From owner-freebsd-security Wed Apr 10 8:18:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by hub.freebsd.org (Postfix) with ESMTP id ED63C37B42C for ; Wed, 10 Apr 2002 08:17:49 -0700 (PDT)
Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id TAA05765; Wed, 10 Apr 2002 19:17:34 +0400 (MSD)
Received: from 217.195.79.7 ([217.195.79.7]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 2SVJTQY1; Wed, 10 Apr 2002 19:17:32 +0400
Date: Wed, 10 Apr 2002 19:17:31 +0400
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A. Kritsky"
X-Priority: 3 (Normal)
Message-ID: <62102913812.20020410191731@internethelp.ru>
To: X Philius
Cc: freebsd-security@freeBSD.ORG
Subject: Re: Mysterious entries in kernel log relating to DNS
In-reply-To: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
References: <20020410143646.56360.qmail@web11807.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello X,

Wednesday, April 10, 2002, 6:36:46 PM, you wrote:

XP> Security Folks,

XP> I am running 4.4 Release, I have Bind 9.02 running on my box. I am
XP> authoritative for a domain or two, and use my own name server for
XP> resolution within my server (ie with lynx, nslookup or dig). Everything
XP> seems to work fine DNS wise, I can always get resolution, and my DNS
XP> setup appears to work correctly from the net at large (according to the
XP> DNS tester at declude.com, and the fact that I can access the domains I
XP> am authoritative on from another ISP etc).

XP> Question:

XP> Periodically (a few times a week) I get these entries in the security
XP> email automagically sent by the standard scripts in periodic. Sometimes
XP> there are many of them, and sometimes there are only a few or none. I
XP> *am* using IPFW, however these entries are not being blocked by my last
XP> rule, which I have numbered 999 (an example entry that *is* being
XP> blocked by rule number 999 is also pasted below for clarity). My
XP> understanding is that this log entry means that an attempt is being
XP> made by localhost to access the name server on localhost, but that bind
XP> is not listening or the request is malformed. I realize that this may
XP> not be a question for security, but it *is* generated by the built in
XP> FreeBSD security scripts, so I thought I'd start here. Thanks in
XP> advance for any light you can shed on this phenom.

XP> Jason

>> Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53
>> Apr 9 03:06:02 {myservername} /kernel: Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53

>> ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0

I suppose that you have enabled net.inet.udp.log_in_vain in your sysctls.
These packets are not blocked by ipfw because of the rule "pass all from any to any via lo0", which is normally turned on.

The reason for such a log entry may be this:

1) some program (P) tries to resolve `foo.bar.edu' and sends a UDP request from port 4699 to port 53
2) the request takes so much time that P stops waiting for the response and exits.
3) the response comes to port 4699, but there is nobody waiting for it.
4) the kernel logs the connection attempt.
5) ...later that evening... the security check sends you email. :)

I may be wrong, because I have never tried such a scenario.

Hope that helps

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru
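The scenario Nickolay describes leaves a recognisable signature in the daily security mail: a loopback packet whose source port is 53 and whose destination is a high-numbered client port. The script below is an added example, not code from this thread, from FreeBSD's periodic scripts or from ipfw; it parses the two kinds of line Jason pasted (the log_in_vain kernel message and the ipfw deny) and separates late DNS replies from firewall denies and from other unsolicited packets, so a reader triaging the report can see at a glance which entries are noise. The EPHEMERAL_MIN threshold of 1024 is an assumption for the example, and the two extra sample lines (a resolver at 192.0.2.53 and a probe from 198.51.100.7) are constructed, not taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Kernel message written when net.inet.udp.log_in_vain (or the TCP twin)
# is set and a packet arrives for a port nobody is listening on.
VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)

# ipfw log line as it shows up in the periodic security mail.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

DNS_PORT = 53
EPHEMERAL_MIN = 1024  # assumption: ports at or above this are client-side ports


def classify(line: str) -> dict:
    """Tag one security-report line with a 'kind' and the fields it carries."""
    m = VAIN_RE.search(line)
    if m:
        src_ip = ipaddress.ip_address(m["src_ip"])
        dst_ip = ipaddress.ip_address(m["dst_ip"])
        src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
        rec = {
            "kind": "unsolicited",
            "proto": m["proto"],
            "src": f"{src_ip}:{src_port}",
            "dst": f"{dst_ip}:{dst_port}",
        }
        # A reply from port 53 to a client port with nobody listening is the
        # "resolver gave up before the answer arrived" case from the thread.
        if src_port == DNS_PORT and dst_port >= EPHEMERAL_MIN:
            if src_ip.is_loopback and dst_ip.is_loopback:
                rec["kind"] = "late-dns-reply-local"   # own named answering late
            else:
                rec["kind"] = "late-dns-reply-remote"  # upstream resolver answering late
        return rec
    m = IPFW_RE.search(line)
    if m:
        return {
            "kind": f"ipfw-{m['action'].lower()}",
            "rule": int(m["rule"]),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "iface": m["iface"],
        }
    return {"kind": "other"}


def summarize(lines) -> Counter:
    """Count report lines per kind so the noisy categories stand out."""
    return Counter(classify(line)["kind"] for line in lines)


# Sample input: the two lines from the thread plus two constructed ones.
SAMPLE_LINES = [
    "Apr 9 03:06:02 {myservername} /kernel: Connection attempt to UDP 127.0.0.1:4699 from 127.0.0.1:53",
    "ipfw: 999 Deny ICMP:8.0 63.251.129.65 10.1.3.2 in via xl0",
    # constructed: late answer from an upstream resolver (192.0.2.53 is documentation space)
    "Apr 9 03:08:11 {myservername} /kernel: Connection attempt to UDP 10.1.3.2:3412 from 192.0.2.53:53",
    # constructed: something reaching a closed port that is not a DNS reply at all
    "Apr 9 03:09:45 {myservername} /kernel: Connection attempt to TCP 10.1.3.2:111 from 198.51.100.7:40211",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(dict(summarize(SAMPLE_LINES)))
```

Only the "unsolicited" and "ipfw-deny" kinds warrant a closer look; the late-reply kinds are exactly the timing artefact the reply explains, and dropping them from the mail (or raising the resolver timeout) removes the noise without touching the lo0 pass rule.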