Explanation of DNS requests
Posted on 2006-06-24
I've had a problem with intermittent DNS through my ISP for some time. I'm running my own DNS servers, which are nat'd behind a PIX 501 firewall along with the rest of my LAN. Both servers have external IP addresses with static routes + access rules defined in the PIX. At first I blamed my RHES server, which would lose DNS resolution where my Debian server did not, however as the primary server for the primary domain it would seem natural that the Redhat machine would get more requests than the Debian machine. I have put the Redhat server outside the PIX and had no problem with DNS resolution, however the test period was brief, since I'm not running iptables on that machine. At one point recently I lost DNS simultaneously on both servers (during these times I do not lose comms - I can ping external IP addresses from either server). I decided to change the PIX log level to warning, and a pattern has emerged, which I copy below.
PIX inside interface: 192.168.0.1
PIX outside interface: 188.8.131.52
spn: some port number, which appears to be random, such as 1217, 1220, 1392, 1401, 159, 179, 1, 36, 11, 1032, 14, 22, 34, etc.
Jun 21 14:48:15 192.168.0.1 Jun 22 2006 13:24:40 pix : %PIX-4-106023: Deny udp src outside:184.108.40.206/53 dst inside:220.127.116.11/spn by access-group "acl_out"
Jun 22 15:47:10 192.168.0.1 Jun 22 2006 14:23:36 pix : %PIX-4-106023: Deny udp src outside:18.104.22.168/53 dst inside:22.214.171.124/spn by access-group "acl_out"
Jun 23 16:33:01 192.168.0.1 Jun 22 2006 15:09:26 pix : %PIX-4-106023: Deny udp src outside:126.96.36.199/53 dst inside:188.8.131.52/spn by access-group "acl_out"
Jun 24 17:43:02 192.168.0.1 Jun 22 2006 15:09:28 pix : %PIX-4-106023: Deny udp src outside:184.108.40.206/53 dst inside:220.127.116.11/spn by access-group "acl_out"
These DNS requests are blocked because I'm nat'd - as I understand it, DNS requests are supposed to be answered by Network Solutions where I'm registered. So the PIX is probably not the culprit, but I was wondering why the frequent requests (about 25 per day) for DNS on such a wide range of destination ports. I looked up the two requesting IPs and one belongs to UUNET, the other to NTT America (most of the requests originate from UUNET).