Explanation of DNS requests

I've had a problem with intermittent DNS through my ISP for some time.  I'm running my own DNS servers, which are nat'd behind a PIX 501 firewall along with the rest of my LAN.  Both servers have external IP addresses with static routes + access rules defined in the PIX.  At first I blamed my RHES server, which would lose DNS resolution where my Debian server did not, however as the primary server for the primary domain it would seem natural that the Redhat machine would get more requests than the Debian machine.  I have put the Redhat server outside the PIX and had no problem with DNS resolution, however the test period was brief, since I'm not running iptables on that machine.  At one point recently I lost DNS simultaneously on both servers (during these times I do not lose comms - I can ping external IP addresses from either server).   I decided to change the PIX log level to warning, and a pattern has emerged, which I copy below.
Explanatory notes:  
PIX inside interface: 192.168.0.1
PIX outside interface: 1.2.3.4
spn:  some port number, which appears to be random, such as 1217, 1220, 1392, 1401, 159, 179, 1, 36, 11, 1032, 14, 22, 34, etc.  

Jun 21 14:48:15 192.168.0.1 Jun 22 2006 13:24:40 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 22 15:47:10 192.168.0.1 Jun 22 2006 14:23:36 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 23 16:33:01 192.168.0.1 Jun 22 2006 15:09:26 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

Jun 24 17:43:02 192.168.0.1 Jun 22 2006 15:09:28 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/spn by access-group "acl_out"

These DNS requests are blocked because I'm nat'd - as I understand it, DNS requests are supposed to be answered by Network Solutions where I'm registered.  So the PIX is probably not the culprit, but I was wondering why the frequent requests (about 25 per day) for DNS on such a wide range of destination ports.  I looked up the two requesting IPs and one belongs to UUNET, the other to NTT America (most of the requests originate from UUNET).


Asked: klukac
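To see what the denied entries actually are, it helps to parse them rather than eyeball them. The following is an added example, not part of the thread or of any Cisco tooling: a small parser for the %PIX-4-106023 message as quoted above, which labels each deny by its port pair. UDP arriving from source port 53 to some other port on the inside address is the reply half of a DNS lookup (a remote name server answering a query the inside resolver sent from an ephemeral port), and a deny on the outside access-group means the PIX found no connection state to match the answer to. The sample lines are constructed from the four in the question with the "spn" placeholder replaced by ports from the author's own list, plus one unrelated TCP deny (documentation-range address) to show what the classifier leaves alone.

```python
import re
from collections import Counter

# Pattern for the Cisco PIX syslog message %PIX-4-106023 (packet denied by an
# access-group), in the form the question quotes.
PIX_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: the question's four lines with "spn" replaced by ports
# from the author's list, plus one unrelated TCP deny (constructed, not from
# the original log) so the classifier has something to leave alone.
SAMPLE_LOG = [
    'Jun 22 2006 13:24:40 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/1217 by access-group "acl_out"',
    'Jun 22 2006 14:23:36 pix : %PIX-4-106023: Deny udp src outside:65.216.72.15/53 dst inside:1.2.3.4/1220 by access-group "acl_out"',
    'Jun 22 2006 15:09:26 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/159 by access-group "acl_out"',
    'Jun 22 2006 15:09:28 pix : %PIX-4-106023: Deny udp src outside:204.0.99.15/53 dst inside:1.2.3.4/1032 by access-group "acl_out"',
    'Jun 22 2006 15:10:02 pix : %PIX-4-106023: Deny tcp src outside:198.51.100.7/4412 dst inside:1.2.3.4/25 by access-group "acl_out"',
]


def parse_deny(line):
    """Return the fields of a 106023 deny message, or None for any other line."""
    m = PIX_106023.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["proto"] = ev["proto"].lower()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def classify(ev):
    """Label a deny by what its port pair says about the traffic.

    UDP *from* port 53 to a non-53 port on the inside address is a name
    server answering a query the inside host sent from an ephemeral port.
    Seeing those denied by the outside access-group means the firewall has
    no connection state to match the answer against.
    """
    if ev["proto"] == "udp" and ev["src_port"] == 53 and ev["dst_port"] != 53:
        return "dns-reply-to-ephemeral-port"
    if ev["proto"] == "udp" and ev["dst_port"] == 53:
        return "dns-query"
    return "other"


def summarize(lines):
    """Parse syslog lines; count deny kinds and denied DNS replies per answering server."""
    events = [ev for ev in (parse_deny(l) for l in lines) if ev is not None]
    kinds = Counter(classify(ev) for ev in events)
    reply_sources = Counter(
        ev["src_ip"] for ev in events if classify(ev) == "dns-reply-to-ephemeral-port"
    )
    return {
        "parsed": len(events),
        "kinds": dict(kinds),
        "reply_sources": dict(reply_sources),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    if report["reply_sources"]:
        print("Denied DNS replies seen: check that the inside resolver's outbound "
              "UDP/53 queries are permitted so the PIX keeps state for the answers.")
```

Run against a real log export, the per-server counts tell you which upstream name servers are answering queries that the firewall then refuses to deliver; if the outbound UDP/53 rule is the problem, as the accepted comment suggests, fixing that rule should make these entries disappear.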
1 Solution
 
klukacAuthor Commented:
Pls ignore the inconsistencies in the 2d date set (all 22 Jun) - I was trying to show a representative sample from the pix log file but obviously didn't finish my edit :(
 
ahoffmannCommented:
sounds like your PIX does not allow outgoing UDP with destination port 53 (DNS)
 
klukacAuthor Commented:
what was I thinking...thanks :)