On Thursday 2008-01-17 at 22:24 +0100, agr.suzdal wrote:
> I think that something on your computer is going down.
> first:
> 128.9.0.107 = ns1.isi.edu
Yes.
> and it's a root name server of DNS as you can see at
> http://en.wikipedia.org/wiki/Root_nameserver
I guessed so, but didn't know how to make sure.
> ; formerly NS1.ISI.EDU
> ; . 3600000 NS B.ROOT-SERVERS.NET.
> B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
> second:
> icmp type 3 code 0 = Host Unreachable
Ah!
> third:
> as you can see in the logs, your ROUTER (SRC=192.168.1.1) is sending a
> packet to you (DST=192.168.1.12)
Right, so far I knew :-)
> answering "with" Host Unreachable (PROTO=ICMP TYPE=3 CODE=0)
And that I did not know.
> that a packet DNS from YOU (SRC) [SRC=192.168.1.12 DST=128.9.0.107
> LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529
> DPT=53 LEN=42 ] can't reach destination.
Ah... ok.
Then the funny thing is why is the firewall blocking that "answer" :-?
Perhaps I should open the firewall to port 53, which currently is
not, as I don't serve dns queries :-? No... the packet itself is not
going to port 53, it is icmp protocol.
Then why is it blocked?
> my recommendation: verify your set of DNS at /etc/resolv.conf, and
> if it's right, then something is bad on your computer.
I think there must be something fishy in the hints file, which is the
one that suse supplies:
nimrodel:/var/lib/named # rpm -q -f /var/lib/named/root.hint
bind-9.4.1.P1-12
But the version is too old:
; last update: Jan 29, 2004
; related version of root zone: 2004012900
Ok, I got the new version from
ftp://ftp.internic.net/domain/named.root, and there is no server at
"128.9.0.107" (not in the suse version, not in the new version):
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
But that's the same data the suse version contains. The only
difference is:
nimrodel:/var/lib/named # diff root.hint /home/cer/named.root
12,13c12,13
< ; last update: Jan 29, 2004
< ; related version of root zone: 2004012900
---
> ; last update: Nov 01, 2007
> ; related version of root zone: 2007110100
74c74
< L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
---
> L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
If there is no longer a root server at NS1.ISI.EDU, why is my machine
querying it?
At least, replacing the old hints file solves a problem I saw in the
logs:
Jan 9 04:21:39 nimrodel named[4688]: checkhints:
L.ROOT-SERVERS.NET/A (199.7.83.42) missing from hints
Jan 9 04:21:39 nimrodel named[4688]: checkhints:
L.ROOT-SERVERS.NET/A (198.32.64.12) extra record in hints
But yet, I see nothing related to that 128.9.0.107. I'll grep for it...
bingo! I had an old 'root.cache' with that entry, not belonging to
any rpm.
You are right, my whole config is fishy; I think I have it right now.
-- Cheers,
Carlos E. R.
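
The diagnosis worked through in this message, as an added example that is not part of the original e-mail: pull the unreachable destination out of the bracketed original packet in the firewall log line, then find which hints-style file still lists that address and which records differ from the current named.root. The log line and the file contents are constructed from the values quoted above; the function names, IN=eth0 and the outer LEN are assumptions.

```python
import re
# Constructed sample built from the fields quoted in the thread (IN=, outer LEN assumed).
LOG_LINE = ("IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.12 LEN=90 PROTO=ICMP "
            "TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 "
            "PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ]")
# Constructed file contents holding only the records the thread shows.
FILES = {
    "root.hint": ". 3600000 NS B.ROOT-SERVERS.NET.\n"
                 "B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201\n"
                 "L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12\n",
    "named.root": "B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201\n"
                  "L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42\n",
    "root.cache": "; formerly NS1.ISI.EDU\n"
                  "B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107\n",
}
KV = re.compile(r"(\w+)=(\S*)")

def parse_unreachable(line):
    """Split an ICMP type 3 LOG line into outer header and bracketed original packet."""
    m = re.match(r"(.*?)\[(.*)\]", line)
    if not m:
        return None
    outer, inner = (dict(KV.findall(part)) for part in m.groups())
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return None
    return {"reporter": outer["SRC"], "code": int(outer["CODE"]),
            "target": inner.get("DST"), "dport": int(inner.get("DPT", 0))}

def a_records(text):
    """Return {owner: address} for A records, ignoring ';' comments."""
    recs = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) >= 4 and fields[-2].upper() == "A":
            recs[fields[0].upper()] = fields[-1]
    return recs

def files_listing(files, address):
    """Files that still hand `address` to the resolver, with the owner name."""
    return [(f, o) for f, t in files.items()
            for o, ip in a_records(t).items() if ip == address]

def stale_records(files, reference):
    """Records whose address differs from the reference hints file."""
    ref = a_records(files[reference])
    return [(f, o, ip, ref[o]) for f, t in files.items()
            for o, ip in a_records(t).items() if o in ref and ip != ref[o]]
```

In practice the FILES mapping would be filled by reading every file named in the resolver configuration, including ones no package owns.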