[Dshield] UDP packets dropped from DNS server
Lijster. Mario de
Mdlijster at Prioritytelecom.com
Mon Oct 29 16:12:03 GMT 2001
Jeffrey and all,
I have (had) exactly the same lines on my FW (only the source and destination addresses differ).
At my FW it appeared to be a time out issue.
The FW simply has erased the record of this session because it took too long to get an answer from the DNS.
And after that the FW refuses it because it looks like a "WAN initiated session attempt". (I don't know a better word for it.) Usually via a SonicWall that's rule 0. Your ISP has a slow/busy DNS.
Setting the time out longer will increase your vulnerability. I have decided to live with it and ignore these lines in my log analysis.
Sometimes I get to see a "real one" like this one, they are easy to detect:
10/27/2001 06:06:55.320 - TCP connection dropped - Source:184.108.40.206, 4249, WAN - Destination:213.93.xxx.xxx, 53, WAN - 'Name Service (DNS)' - Rule 0
(220.127.116.11 is not my DNS.)
Note: and at 6:06 on Saturday morning none of the PCs on the LAN were ON or had been on for at least 6 hours!
From: Jeffrey Pike [mailto:jpike at gpl.org]
Sent: Saturday, October 27, 2001 3:37 PM
To: dshield at dshield.org
Subject: [Dshield] UDP packets dropped from DNS server
I'm relatively new to these issues, so forgive me if my
questions have obvious answers. I have many lines like
this in my firewall logs:
10/23/2001 17:23:21.352 - UDP packet dropped -
Source:18.104.22.168, 53, WAN -
Destination:22.214.171.124, 9318, LAN -
- Rule 0
The source address is my ISP's DNS server. The destination
address is the firewall. Anything to worry about? What is
Technical Services Librarian
Groton Public Library
jpike at gpl.org
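
An added example, not part of the original messages: a short Python triage over SonicWall-style drop lines that sets aside late replies from a known resolver (the timed-out sessions described above) and keeps everything else for review. The resolver address, the sample log lines and the label names are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: resolvers this network really queries (constructed address).
KNOWN_RESOLVERS = {"192.0.2.53"}

# Matches the SonicWall-style "dropped" lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<proto>UDP|TCP) (?:packet|connection) dropped - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+ - "
)

def classify(line, resolvers=KNOWN_RESOLVERS):
    """Label one dropped-packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    src, sport, dport = m["src"].strip(), int(m["sport"]), int(m["dport"])
    # Reply from our own resolver to a high port: the state entry expired first.
    if m["proto"] == "UDP" and sport == 53 and src in resolvers and dport >= 1024:
        return "late-dns-reply"
    # An outside host opening a session to port 53 on the firewall.
    if dport == 53:
        return "inbound-to-port-53"
    # Source port 53, but not a resolver we use.
    if sport == 53:
        return "dns-port-from-unknown-source"
    return "other"

def triage(log_text, resolvers=KNOWN_RESOLVERS):
    """Return (counts per label, lines that are not benign late replies)."""
    counts, review = Counter(), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        label = classify(line, resolvers)
        counts[label] += 1
        if label != "late-dns-reply":
            review.append((label, line))
    return counts, review

# Constructed sample lines in the format shown in the thread.
SAMPLE_LOG = """
10/23/2001 17:23:21.352 - UDP packet dropped - Source:192.0.2.53, 53, WAN - Destination:203.0.113.10, 9318, LAN - - Rule 0
10/23/2001 17:23:24.101 - UDP packet dropped - Source:192.0.2.53, 53, WAN - Destination:203.0.113.10, 9321, LAN - - Rule 0
10/27/2001 06:06:55.320 - TCP connection dropped - Source:198.51.100.7, 4249, WAN - Destination:203.0.113.10, 53, WAN - 'Name Service (DNS)' - Rule 0
10/27/2001 06:07:02.000 - UDP packet dropped - Source:198.51.100.99, 53, WAN - Destination:203.0.113.10, 1031, LAN - - Rule 0
"""

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
```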