[Dshield] DNS Question

Stephane Grobety security at admin.fulgan.com
Thu Sep 25 16:38:31 GMT 2003

BS> Does anyone know why I'd be getting UDP Packets from my ISP's DNS Servers
BS> from port 53 to port 1031?

The most obvious answer is that this is the result of DNS queries made
by your internal machines. As the target port shown is in the dynamic
port range, it is pretty likely.

Make sure you don't have a rogue client that goes directly to your ISP
DNS server instead of talking to your internal DNS. If you don't have
an internal DNS server, or if your internal DNS server uses UDP to
delegate its queries, then you'll have to make a rule to accept all
packets coming from port 53 to port 53 and to high ports, with the
source of your ISP's DNS server, to get to all the clients that will
potentially need to resolve. The downside of this is that anyone
spoofing your DNS server will then be able to send packets to any high
ports of the target machines, making them prime targets for a DNS spoof
attack (most client DNS resolvers are pretty dumb).

Good luck,
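To illustrate the trade-off the reply describes, here is an added example (not part of the original post) that models both rules in Python: the static "accept port 53 from the ISP resolver to any high port" rule beside a stateful filter that only admits replies matching a query it saw leave. The ISP resolver address, client addresses and transaction IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

ISP_DNS = "198.51.100.53"   # constructed placeholder for the ISP's resolver
DYNAMIC_PORT_MIN = 1024     # start of the dynamic/high port range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int               # DNS transaction ID carried in the payload


def stateless_allows(pkt: Packet) -> bool:
    """The rule from the post: accept anything from the ISP resolver's port 53
    to port 53 or a high port, with no knowledge of prior outbound traffic."""
    return (pkt.src_ip == ISP_DNS and pkt.src_port == 53
            and (pkt.dst_port == 53 or pkt.dst_port >= DYNAMIC_PORT_MIN))


class StatefulDnsFilter:
    """Admit a reply only if a matching query left through the filter.
    A stateful firewall keys on the address/port tuple; the transaction ID
    is the extra check a resolver applies, included here to show both."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, int, int], bool] = {}

    def outbound(self, pkt: Packet) -> None:
        # Remember queries sent to the ISP resolver so their replies can match.
        if pkt.dst_ip == ISP_DNS and pkt.dst_port == 53:
            self.pending[(pkt.src_ip, pkt.src_port, pkt.txid)] = True

    def inbound_allows(self, pkt: Packet) -> bool:
        if not stateless_allows(pkt):
            return False
        # One reply per query: pop so a replayed reply is also rejected.
        return self.pending.pop((pkt.dst_ip, pkt.dst_port, pkt.txid), False)


def simulate() -> Dict[str, Tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for constructed packets."""
    f = StatefulDnsFilter()
    f.outbound(Packet("192.168.1.10", 1031, ISP_DNS, 53, 0x1A2B))
    genuine = Packet(ISP_DNS, 53, "192.168.1.10", 1031, 0x1A2B)
    unsolicited = Packet(ISP_DNS, 53, "192.168.1.20", 2049, 0x0001)
    results = {"genuine": (stateless_allows(genuine), f.inbound_allows(genuine))}
    results["replay"] = (stateless_allows(genuine), f.inbound_allows(genuine))
    results["unsolicited"] = (stateless_allows(unsolicited), f.inbound_allows(unsolicited))
    return results
```

The unsolicited packet passes the static rule but is dropped by the stateful filter, which is exactly the exposure the reply warns about.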

