Date: Mon, 26 May 2003 21:05:59 +0400
From: "Nickolay A. Kritsky"
Message-ID: <7112464012.20030526210559@internethelp.ru>
To: Fernando Schapachnik
In-Reply-To: <20030526163255.GJ637@bal740r0.mecon.gov.ar>
Cc: freebsd-security@freebsd.org
Subject: Re: sshd doing dns queries on localhost?

Hello Fernando,

FAQ.
For example see
;-------
http://www.freebsd.org/cgi/search.cgi?words=sshd+resolv.conf+privsep&max=25&sort=score&index=all&source=freebsd-security
;-------
(URL can be wrapped)

Monday, May 26, 2003, 8:32:55 PM, you wrote:

FS> Hi,
FS> I noted on my 4.7 machines that when a ssh connection is made, the
FS> following PTR query happens (10.11.1.11 is the src address in the example):

FS> 13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)

FS> This is very weird because resolv.conf points to another server. Also,
FS> the capture is from lo0.

FS> Not that I see a security problem here (just the annoyance of this
FS> filling my log_in_vain logs), but I'm curious about the reason; at least I didn't
FS> find any clue looking at source.

FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526

FS> Thanks for any pointer!

FS> Regards!

FS> Fernando.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru