
Re: [opensuse-security] A curious firewall message I don't understand.



- you say: Then the funny thing is why is the firewall blocking that "answer" :-? - me: no, the router is not blocking the answer, it returns an answer to your query [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ], saying "I can't talk to the DNS SERVER", (128.9.0.107) not reachable

- you say: Perhaps I should open the firewall to port 53, which currently is not, as I don't serve dns queries

- me: one question - why did you install the bind package? Why do you need it?
It is only needed when you want a DNS server, but that isn't a common use for a normal/common user; in most cases you don't need it to navigate the Internet. A DNS server's IP in resolv.conf is enough for that purpose, and then only bind-utils-9.3.2-56.3 (Utilities to query and test DNS) and bind-libs-9.3.2-56.3 (Shared libraries of BIND) are needed.

You only need to open port 53 when you want to serve DNS to others (LAN, WAN, Internet, etc.).

- you say: No... the packet itself is not going to port 53, it is ICMP protocol. Then why is it blocked? - me: that log is not for a blocked outgoing packet; it is information about a blocked packet that is an answer. As I explained, iptables blocked an ICMP packet because you didn't query for that: you sent a UDP query asking for a DNS resolution and you wait for a UDP answer, not an ICMP one.


Chejov Suzdal
www.hacktimes.com
www.qualias.net
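The distinction drawn above (an ICMP error carrying the header of the original UDP query, versus a DNS reply on port 53) is easy to verify mechanically. The following is an added example, not code from the thread or from SuSEfirewall2: it parses a netfilter log line of the shape quoted in the thread, pulls out the embedded original header from the bracketed part, and names what the router is actually saying. The full sample line is constructed (the log prefix, interface and MAC address are placeholders); the SRC/DST/PROTO/TYPE/CODE fields and the bracketed header are the values quoted in the thread. Code names follow the RFC 792 table for type 3, where code 0 is network unreachable and code 1 host unreachable.

```python
import re

# Destination-unreachable (ICMP type 3) codes from RFC 792; not exhaustive.
ICMP_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF set",
    5: "Source Route Failed",
}

# Constructed sample in netfilter's log format. Prefix, interface and MAC are
# placeholders; the addresses, ICMP type/code and the bracketed original header
# are the values quoted in the thread.
SAMPLE_LINE = (
    "Jan 17 22:10:01 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=64 ID=0 "
    "PROTO=ICMP TYPE=3 CODE=0 "
    "[SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ]"
)

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Split a netfilter log line into its outer KEY=VALUE fields and, for ICMP
    errors, the fields of the embedded original packet header (inside [...])."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner_text = m.group(1)
        inner = dict(KV_RE.findall(inner_text))
        inner["DF"] = " DF " in f" {inner_text} "  # bare flag, no '=' after it
        line = line[:m.start()] + line[m.end():]
    outer = dict(KV_RE.findall(line))
    return outer, inner


def classify(line):
    """Describe what the dropped packet really was."""
    outer, inner = parse_netfilter_line(line)
    info = {"reporter": outer.get("SRC"), "target": outer.get("DST"),
            "proto": outer.get("PROTO")}
    if outer.get("PROTO") != "ICMP":
        info["kind"] = "packet"
        return info
    icmp_type, code = int(outer["TYPE"]), int(outer["CODE"])
    info.update(icmp_type=icmp_type, icmp_code=code)
    if icmp_type != 3 or inner is None:
        info["kind"] = "icmp"
        return info
    # Type 3 with an embedded header: the reporter says a packet WE sent
    # earlier could not be delivered. This is not a DNS reply.
    info["kind"] = "icmp_error"
    info["reason"] = ICMP_UNREACH_CODES.get(code, f"code {code}")
    orig = {
        "src": inner.get("SRC"), "dst": inner.get("DST"),
        "proto": inner.get("PROTO"),
        "sport": int(inner["SPT"]) if "SPT" in inner else None,
        "dport": int(inner["DPT"]) if "DPT" in inner else None,
    }
    info["original"] = orig
    info["is_dns_query"] = orig["proto"] == "UDP" and orig["dport"] == 53
    info["summary"] = (
        f"{info['reporter']} says '{info['reason']}' for our {orig['proto']} "
        f"packet {orig['src']}:{orig['sport']} -> {orig['dst']}:{orig['dport']}"
    )
    return info


if __name__ == "__main__":
    print(classify(SAMPLE_LINE)["summary"])
```

On a stateful iptables setup, an ICMP error whose embedded header matches a tracked outbound UDP flow is classified as RELATED by connection tracking; seeing it dropped means either that flow was no longer in the conntrack table or that no rule accepts RELATED ICMP, and in both cases opening port 53 would change nothing.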


Carlos E. R. wrote:


The Thursday 2008-01-17 at 22:24 +0100, agr.suzdal wrote:

> I think that something on your computer is going down.

> first:
> 128.9.0.107 = ns1.isi.edu

Yes.


> and it's a root name server of DNS as you can see at http://en.wikipedia.org/wiki/Root_nameserver

I guessed so, but didn't know how to make sure.


> ;  formerly NS1.ISI.EDU
> ; .                        3600000      NS    B.ROOT-SERVERS.NET.
> B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107

> second:
> icmp type 3 code 0 = Host Unreachable

Ah!


> third:
> as you can see at logs, your ROUTER (SRC=192.168.1.1) is sending a packet to you (DST=192.168.1.12)

Right, so far I knew :-)

> answering "with" Host Unreachable (PROTO=ICMP TYPE=3 CODE=0)

And that I did not know.

> that a packet DNS from YOU (SRC) [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ] can't reach destination.

Ah... ok.

Then the funny thing is why is the firewall blocking that "answer" :-?

Perhaps I should open the firewall to port 53, which currently is not, as I don't serve dns queries :-? No... the packet itself is not going to port 53, it is icmp protocol.

Then why is it blocked?


> my recommendation, verify your set of DNS at /etc/resolv.conf, and if it's right, then something is bad on your computer.


I think there must be something fishy in the hints file, which is the one that suse supplies:

 nimrodel:/var/lib/named # rpm -q -f /var/lib/named/root.hint
 bind-9.4.1.P1-12


But the version is too old:

;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900


Ok, I got the new version from ftp://ftp.internic.net/domain/named.root, and there is no server at "128.9.0.107" (not in the suse version, not in the new version):


; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201


But that's the same data the suse version contains. The only difference is:

nimrodel:/var/lib/named # diff root.hint /home/cer/named.root
12,13c12,13
< ;       last update:    Jan 29, 2004
< ;       related version of root zone:   2004012900
---
> ;       last update:    Nov 01, 2007
> ;       related version of root zone:   2007110100
74c74
< L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
---
> L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42



If there is no longer a root server at NS1.ISI.EDU, why is my machine querying it?




At least, replacing the old hints file solves a problem I saw in the logs:


Jan 9 04:21:39 nimrodel named[4688]: checkhints: L.ROOT-SERVERS.NET/A (199.7.83.42) missing from hints
Jan 9 04:21:39 nimrodel named[4688]: checkhints: L.ROOT-SERVERS.NET/A (198.32.64.12) extra record in hints




But still I see nothing related to that 128.9.0.107. I'll grep for it... bingo! I had an old 'root.cache' with that entry, not belonging to any rpm.

You are right, my whole config is fishy; I think I have it right now.



--
Cheers,
       Carlos E. R.
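The manual checks in the message above (diffing the shipped root.hint against a fresh named.root, and grepping for a stale address such as 128.9.0.107) can be done with a small script. The following is an added example, not code from the thread or from BIND: it parses hints in master format, reports missing and extra glue records in the wording of named's checkhints messages quoted above, and answers the question "which hint name points at this address?". The two hints texts are constructed from only the addresses quoted in the thread (B and L); real hints files list all thirteen root servers.

```python
# Constructed hints in BIND master format. STALE_HINTS stands in for the old
# root.hint/root.cache (B at 128.9.0.107, L at 198.32.64.12); CURRENT_HINTS
# for the freshly fetched named.root (B at 192.228.79.201, L at 199.7.83.42).
STALE_HINTS = """\
;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
; formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

CURRENT_HINTS = """\
;       last update:    Nov 01, 2007
;       related version of root zone:   2007110100
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
"""


def _norm(name):
    """Normalise an owner name the way checkhints prints it (no trailing dot)."""
    return "." if name == "." else name.rstrip(".").upper()


def parse_hints(text):
    """Return ({zone: set(ns_names)}, {name: set((rtype, rdata))}).
    Comments start with ';'; every record line is NAME TTL TYPE RDATA."""
    ns, glue = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected hints line: {raw!r}")
        name, _ttl, rtype, rdata = fields
        name, rtype = _norm(name), rtype.upper()
        if rtype == "NS":
            ns.setdefault(name, set()).add(_norm(rdata))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(name, set()).add((rtype, rdata.lower()))
    return ns, glue


def check_hints(local_text, reference_text):
    """Compare a local hints file with a fresh reference copy; findings are
    worded like named's checkhints log messages."""
    local_ns, local_glue = parse_hints(local_text)
    ref_ns, ref_glue = parse_hints(reference_text)
    findings = []
    for server in sorted(ref_ns.get(".", set()) - local_ns.get(".", set())):
        findings.append(f"{server} missing from hints NS set")
    for server in sorted(local_ns.get(".", set()) - ref_ns.get(".", set())):
        findings.append(f"{server} extra NS in hints")
    for name in sorted(set(local_glue) | set(ref_glue)):
        have, want = local_glue.get(name, set()), ref_glue.get(name, set())
        for rtype, addr in sorted(want - have):
            findings.append(f"{name}/{rtype} ({addr}) missing from hints")
        for rtype, addr in sorted(have - want):
            findings.append(f"{name}/{rtype} ({addr}) extra record in hints")
    return findings


def find_address(text, addr):
    """Names in the hints that point at addr (the grep the thread ends with)."""
    _ns, glue = parse_hints(text)
    return sorted(n for n, recs in glue.items() if any(a == addr for _, a in recs))


if __name__ == "__main__":
    for finding in check_hints(STALE_HINTS, CURRENT_HINTS):
        print("checkhints:", finding)
    print("128.9.0.107 referenced by:", find_address(STALE_HINTS, "128.9.0.107"))
```

Run it against the real files (read root.hint and the downloaded named.root instead of the constructed strings); an empty findings list means the hints match the reference, and a non-empty result for find_address on a stray file such as an old root.cache shows exactly which name still carries the obsolete address.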

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

