
Netscreen FW product bug, perhaps? (was RE: unsolicited spam packets from DNS servers?)


linda w

Feb 25, 2003, 1:12:32 AM

> From: ma...@isc.org [mailto:ma...@isc.org] On Behalf Of
> You are making queries but not allowing the replies back.
> Look at your logs. All the allowed traffic is outgoing.
---
Yeah, that's what I thought at first too. But then
someone kicked me and said "well, if that's true, how are
you getting any name resolution whatsoever?" A bit
more "digging"... The "R:xxxx" in the "->" lines is "received
bytes", "S:xxx" is "sent bytes". So even though there is
a "->", that simply means it was 'initiated' from within;
the 'response' is counted as part of the 'initiated' query.


> All the blocked traffic is incoming. The blocked traffic
> is heading to the port the allowed traffic comes from.
----
I'm not allowing "unsolicited" responses to be coming
back. There are responses back in the "->" lines.


>
> You are blocking replies and pounding the root servers
> with queries that you are ignoring.
...

Looking at the 'pounding' sections, I see some amount of
'pounding', followed by a successful "session":

(1) 99 HostA:34118 |< g.gtld-servers.net :53
" x5
(2) 99 HostA:34118 |< buchu.arin.net :53
" x4
(3) 99 HostA:34118 |< a3.NSTLD.COM :53
" x7
(4),3 6 HostA:34118 -> j.gtld-servers.net :53 ;R: 226; S: 82
(5),5 6 HostA:34118 -> g.gtld-servers.net :53 ;R: 247; S: 552
(6),3 6 HostA:34118 -> a3.NSTLD.COM :53 ;R: 445; S: 784
(7),3 6 HostA:34118 -> ns-ext.vix.com :53 ;R: 231; S: 88
(8),3 6 HostA:34118 -> buchu.arin.net :53 ;R: 329; S: 488
^-duration in seconds
---
This is just weird. The FW box in question is a "Netscreen
5xp". But (I need to fix log so seconds get recorded)
I can see several replies from the servers come in before
one that the netscreen box considers "matching", and then it
"closes" the "request-session" and logs it as successful. For
brevity, I abbreviated multiple rejects with the number of lines
deleted (" x5 = repeated 5 times).

This is crappy. I'll try to see if I can get anything out
of the Netscreen support people, but they haven't been able to
explain why their log formats differ in email vs. syslog vs.
their documentation yet, so dunno about why it would be
dropping traffic. Weird.

-linda


Mark_A...@isc.org

Feb 25, 2003, 1:32:32 AM

I suspect that it is just doing DNS query id matching
and blocking all replies after the first one. BIND 8
will use the same ID when talking to multiple servers.

Your firewall is blocking legitimate replies.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org
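To make Mark's hypothesis concrete, here is an added simulation (not code from the thread or from Netscreen) that compares a firewall keying UDP sessions on the full address/port tuple against one keying them on the DNS query ID alone and closing the session on the first reply. The host address, port 34118, the server names and the query ID are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Constructed example: two session-tracking policies for outbound UDP DNS.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def build_dns(qid: int, is_response: bool) -> bytes:
    """Minimal 12-byte DNS header: ID, flags, QD/AN/NS/AR counts."""
    flags = 0x8180 if is_response else 0x0100
    return struct.pack("!HHHHHH", qid, flags, 1, 1 if is_response else 0, 0, 0)

def query_id(payload: bytes) -> int:
    return struct.unpack("!H", payload[:2])[0]

class FiveTupleFirewall:
    """Keys each session on (src, sport, dst, dport): one entry per server."""
    def __init__(self): self.sessions = set()
    def outbound(self, p): self.sessions.add((p.src, p.sport, p.dst, p.dport))
    def inbound(self, p): return (p.dst, p.dport, p.src, p.sport) in self.sessions

class QueryIdFirewall:
    """Keys the session on the DNS query ID only and closes it on first reply.
    With a resolver that reuses one ID across several servers (as BIND 8
    does), every reply after the first is dropped as 'unsolicited'."""
    def __init__(self): self.open = {}
    def outbound(self, p): self.open[query_id(p.payload)] = (p.src, p.sport)
    def inbound(self, p):
        qid = query_id(p.payload)
        if self.open.get(qid) == (p.dst, p.dport):
            del self.open[qid]          # session "closed" after first match
            return True
        return False

def simulate(fw, servers, qid=0x1234, host=("10.0.0.5", 34118)):
    """Send one query (same ID) to each server, then deliver each server's
    reply; return which replies the firewall admits."""
    for s in servers:
        fw.outbound(Packet(host[0], host[1], s, 53, build_dns(qid, False)))
    return {s: fw.inbound(Packet(s, 53, host[0], host[1], build_dns(qid, True)))
            for s in servers}
```

In the log above, a run of blocked "|<" replies followed by one accepted "->" session per source port is exactly the pattern the second policy produces.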

Simon Waters

Feb 25, 2003, 11:06:36 AM

Mark_A...@isc.org wrote:
>
> I suspect that it is just doing DNS query id matching
> and blocking all replies after the first one. BIND 8
> will use the same ID when talking to multiple servers.

The firewall gurus' list:

http://lists.insecure.org/lists/firewall-wizards/2003/Feb/0025.html

David Klein appears to be working for Netscreen, but in this
case I think he is responding from documentation or experience,
as he isn't (and doesn't claim to be) their DNS guru.

Still it is probably enough of a pointer if the commands are
applicable to the 5XP.

Otherwise maybe kick Netscreen for help, if you can pin it down
to Netscreen (assuming the DNS server is well patched it might
be plausible to tell the Netscreen to try just passing the
packets rather than trying to be clever for a while and see if
that points to the netscreen).


Thomas Schulz

Feb 25, 2003, 4:00:51 PM
In article <b3f2m0$30cu$1...@isrv4.isc.org>, <Mark_A...@isc.org> wrote:
>
------------------ cut --------------------------

>> This is just weird. The FW box in question is a "Netscreen
>> 5xp". But (I need to fix log so seconds get recorded)
>> I can see several replies from the servers come in before
>> one that the netscreen box considers "matching", and then it
>> "closes" the "request-session" and logs it as successful. For
>> brevity, I abbreviated multiple rejects with the number of lines
>> deleted (" x5 = repeated 5 times).
>>
>> This is crappy. I'll try to see if I can get anything out
>> of the Netscreen support people, but they haven't been able to
>> explain why their log formats differ in email vs. syslog vs.
>> their documentation yet, so dunno about why it would be
>> dropping traffic. Weird.
>>
>> -linda
>
> I suspect that it is just doing DNS query id matching
> and blocking all replies after the first one. BIND 8
> will use the same ID when talking to multiple servers.
>
> Your firewall is blocking legitimate replies.
>
> Mark

Would BIND 9 fix this problem?

>--
>Mark Andrews, Internet Software Consortium
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: Mark.A...@isc.org
>


--
Tom Schulz
sch...@adi.com
