[Dshield] Help: DNS (53)

Alan Frayer afrayer at frayernet.com
Thu Jan 1 16:30:58 GMT 2004


On Thu, 2004-01-01 at 11:10, David Hart wrote:

> OK. Then there is no applicable (IPTables) firewall rule other than
> "Accept" DPT=53?
>  >
> > Allowing ALL incoming packets FROM udp port 53 means that ANY UDP 
> > datagram can get through your firewall, as long as the source port is 
> > 53. Probably not what you intended.
> > 
> That makes abundant sense. Presumably then, I want to limit to DPT >
> 32000 and < ???? Any suggestions?


Okay, I've been trying to follow this thread with some interest because
I've been getting hit with UDP 53 packets for the last month at one or
two of my IPs. The volume of these packets have been far exceeding my
normal noise level. There is no DNS server at these addresses, and I was
trying to figure out why these packets have been appearing. For the most
part, the source addresses have not been targeting multiple addresses,
so they slip past the Dshield Fightback rules. And they seem to slack
off during overnight or holiday hours, suggesting these are manned PCs
that get shut down at the end of a work day.

Are these packets actually harmless, and I've over-reacted to them? I
have port 53 blocked except for traffic intended specifically to our
designated external DNS servers.


________________________________________________________________________

Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 
 



More information about the list mailing list