[Dshield] UDP packets dropped from DNS server

Lijster. Mario de Mdlijster at Prioritytelecom.com
Mon Oct 29 16:12:03 GMT 2001


Jeffrey and all,

I have (had) exactly the same lines on my FW. (Only source and destination address differ.)
At my FW it appeared to be a time out issue.
The FW simply has erased the record of this session because it took too long to get an answer from the DNS.
And after that the FW refuses it because it looks like a "WAN initiated session attempt". (I don't know a better word for it.) Usually via a SonicWall that's rule 0. Your ISP has a slow/busy DNS.
Setting the time out longer will increase your vulnerability. I have decided to live with it and ignore these lines in my log analysis.

Sometimes I get to see a "real one" like this one, they are easy to detect:
10/27/2001 06:06:55.320 - 	TCP connection dropped - 	Source:209.235.8.118, 4249, WAN - 	Destination:213.93.xxx.xxx, 53, WAN - 	'Name Service (DNS)' - 	Rule 0


(209.235.8.118 is not my DNS.)

Note: and at 6:06 on Saturday morning none of the PCs on the LAN were ON or had been on for at least 6 hours!
 





-----Original Message-----
From: Jeffrey Pike [mailto:jpike at gpl.org]
Sent: Saturday, October 27, 2001 3:37 PM
To: dshield at dshield.org
Subject: [Dshield] UDP packets dropped from DNS server


I'm relatively new to these issues, so forgive me if my
questions have obvious answers. I have many lines like
this in my firewall logs:

10/23/2001 17:23:21.352 - UDP packet dropped -
Source:216.20.63.145, 53, WAN -
Destination:216.20.115.5, 9318, LAN -
 	 - 	Rule 0

The source address is my ISP's DNS server. The destination
address is the firewall. Anything to worry about? What is
indicated?

Thank-you,
Jeffrey Pike
Technical Services Librarian
Groton Public Library
Groton, MA
jpike at gpl.org
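
Added example, not part of either post: a small Python triage script that separates the two kinds of drop lines discussed in this thread, late replies from a known resolver (UDP, source port 53) versus inbound attempts aimed at port 53. The category names, the resolver set and the third sample line are assumptions made for illustration; the first two sample lines are the ones quoted above.

```python
import re
from collections import Counter

# Matches the SonicWall-style "dropped" lines quoted in this thread.
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?:packet|connection) dropped\s*-\s*"
    r"Source:(?P<src>[^,]+),\s*(?P<sport>\d+),\s*\w+\s*-\s*"
    r"Destination:(?P<dst>[^,]+),\s*(?P<dport>\d+),"
)

def classify(line, resolvers):
    """Return a triage label for one firewall drop line."""
    m = LINE_RE.search(line)
    if m is None:
        return "unparsed"
    src = m["src"].strip()
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == 53:
        # Something on the WAN tried to reach a DNS service behind the firewall.
        return "inbound-to-port-53"
    if m["proto"] == "UDP" and sport == 53:
        # A DNS answer with no matching session: expected from a slow resolver
        # whose reply arrived after the state entry timed out.
        return "late-dns-reply" if src in resolvers else "dns-reply-from-unknown-host"
    return "other-drop"

def summarize(lines, resolvers):
    """Count drop lines per label so the routine noise can be filtered out."""
    return Counter(classify(line, resolvers) for line in lines)

# Resolver named in the original question (the ISP's DNS server).
RESOLVERS = {"216.20.63.145"}

SAMPLE = [
    # Quoted in the original question.
    "10/23/2001 17:23:21.352 - UDP packet dropped - Source:216.20.63.145, 53, WAN - "
    "Destination:216.20.115.5, 9318, LAN - - Rule 0",
    # Quoted in the reply.
    "10/27/2001 06:06:55.320 - TCP connection dropped - Source:209.235.8.118, 4249, WAN - "
    "Destination:213.93.xxx.xxx, 53, WAN - 'Name Service (DNS)' - Rule 0",
    # Constructed line using documentation addresses.
    "10/28/2001 02:10:00.000 - UDP packet dropped - Source:198.51.100.7, 53, WAN - "
    "Destination:192.0.2.10, 4021, LAN - - Rule 0",
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE, RESOLVERS).items():
        print(f"{count:3d}  {label}")
```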
