Solved

Explanation of DNS requests

Posted on 2006-06-24
273 Views
Last Modified: 2010-03-18
I've had a problem with intermittent DNS through my ISP for some time. I'm running my own DNS servers, which are NAT'd behind a PIX 501 firewall along with the rest of my LAN. Both servers have external IP addresses with static routes + access rules defined in the PIX. At first I blamed my RHES server, which would lose DNS resolution where my Debian server did not; however, as the primary server for the primary domain, it would seem natural that the Red Hat machine would get more requests than the Debian machine. I have put the Red Hat server outside the PIX and had no problem with DNS resolution, however the test period was brief, since I'm not running iptables on that machine. At one point recently I lost DNS simultaneously on both servers (during these times I do not lose comms - I can ping external IP addresses from either server). I decided to change the PIX log level to warning, and a pattern has emerged, which I copy below.
Explanatory notes:  
PIX inside interface: 192.168.0.1
PIX outside interface: 1.2.3.4
spn:  some port number, which appears to be random, such as 1217, 1220, 1392, 1401, 159, 179, 1, 36, 11, 1032, 14, 22, 34, etc.  

Jun 21 14:48:15 192.168.0.1 Jun 22 2006 13:24:40 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 22 15:47:10 192.168.0.1 Jun 22 2006 14:23:36 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 23 16:33:01 192.168.0.1 Jun 22 2006 15:09:26 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 24 17:43:02 192.168.0.1 Jun 22 2006 15:09:28 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

These DNS requests are blocked because I'm NAT'd - as I understand it, DNS requests are supposed to be answered by Network Solutions, where I'm registered. So the PIX is probably not the culprit, but I was wondering why the frequent requests (about 25 per day) for DNS on such a wide range of destination ports. I looked up the two requesting IPs and one belongs to UUNET, the other to NTT America (most of the requests originate from UUNET).


Question by:klukac
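As an added example, not part of the question or of any reply on this page: a small parser for the %PIX-4-106023 lines quoted above, run over a constructed sample. The quoted lines all share one shape - UDP, source port 53, destination 1.2.3.4 on a varying port - and that is exactly the shape of a DNS answer travelling back to the ephemeral port a client used for its query, so the parser labels such denies as "dns-answer-denied" and groups them by resolver. The sample lines below are constructed from the four quoted above, with the "spn" placeholder filled in using ports the poster listed (1217, 1220, 1392, 159), plus one unrelated TCP deny to show it is filtered out; they are not real captures.

```python
import re
from collections import defaultdict

# Constructed sample in the %PIX-4-106023 format quoted in the question.
# The "spn" placeholder is filled with ports the poster listed; the last
# line is an unrelated TCP deny added to show it is left out of the summary.
SAMPLE_LOG = """\
Jun 21 14:48:15 192.168.0.1 Jun 22 2006 13:24:40 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/1217 by access-group "acl_out"
Jun 22 15:47:10 192.168.0.1 Jun 22 2006 14:23:36 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/1220 by access-group "acl_out"
Jun 23 16:33:01 192.168.0.1 Jun 22 2006 15:09:26 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/1392 by access-group "acl_out"
Jun 24 17:43:02 192.168.0.1 Jun 22 2006 15:09:28 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/159 by access-group "acl_out"
Jun 24 17:50:00 192.168.0.1 Jun 22 2006 15:20:00 pix : %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:1.2.3.4/22 by access-group "acl_out"
"""

# Fields of a 106023 deny: protocol, interface:ip/port on each side, ACL name.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify(entry):
    """Label a parsed deny by what it looks like on the wire.

    A DNS answer travels from the server's port 53 back to whatever ephemeral
    port the client chose, so UDP with src port 53 and a non-53 dst port is an
    answer to a query that already went out.  UDP *to* port 53 is a query.
    """
    if entry["proto"] != "udp":
        return "other"
    if entry["src_port"] == 53 and entry["dst_port"] != 53:
        return "dns-answer-denied"
    if entry["dst_port"] == 53:
        return "dns-query-denied"
    return "other"


def summarize(log_text):
    """Group denied DNS answers by resolver IP: count and the set of client ports hit."""
    summary = defaultdict(lambda: {"count": 0, "dst_ports": set()})
    for line in log_text.splitlines():
        entry = parse_deny(line)
        if entry is None or classify(entry) != "dns-answer-denied":
            continue
        bucket = summary[entry["src_ip"]]
        bucket["count"] += 1
        bucket["dst_ports"].add(entry["dst_port"])
    return dict(summary)


if __name__ == "__main__":
    for resolver, info in summarize(SAMPLE_LOG).items():
        print(f"{resolver}: {info['count']} denied answers, "
              f"client ports {sorted(info['dst_ports'])}")
```

Run against a real PIX syslog export, a steady stream of "dns-answer-denied" entries with scattered destination ports, and no matching permitted queries, is the signature to look for: the queries are leaving but their answers are being dropped at the ACL.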

Author Comment

by:klukac
ID: 16977346
Pls ignore the inconsistencies in the 2nd date set (all 22 Jun) - I was trying to show a representative sample from the PIX log file but obviously didn't finish my edit :(

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 16977941
Sounds like your PIX does not allow outgoing UDP with destination port 53 (DNS).

Author Comment

by:klukac
ID: 16979181
what was I thinking...thanks :)