Date: Wed, 10 Apr 2002 19:17:31 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: X Philius <xphilius@yahoo.com>
Cc: freebsd-security@freeBSD.ORG
Subject: Re: Mysterious entries in kernel log relating to DNS
Message-ID: <62102913812.20020410191731@internethelp.ru>
In-Reply-To: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
References: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
Hello X,

Wednesday, April 10, 2002, 6:36:46 PM, you wrote:

XP> Security Folks,
XP> I am running 4.4 Release, I have Bind 9.02 running on my box. I am
XP> authoritative for a domain or two, and use my own name server for
XP> resolution within my server (i.e. with lynx, nslookup or dig). Everything
XP> seems to work fine DNS wise, I can always get resolution, and my DNS
XP> setup appears to work correctly from the net at large (according to the
XP> DNS tester at declude.com, and the fact that I can access the domains I
XP> am authoritative on from another ISP etc).
XP> Question:
XP> Periodically (a few times a week) I get these entries in the security
XP> email automagically sent by the standard scripts in periodic. Sometimes
XP> there are many of them, and sometimes there are only a few or none. I
XP> *am* using IPFW, however these entries are not being blocked by my last
XP> rule, which I have numbered 999 (an example entry that *is* being
XP> blocked by rule number 999 is also pasted below for clarity). My
XP> understanding is that this log entry means that an attempt is being
XP> made by localhost to access the name server on localhost, but that bind
XP> is not listening or the request is malformed. I realize that this may
XP> not be a question for security, but it *is* generated by the built in
XP> FreeBSD security scripts, so I thought I'd start here. Thanks in
XP> advance for any light you can shed on this phenom.
XP> Jason
>> Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
>> Apr 9 03:06:02 {myservername} /kernel: Connection attempt to UDP
XP> 127.0.0.1:4699 from 127.0.0.1:53
>> ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0

I suppose that you have enabled net.inet.udp.log_in_vain in your sysctls. These packets are not blocked by ipfw because of the rule "pass all from any to any via lo0", which is normally turned on.

The reason for such a log entry may be this:
1) some program (P) tries to resolve `foo.bar.edu' and sends a UDP request from port 4699 to port 53
2) the request takes so much time that P stops waiting for the response and exits.
3) the response comes to port 4699, but there is nobody waiting for it.
4) the kernel logs the connection attempt.
5) ...later that evening... the security check sends you an email. :)

I can be wrong, because I have never tried such a scenario.

Hope that helps

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
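As an added illustration (not code from this thread), the script below applies the explanation above to the lines that land in the daily security mail: it separates loopback UDP entries whose source port is 53 (a late answer from the local name server arriving at an ephemeral port that nobody listens on any more, and which ipfw passes via lo0) from other log_in_vain entries that deserve a closer look. The log-line pattern follows the kernel message quoted above, and the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Shape of the kernel lines produced by net.inet.udp.log_in_vain / net.inet.tcp.log_in_vain,
# as quoted in the message above.
LOG_IN_VAIN = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample of a security report; addresses/ports are the ones used in the thread.
SAMPLE = [
    "Apr  9 03:06:02 myserver /kernel: Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53",
    "Apr  9 03:06:02 myserver /kernel: Connection attempt to UDP 127.0.0.1:2811 from 127.0.0.1:53",
    "Apr  9 04:12:40 myserver /kernel: Connection attempt to TCP 127.0.0.1:25 from 127.0.0.1:1033",
    "Apr  9 05:01:17 myserver /kernel: Connection attempt to UDP 10.1.3.2:137 from 63.251.129.65:1025",
    "Apr  9 05:01:18 myserver /kernel: ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0",
]


def classify(line):
    """Return (category, fields) for a log_in_vain line, or None for any other line (e.g. ipfw denies)."""
    m = LOG_IN_VAIN.search(line)
    if m is None:
        return None
    f = m.groupdict()
    src, dst = ip_address(f["src"]), ip_address(f["dst"])
    sport, dport = int(f["sport"]), int(f["dport"])
    if f["proto"] == "UDP" and src.is_loopback and dst.is_loopback and sport == 53 and dport >= 1024:
        # Reply from the local resolver to a high port: the timed-out-lookup scenario described above.
        return "late-dns-reply", f
    if src.is_loopback and dst.is_loopback:
        # Loopback traffic to a closed port that is not a DNS answer: some other local program.
        return "loopback-other", f
    # Traffic from outside that reached a closed port without ipfw dropping it: review the rule set.
    return "external", f


def summarize(lines):
    """Count log_in_vain entries per category so the harmless loopback noise stands apart."""
    counts = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE).items()):
        print(f"{category:16s} {n}")
```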