing list archives
RE: DNS servers outbound connections.
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Tue, 1 Oct 2002 10:06:04 -0500
There's no such thing as a UDP "connection" really. Are you sure these aren't DNS replies to requests made by these remote hosts? Frequently if a host tries to perform DNS resolution, it may end up querying more than one server in an attempt to get a response. If it gets a response from one, it may tear down the UDP socket even though more than one server was queried. If there are any other replies that get delivered afterward, they may get an ICMP Unreachable message generated when they arrive. This may make it seem like the DNS server is trying to send packets somewhere they shouldn't be going.

If these are web servers, perhaps they have DNS resolution turned on in their logging and you have a user on your network making HTTP requests against these servers.

Just some thoughts..

David

From: Philip Bartholomew [mailto:Philip.Bartholomew () cms co uk]
I wonder if any of you fine fellows can help. My 2 Nameservers are making a number of UDP connections "10-20 a minute" originating on port 53 to alternating dest ports e.g.: 1113, 56008, 54002 tries about ten
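One way to test the explanation in the reply above against a packet capture, as an added example that is not part of the original thread: label every UDP packet leaving the name server from port 53 as a reply to a query recently seen from the same remote address and port, or as unsolicited. The record layout, the documentation-range addresses, the sample packets and the 10-second window are all constructed assumptions.

```python
from collections import namedtuple

# Minimal UDP packet record (assumed layout, e.g. exported from a capture).
Pkt = namedtuple("Pkt", "ts src sport dst dport")

NAMESERVER = "192.0.2.53"  # constructed address, not from the thread

# Constructed sample capture, not data from the thread.
SAMPLE = [
    Pkt(0.00, "198.51.100.7", 1113, NAMESERVER, 53),   # remote host queries us
    Pkt(0.04, NAMESERVER, 53, "198.51.100.7", 1113),   # our reply to that query
    Pkt(1.00, "203.0.113.9", 56008, NAMESERVER, 53),   # second remote query
    Pkt(1.20, NAMESERVER, 53, "203.0.113.9", 56008),   # our reply
    Pkt(5.00, NAMESERVER, 53, "203.0.113.9", 54002),   # no query seen from this port
    Pkt(40.0, NAMESERVER, 53, "198.51.100.7", 1113),   # query is older than the window
]


def classify(packets, server, window=10.0):
    """Label each packet sent from server:53 as 'reply' or 'unsolicited'.

    A packet is a 'reply' when the same remote (ip, port) sent a packet to
    server:53 no more than `window` seconds earlier.
    """
    last_query = {}  # (remote ip, remote port) -> time of latest query to server:53
    results = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dst == server and p.dport == 53:
            last_query[(p.src, p.sport)] = p.ts
        elif p.src == server and p.sport == 53:
            seen = last_query.get((p.dst, p.dport))
            matched = seen is not None and p.ts - seen <= window
            results.append((p, "reply" if matched else "unsolicited"))
    return results


def summary(packets, server, window=10.0):
    """Count replies versus unsolicited packets sent from server:53."""
    counts = {"reply": 0, "unsolicited": 0}
    for _, label in classify(packets, server, window):
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for p, label in classify(SAMPLE, NAMESERVER):
        print(f"{p.ts:6.2f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {label}")
    print(summary(SAMPLE, NAMESERVER))
```

If nearly everything lands in `reply`, the traffic is ordinary answers to inbound queries; packets left in `unsolicited` are the ones to examine further.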