Date:      Sat, 29 Jan 2000 09:46:48 -0500 (EST)
From:      Omachonu Ogali <oogali@intranova.net>
To:        Samara McCord <mccord@zytek.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Continual DNS requests from mysterious IP
Message-ID:  <Pine.BSF.4.10.10001290933320.25220-100000@hydrant.intranova.net>
In-Reply-To: <200001290216.SAA34537@floozy.zytek.com>

If you understand the tcpdump output you'll see that it's a query
for the MX records of aol.com so a successful mail transfer can be
achieved. This is the normal course of events:

1) The user types the e-mail (or a program generates the e-mail)
   and transfers it to the local mail daemon or the SMTP daemon.

2) The mail daemon looks at the outgoing address and requests a "what
   mailserver is authoritative for this address" record from the local
   resolver.

3) The local resolver forwards the request to the first available name
   server specified from /etc/resolv.conf. (Line 1 of tcpdump)

4) -hidden- The other nameservers forward to the root servers and traverse
   down the path of yellow brick DNS road till it gets an answer.

5) Our happy little nameserver runs back to the requesting resolver with
   an answer (Line 2 of tcpdump).

Apparently, your machine is either blocking the replies, dropping them, or
not seeing them at all, causing the retransmits of steps 3-5. Now the
normal course of events would continue like this:

6) Our local resolver flings it back to the original application that made
   the res_mkquery() call, and the application handles as it wants, since
   this is a name server then...

7) The mail daemon attempts a connection to the mail exchanger with 
   the highest preference from that domain, if that fails, go to the next
   highest preference, so on and so forth.

8) The mail message is then transferred after the connection and it
   returns an error or successful message to syslog or the user.

Note: Step 7 also includes resolving the mail exchanger to an IP address
      before connecting to it. (But you knew that already.)

I would advise you to check your firewall rules in case you are denying
everything or not enough. :) Then if that fails, go through a general
network diagnostic test and see why those packets are being dropped.

Omachonu Ogali
Intranova Networking Group
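The capture quoted below can be checked mechanically. The following script is an added example, not code from either message in the thread: it parses tcpdump's DNS summary lines, flags a client that repeats the same question more than a threshold number of times inside a short window, and flags off-net clients that send recursion-desired queries for names the server is not authoritative for (the open-resolver pattern Sam alludes to). The sample lines are constructed from the posted capture: 192.0.2.53 stands in for the masked server address, and the 192.0.2.10 client, the 192.0.2.0/24 "our network" prefix and the example.org zone are assumptions for illustration.

```python
"""Flag repeated and off-net recursive DNS queries in tcpdump output."""
import ipaddress
import re
from collections import defaultdict

# tcpdump's classic DNS summary line:  ts src.port > dst.port: id[+] body
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): "
    r"(?P<id>\d+)(?P<rd>\+?) (?P<body>.*)$"
)
# A query body looks like "MX? aol.com. (25)"; answers start with "n/n/n".
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)")


def parse_line(line):
    """Return a dict for a DNS query line, or None for answers/other traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = QUERY_RE.match(m.group("body"))
    if not q:
        return None  # an answer, or something tcpdump could not decode
    h, mi, s = m.group("ts").split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "rd": m.group("rd") == "+",  # '+' means recursion desired
        "qtype": q.group("qtype"),
        "qname": q.group("qname").lower(),
    }


def repeated_queries(lines, window=5.0, threshold=5):
    """(src, qtype, qname, n) for each client that asks the same question
    at least `threshold` times inside some `window`-second span."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        seen[(rec["src"], rec["qtype"], rec["qname"])].append(rec["t"])
    hits = []
    for key, times in seen.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:  # slide the left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits.append(key + (best,))
    return sorted(hits)


def in_zone(qname, zones):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def offnet_recursive(lines, allowed_nets, authoritative_zones):
    """Clients outside `allowed_nets` asking, with RD set, for names we are
    not authoritative for: the signature of an open resolver being used."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    zones = [z.lower().rstrip(".") + "." for z in authoritative_zones]
    flagged = set()
    for rec in filter(None, map(parse_line, lines)):
        src = ipaddress.ip_address(rec["src"])
        if rec["rd"] and not any(src in n for n in nets) \
                and not in_zone(rec["qname"], zones):
            flagged.add(rec["src"])
    return sorted(flagged)


# Constructed sample: 192.0.2.53 stands in for the masked server; the
# 212.205.50.129 queries and timestamps follow the posted capture, plus one
# assumed on-net client (192.0.2.10) asking for an assumed local zone.
SAMPLE = """\
15:58:36.768512 212.205.50.129.28912 > 192.0.2.53.domain: 15357+ MX? aol.com. (25) (DF)
15:58:36.770828 192.0.2.53.domain > 212.205.50.129.28912: 15357 9/2/16 MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15 (500)
15:58:37.101000 192.0.2.10.1025 > 192.0.2.53.domain: 700+ A? mail.example.org. (34)
15:58:38.444473 212.205.50.129.14970 > 192.0.2.53.domain: 1832+ MX? aol.com. (25) (DF)
15:58:38.778631 212.205.50.129.9245 > 192.0.2.53.domain: 41476+ MX? aol.com. (25) (DF)
15:58:38.827693 212.205.50.129.18818 > 192.0.2.53.domain: 60850+ MX? aol.com. (25) (DF)
15:58:39.367913 212.205.50.129.7526 > 192.0.2.53.domain: 56983+ MX? aol.com. (25) (DF)
15:58:40.419209 212.205.50.129.4028 > 192.0.2.53.domain: 47022+ MX? aol.com. (25) (DF)
15:58:40.420800 212.205.50.129.1875 > 192.0.2.53.domain: 2307+ MX? aol.com. (25) (DF)
""".splitlines()

if __name__ == "__main__":
    for src, qtype, qname, n in repeated_queries(SAMPLE):
        print(f"repeat: {src} asked {qtype} {qname} {n} times in 5s")
    for src in offnet_recursive(SAMPLE, ["192.0.2.0/24"], ["example.org"]):
        print(f"open-resolver use: {src} wants recursion for foreign names")
```

Feed it real output with something like `tcpdump -l -n port 53 | python3 dnswatch.py` after swapping `SAMPLE` for `sys.stdin`; the `-n` flag matters because the parser expects numeric addresses, and the regex only understands the single-line DNS summary format, not `-v` output.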

On Fri, 28 Jan 2000, Samara McCord wrote:

> Hello,
> 
> This is not an attack, but somewhat irritating.  Also it's something
> that no one would normally notice.  Well I was running tcpdump to check
> on something else and noticed this.  About once a second I'm getting
> DNS requests for the mail relay of "aol.com".  It has been going on all
> day, possibly for many days.  It bugged me so I put this IP address in
> my border filter to discard all packets.  Does anyone know what this is?
> Some kind of network monitoring?  The IP address is not reversible
> (surprise surprise), possibly in New York.  It sort of brings up the
> issue that possibly DNS inquiries should be limited to 1. domains for
> which you are authoritative, and 2. machines for which you provide
> dial-up service.  Below is a sample tcpdump output (my machine
> has been xxx'd out, the other IP address is real).
> 
> Sam
> 
> -------
> 15:58:36.768512 212.205.50.129.28912 > xxx.xxx.xxx.domain: 15357+ MX? aol.com. (25) (DF)
> 15:58:36.770828 xxx.xxx.xxx.domain > 212.205.50.129.28912: 15357 9/2/16 MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15 (500)
> 15:58:38.444473 212.205.50.129.14970 > xxx.xxx.xxx.domain: 1832+ MX? aol.com. (25) (DF)
> 15:58:38.446895 xxx.xxx.xxx.domain > 212.205.50.129.14970: 1832 9/2/16 MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15 (500)
> 15:58:38.778631 212.205.50.129.9245 > xxx.xxx.xxx.domain: 41476+ MX? aol.com. (25) (DF)
> 15:58:38.780911 xxx.xxx.xxx.domain > 212.205.50.129.9245: 41476 9/2/16 MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15 (500)
> 15:58:38.827693 212.205.50.129.18818 > xxx.xxx.xxx.domain: 60850+ MX? aol.com. (25) (DF)
> 15:58:38.829969 xxx.xxx.xxx.domain > 212.205.50.129.18818: 60850 9/2/16 MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15 (500)
> 15:58:39.367913 212.205.50.129.7526 > xxx.xxx.xxx.domain: 56983+ MX? aol.com. (25) (DF)
> 15:58:39.370303 xxx.xxx.xxx.domain > 212.205.50.129.7526: 56983 9/2/16 MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15 (500)
> 15:58:40.419209 212.205.50.129.4028 > xxx.xxx.xxx.domain: 47022+ MX? aol.com. (25) (DF)
> 15:58:40.420800 212.205.50.129.1875 > xxx.xxx.xxx.domain: 2307+ MX? aol.com. (25) (DF)
> 15:58:40.421774 xxx.xxx.xxx.domain > 212.205.50.129.4028: 47022 9/2/16 MX yh.mx.aol.com. 15, MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15 (500)
> 15:58:40.423991 xxx.xxx.xxx.domain > 212.205.50.129.1875: 2307 9/2/16 MX za.mx.aol.com. 15, MX zb.mx.aol.com. 15, MX zc.mx.aol.com. 15, MX zd.mx.aol.com. 15, MX yb.mx.aol.com. 15, MX yc.mx.aol.com. 15, MX yd.mx.aol.com. 15, MX yg.mx.aol.com. 15, MX yh.mx.aol.com. 15 (500)
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10001290933320.25220-100000>