AW: AW: [suse-security] dns hijack attack
Hi Boris,

Thanks for your answer. I read it with pleasure.
Eerm... 212.114.64.130 is our permanent line to the internet, which is provided by OSN, Online Service Nuernberg. Your ipchains log entries show that, from our permanent line, a DNS lookup has been initiated but could not be completed due to your packet screening configuration.
Which is ok the way it is. That means I won't change it.
The time of these log entries, 18:47 (CET I suppose), is very interesting. At this time the newly arrived suse-security postings were polled by our internal mail server. Your domain belfin.ch was looked up, and this lookup led to the ipchains log entries you mentioned.
Don't worry because of the time. This box is not yet NTP-synchronised; I've got a time error.
The log entries have been created because our internal name server (which connects to the internet via 212.114.64.130) tried to do a lookup with a source port below 1024, and I think you have an ipchains rule like this:
ipchains -A input -i eth1 -p udp -s 0.0.0.0/0.0.0.0 1024:65535 -d your.dns.ip.address 53 -j ACCEPT
Ok. That's right.
If so, the log entries have been caused due to your restriction of the source ports.
exactly.
Our internal name server used
and still uses
ports below 1024 and therefore got rejected.
I am very sorry if these events worried you, but I assure you that there's no black hat behind it; it's just some kind of "misunderstanding" between our internal and your external BIND...! :-)
Happy to hear that.
If you still feel uncomfortable I can provide you with some log files to show you the whole story.
I'd like to. Just for learning purposes.
Again, we in Landwehr & Partner do apologise for this inconvenience.
No Problem. Philipp
Philipp Snizek
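The filtering behaviour the two of them are describing, as an added example that is not code from the original thread or from either party's firewall. It re-implements the matching logic of an ipchains rule of the form `-i eth1 -p udp -s 0.0.0.0/0 1024:65535 -d <dns-ip> 53 -j ACCEPT` in plain Python, so the effect on a query sent from a privileged source port can be checked offline. The DNS server address (a TEST-NET-1 address), the packets and the relaxed second rule set are all constructed for this example; the real thread only quotes the strict rule.

```python
"""Model of the ipchains source-port restriction discussed in the thread.

Added example, not code from the mailing-list post. First matching rule
wins, as in ipchains, and an unmatched packet falls through to the chain
policy. Everything below (addresses, packets, the relaxed variant) is
constructed for illustration.
"""
from dataclasses import dataclass

DNS_IP = "192.0.2.53"          # assumed address of Boris's external DNS (TEST-NET-1)
CLIENT_IP = "212.114.64.130"   # the permanent line named in the thread


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ipchains rule: interface, protocol, destination, source-port range."""
    iface: str
    proto: str
    dst: str
    dport: int
    sport_lo: int
    sport_hi: int
    target: str

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.iface == self.iface
            and pkt.proto == self.proto
            and pkt.dst == self.dst
            and pkt.dport == self.dport
            and self.sport_lo <= pkt.sport <= self.sport_hi
        )


def evaluate(chain: list[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """Walk the chain; first match decides, otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The rule quoted in the thread: only unprivileged source ports may query UDP/53.
STRICT = [Rule("eth1", "udp", DNS_IP, 53, 1024, 65535, "ACCEPT")]

# Constructed relaxed variant: still UDP/53 only, but any non-zero source port.
# This is what would let a resolver that sends from port 53 through.
RELAXED = [Rule("eth1", "udp", DNS_IP, 53, 1, 65535, "ACCEPT")]

# Constructed traffic: the query that caused the log entries (source port 53),
# the same query from an unprivileged port, and an unrelated UDP packet.
SAMPLE = [
    Packet("eth1", "udp", CLIENT_IP, 53, DNS_IP, 53),
    Packet("eth1", "udp", CLIENT_IP, 1025, DNS_IP, 53),
    Packet("eth1", "udp", CLIENT_IP, 1025, DNS_IP, 123),
]


def classify(chain: list[Rule], packets: list[Packet]) -> dict[tuple[int, int], str]:
    """Map (sport, dport) of each packet to the verdict under the given chain."""
    return {(p.sport, p.dport): evaluate(chain, p) for p in packets}


if __name__ == "__main__":
    for name, chain in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, classify(chain, SAMPLE))
```

Under the strict chain the query from source port 53 is denied and logged while the one from port 1025 is accepted, which is exactly the "misunderstanding" in the thread. The alternative to relaxing the rule is to make the querying server use unprivileged ports; in BIND that is the `query-source address * port *;` option in the `options` block, which this example assumes as the fix rather than anything the thread says was changed.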