Gentoo Forums
huge amount of outgoing connections on bind/named/53 port
ryszardzonk
Apprentice
Joined: 18 Dec 2003
Posts: 225
Location: Rzeszów, POLAND

Posted: Tue Sep 08, 2015 10:55 am    Post subject: huge amount of outgoing connections on bind/named/53 port

I recently installed Peerguardian/pglinux as an extension to my firewall and it blocks all kinds of traffic which I previously did not realize could go through my server. As for my setup, my machine serves as a local home server for my personal use. Among others I do have DHCP, BIND, NTP, TOR, MLDONKEY installed which might be related to the issue.

Now none of the below connections is something I expect from any of those apps, because of their config setup, but still mentioning them might be important. Such connections happen on a very irregular basis, but when they do there are 100s of them.

Quote:

Sep 8 12:16:38 OUT: 192.168.10.xxx:25664 192.203.230.10:53 UDP || National Aeronautics and Space Administration
Sep 8 12:16:38 OUT: 192.168.10.xxx:29817 192.112.36.4:53 UDP || DISA | Government Systems, Inc
Sep 8 12:16:38 OUT: 192.168.10.xxx:59534 128.63.2.53:53 UDP || U.S. Army Research Laboratory


Now the question is how to check where and why they are coming from. Could it be that my server or one of the machines has been hacked, caught some kind of trojan/virus or anything like that?
_________________
Sky is not the limit...
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42596
Location: 56N 3W

Posted: Tue Sep 08, 2015 12:33 pm    Post subject:

ryszardzonk,

It looks like you are running a public nameserver.

Code:
$ grep 53 /etc/services
domain      53/tcp            # Domain Name Server
domain      53/udp


There is no need to hide 192.168.10.xxx as 192.168.0.0/16 is designated for private use and not routable over the internet.
Addresses in the 192.168.0.0/16 will be dropped by your ISP and if you send them a lot of packets with that IP in them, they may ask you to sort it out.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
ryszardzonk
Apprentice
Joined: 18 Dec 2003
Posts: 225
Location: Rzeszów, POLAND

Posted: Tue Sep 08, 2015 1:05 pm    Post subject:

Quote:
There is no need to hide 192.168.10.xxx as 192.168.0.0/16 is designated for private use and not routable over the internet.
I know that ;) Just the habit

The thing is I am not running a public name server. At least not through BIND.

/etc/bind/named.conf
acl "trusted" {
192.168.10.0/24;
127.0.0.0/8;
::1/128;
};
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; 192.168.10.1/24; };

forwarders {
62.133.xxx.xxx; // local ISP
62.133.xxx.xxx; // local ISP
};


Maybe TOR is doing it but I am not sure how that could be as I am forbidding any other traffic than
/etc/tor/torrc
ExitPolicy accept *:80
ExitPolicy accept *:8074
ExitPolicy accept *:6666-6667,reject *:*
ExitPolicy reject *:*

EDIT
Code:
12:16:39 OUT: 192.168.102.xxx:22020  192.112.36.4:53
That peer guardian log means traffic like that tries to go out from my machine to the Internet, but has been stopped by peerguardian. It would go out otherwise as 192.168.102.xxx is just a representation of my external network card through which traffic is forwarded to the ISP router on my end.
_________________
Sky is not the limit...
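
One way to check where blocked queries like those in the first post are headed, as an added example that is not part of the original thread: it parses log lines in the quoted format and tags destinations that are DNS root servers, which a recursive resolver queries directly when it resolves names itself rather than through its forwarders. The root-server address table reflects the root hints around the time of the thread and is an assumption to verify against your own hints file; `classify`, `ROOT_SERVERS` and the fourth sample line are constructed for the example.

```python
import re
from collections import Counter

# IPv4 addresses of the DNS root servers as published in the root hints
# around the time of the thread (assumption: compare against your own
# root hints file, since these addresses change over time).
ROOT_SERVERS = {
    "198.41.0.4": "a", "192.228.79.201": "b", "192.33.4.12": "c",
    "199.7.91.13": "d", "192.203.230.10": "e", "192.5.5.241": "f",
    "192.112.36.4": "g", "128.63.2.53": "h", "192.36.148.17": "i",
    "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# Line layout taken from the log excerpt quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<dir>IN|OUT):\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+\|\|\s*(?P<label>.*)$"
)

def classify(lines):
    """Count blocked outbound DNS queries per destination, tagging root servers."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "OUT" or m["dport"] != "53":
            continue  # not an outbound DNS query in the expected format
        letter = ROOT_SERVERS.get(m["dst"])
        kind = f"{letter}.root-servers.net" if letter else "other"
        hits[(m["dst"], m["proto"], kind)] += 1
    return hits

# Sample input: the three lines quoted in the first post, plus one constructed
# non-DNS line (198.51.100.7 is a documentation address) that must be ignored.
SAMPLE = """\
Sep 8 12:16:38 OUT: 192.168.10.xxx:25664 192.203.230.10:53 UDP || National Aeronautics and Space Administration
Sep 8 12:16:38 OUT: 192.168.10.xxx:29817 192.112.36.4:53 UDP || DISA | Government Systems, Inc
Sep 8 12:16:38 OUT: 192.168.10.xxx:59534 128.63.2.53:53 UDP || U.S. Army Research Laboratory
Sep 8 12:16:40 OUT: 192.168.10.xxx:40000 198.51.100.7:6881 UDP || Constructed example range
""".splitlines()

if __name__ == "__main__":
    for (dst, proto, kind), n in sorted(classify(SAMPLE).items()):
        print(f"{n:4d}  {dst:<16} {proto}  {kind}")
```

Destinations tagged "other" are the ones worth tracing back to the process that owns the source port.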