[Dshield] Help: DNS (53)

Chris Brenton cbrenton at chrisbrenton.org
Fri Jan 2 10:45:00 GMT 2004

Greets dude,

On Thu, 2004-01-01 at 20:49, Alan Frayer wrote:
> Thank you for replying, Chris.

Glad to help. :)

>  The target IPs are ISP-provided public
> IPs into private networks that are connected together through VPNs.

So these are public IPs that have been assigned to VPN gateways?

> None
> of the private networks hold a DNS, and the only names they've been
> given are NetBIOS names (which I do not believe would apply here); they
> all exist within a simple NT domain.

Nope, the NetBIOS names should not play into it, although I have seen
later model Windows systems make port 53 requests from the NetBIOS
ports. Not sure what's up with that, but I don't think it applies to
what you are describing. Also, and I'm sure you've done this already,
but its always worth checking your outbound logs to verify that no one
has setup a name server on their local system. People read it may speed
up their Internet surfing so they set it up without thinking twice about
it. ;-)

> I would have to answer no to both questions, so I'm probably right in
> rejecting the 53/UDP packets.

I would agree. The other possibility is many times people will point to
an internal name server when they come in over a VPN in order to learn
the IP of internal privately addressed systems. When this happens the
source IP will be the same as the IP connecting via a VPN. Again, it
does not sound like this applies to what you are describing. 

> One thing I've not done was look to see if the source addresses resolve
> to a browsable location. I'll have to check that.

Another thing you can try is:
whois -h whois.arin.net source.ip.to.check

This will either tell you who owns the IP, or its been delegated to
RIPE, APNIC or someone else. If you get back an authority just redo your
query pointing at them:
whois -h whois.ripe.net source.ip.to.check

If you are running on a new Linux system or another platform that has
implemented the latest whois, you can get away with just doing a:
whois source.ip.to.check

and it will follow the trail for you.

> > Or.... there are fewer people at _your_ site during those times
> > generating outbound queries that are causing this possible load balancer
> > to check performance metrics back to your site.
> Certainly never occurred to me, but since I don't have a name server
> behind the IP, this isn't likely, right?

Correct. This would only apply if the IP they are targeting is a many to
one NAT address. That does not seem to apply here.


More information about the list mailing list