Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 02 Feb 2000 00:48:14 -0800
From:      Joe Bo <ibjoe@home.com>
To:        freebsd-questions@FreeBSD.ORG
Cc:        ibjoe@home.com
Subject:   why are they hitting my DNS?
Message-ID:  <4.2.0.58.20000202000447.009ac280@mail>
next in thread | raw e-mail | index | archive | help 

Hi,

I have a fairly typical (?) setup with a FreeBSD v3.2 server being the 
gateway and firewall of a private net of Windows PCs, using natd, two 
network cards, one public ip and a private ip network. I just say ip 
instead of ip address, but you know.. ;-)

in /etc/namedb/named.conf I have:
         forwarders {
                 <upstream_DNS_1_ip>; <upstream_DNS_2_ip>;
         };
everything else is pretty much commented out

in /etc/namedb/localhost.rev is
@       IN      SOA     <my_host_name>. root.<my_host_name>.  (
                                 19990924        ; Serial
                                 3600    ; Refresh
                                 900     ; Retry
                                 3600000 ; Expire
                                 3600 )  ; Minimum
         IN      NS      <my_host_name>.
1       IN      PTR     localhost.<my_host_name>.
(this was an autogenerated file).

/etc/resolv.conf has
    nameserver      127.0.0.1

/etc/rc. has
   named_enable="YES"  # Run named, the DNS server (or NO).

and ipfw shows

allow udp from <upstream_DNS_1_ip> 53 to <my_host_public_ip>
allow udp from <upstream_DNS_2_ip> 53 to <my_host_public_ip>
allow udp from <my_host_public_ip> to any 53
allow udp from any to <my_host_private_ip> 53 in recv ed0
allow udp from <my_host_private_ip> 53 to any out xmit ed0
where ed0 is my private net ethernet card
and <my_host_private_ip> is the ip associated with that card.
All the PCs only know <my_host_private_ip>, they don't know or use the 
<my_host_public_ip> or <upstream_DNS_ip>. Anything not specifically allowed 
is denied.

Anyway, all this works really well. Except, I log all failed accesses and 
every once in a while I get an awful lot of hits on my public ip port 53. 
They seem to come in batches every 10 minutes or so, with lots of different 
ip s. This doesn't happen every day, just on occasion. I would like to 
know, is this some kind of probe, or is it possible that I am inviting this 
access because I don't have my DNS set up correctly and I'm advertising or 
something?

Thank you to anyone who can provide any insight,

Joe


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.20000202000447.009ac280>