
Re: Firewall Entries

Susan Dietz
Occasional Advisor

Firewall Entries

Can anyone help me with these log entries from our PIX firewall log? These entries look strange to me. Adminhp is our DNS server running HP-UX 10.20
-----------------------------------------
UDP out 216.73.87.242:58634 in adminhp:58634 idle 0:00:00 flags D
UDP out 63.218.7.158:58633 in adminhp:58633 idle 0:00:00 flags D
UDP out 68.23.120.202:58922 in adminhp:58922 idle 0:00:42 flags D
UDP out 65.54.248.222:58835 in adminhp:58835 idle 0:02:29 flags D
UDP out 65.54.248.222:58834 in adminhp:58834 idle 0:02:29 flags D
UDP out 68.23.120.201:58922 in adminhp:58922 idle 0:00:27 flags D

UDP out 209.173.60.65:58849 in adminhp:58849 idle 0:02:19 flags D
UDP out 209.173.60.65:58847 in adminhp:58847 idle 0:02:20 flags D
UDP out 209.173.60.65:58843 in adminhp:58843 idle 0:02:21 flags D
UDP out 64.74.96.225:58988 in adminhp:58988 idle 0:00:46 flags D

Thanks....Susan
Mark Cooper
Occasional Advisor

Re: Firewall Entries

Hi Susan,

I am NOT a CISCO expert!

To start with, the entries do not look like normal PIX syslog messages, unless you have omitted the "%PIX..." string at the start of each syslog entry.

The entries do not seem suspicious to me. They look to be similar to the output from a "show conn" request. Using the information found on CISCO's website at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026157 we see that your output matches the following format:

The show conn detail command displays the following information:

{UDP | TCP} outside_ifc:real_addr/real-port [(map_addr/port)] inside_ifc:real_addr/real_port [(map-addr/port)] flags flags

The "D" following the "flags" token indicates that it is a DNS request, and so the destination port field instead shows the DNS session ID.

Of course, you might get a better answer from a CISCO support forum :)

Good luck,

Mark
Susan Dietz
Occasional Advisor

Re: Firewall Entries

Thank you for your very astute reply. Yes, this is a show conn from the PIX and these entries have certainly been shortened for the sake of this forum.
What I meant to ask is why does the UDP port constantly change and why is it not happening on port 53?

I have the adminhp host as our main DNS server and it is only allowed out the firewall on udp 53. What I sent was just a couple of entries from the show conn. What I don't understand is that these outgoing udp connection ports start at the bottom port range (around 10) and continue all day long edging up to the top at 65535 and then start at the bottom again and cycle. I understand there are no ports past 65535. I don't know if this is normal behavior.
Would I be better off having my DNS server just going to my ISP's DNS and not out to the root servers as it is set up now?
I think it would be more secure to just have it hit my ISP's DNS server but this is the way HP helped us set the DNS up about 7 years ago because they said it would be faster if it went out to the root servers.

Any suggestions?

Mark Cooper
Occasional Advisor

Re: Firewall Entries

Besides not being a CISCO expert, I am not a DNS expert either :)

The UDP port number shown in the "show conn" output is not actually the UDP port. It is the DNS transaction ID.

The DNS ID is the first 16-bit quantity at the start of the UDP payload, and so has a min-max range of 0-65535. It is set by the client, and so your DNS server is probably simply incrementing its request ID each time it sends a DNS request. Please refer to the documentation specific to your software.

To reassure yourself that your DNS server is only communicating on UDP port 53, use a packet sniffer to examine the network traffic. This can be done on the PIX itself, but it's not the best method.

I'm not sure that pointing your DNS server towards your ISP's DNS servers would have any significant effect on the security of the transaction. There is possibly an infinitesimally small security improvement, by way of obscurity, if it will perform the recursion for you. Even then, the security improvement covers only a couple of *extremely* unlikely risk scenarios.

A performance impact is more likely, but I can't say for certain if it would be better or worse. I'd argue for better, as their DNS server's cache might just be bigger than yours ;)
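As an added example (not code from this thread, from Cisco or from HP), the following Python parses show conn lines in the format Susan posted, applying Mark's reading that for flag D the port field carries the DNS transaction ID rather than a UDP port, and shows where that 16-bit ID sits in a DNS message (offset 0 of the UDP payload, per the RFC 1035 header). The sample lines and the minimal query builder are constructed here for the demonstration.

```python
import re
import struct

# Constructed sample lines in the PIX "show conn" style quoted in the thread.
# The last line is a non-DNS UDP entry, added to show how flags are handled.
SAMPLE_CONN = """\
UDP out 216.73.87.242:58634 in adminhp:58634 idle 0:00:00 flags D
UDP out 63.218.7.158:58633 in adminhp:58633 idle 0:00:00 flags D
UDP out 209.173.60.65:58849 in adminhp:58849 idle 0:02:19 flags D
UDP out 10.0.0.5:53 in adminhp:32801 idle 0:00:03 flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>UDP|TCP) out (?P<out_host>[^:]+):(?P<out_port>\d+) "
    r"in (?P<in_host>[^:]+):(?P<in_port>\d+) idle (?P<idle>\S+) flags (?P<flags>\S+)$"
)


def parse_conn(text):
    """Parse show conn lines; for flag D, treat the port field as the DNS ID."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip anything that is not a conn-table entry
        row = m.groupdict()
        row["is_dns"] = "D" in row["flags"]
        row["dns_id"] = int(row["out_port"]) if row["is_dns"] else None
        rows.append(row)
    return rows


def dns_transaction_id(udp_payload):
    """Return the 16-bit ID at offset 0 of a DNS message (network byte order)."""
    (txid,) = struct.unpack("!H", udp_payload[:2])
    return txid


def build_query(txid, name):
    """Construct a minimal DNS A/IN query for `name` carrying the given ID."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_ids_in_order(rows):
    """List the DNS IDs as they appear, to eyeball the incrementing pattern."""
    return [r["dns_id"] for r in rows if r["is_dns"]]
```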
Steven Sim Kok Leong
Honored Contributor

Re: Firewall Entries

Hi,

This is indeed NOT normal, because DNS communications, in one way or another, be it from client to DNS or between DNSes, use either a source or destination port of 53, or both.

All client to DNS server queries use a source port of >1023 and a destination port of 53. Replies are from the DNS server's port 53 to the client port of >1023.

Also, for queries/replies between DNS servers, BIND versions 8.X.X and above use a source udp port of >1023 and a destination port of 53, whereas BIND versions 4.X.X use a source udp port of 53 and a destination port of 53.

For zone transfers, BIND versions 8.X.X and above use a source tcp port of >1023 and a destination port of 53, whereas BIND versions 4.X.X use a source tcp port of 53 and a destination port of 53.

Try to get more details from the logs. If need be, perform a packet sniff. This could be caused either by a misconfiguration or an intentional port probe/scan.

Hope this helps. Regards.

Steven Sim Kok Leong