Re: [opensuse-security] A curious firewall message I don't understand.
Is the external address of your host "128.9.0.107"? If so, there is a host somewhere on the Internet that has this IP address configured as their DNS server. Probably a typo.

Wil
------------
Wilson Mattos
Technology Specialist
wmattos@novell.com
949-212-2805
Novell, Inc.
Novell BrainShare 2008 This is Your Open Enterprise Register at http://www.novell.com/brainshare

"Carlos E. R." <robin.listas@telefonica.net> 01/17/08 10:53 AM >>>

Hi,

My setup is:

small adsl ---> router ---lan---> PC with (10.3) firewall
                192.168.1.1      192.168.1.12

I see these repeated messages on my 10.3 system:

Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39491 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2525 DPT=53 LEN=42 ]
Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39492 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2528 DPT=53 LEN=42 ]
Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39493 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ]
Jan 15 14:16:55 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=98 TOS=0x00 PREC=0xC0 TTL=255 ID=39500 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=62240 DF PROTO=UDP SPT=2533 DPT=53 LEN=50 ]
Jan 16 11:19:18 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=20624 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41759 DF PROTO=UDP SPT=2696 DPT=53 LEN=40 ]
Jan 16 14:07:48 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=1746 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44799 DF PROTO=UDP SPT=2737 DPT=53 LEN=40 ]
Jan 17 11:11:12 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=123 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3073 DPT=162 LEN=103
Jan 17 11:11:33 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=34107 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51874 DF PROTO=UDP SPT=2900 DPT=53 LEN=40 ]

They started on Nov 4 (the day after I installed 10.3), and there is a total of 112 entries.

My first idea was that my router (192.168.1.1) was doing a DNS query to my Linux machine (192.168.1.12), which is weird as the router uses a remote DNS server as defined by my ISP. The Linux machine does have a local DNS server as cache and server.

But then I noticed this part:

PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107....

The dest part in brackets is always the same, and it is a DNS server (ns1.isi.edu).

I don't know how to decipher this... what is it all about?

--
Cheers,
Carlos Robinson

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
The Thursday 2008-01-17 at 13:01 -0700, Wilson Mattos wrote:
Is the external address of your host "128.9.0.107"?
Certainly not. My IP is dynamic and never in that range; but that IP is the same in all the messages, since November.
If so, there is a host somewhere on the Internet that has this IP address configured as their DNS server.
Yes, ns1.isi.edu, I said so.
Probably a typo.
By whom?

--
Cheers,
Carlos E. R.
Wilson Mattos wrote:
Is the external address of your host "128.9.0.107"? If so, there is a host somewhere on the Internet that has this IP address configured as their DNS server. Probably a typo.

I think that something on your computer is going down.

First: 128.9.0.107 = ns1.isi.edu, and it's a root name server of DNS, as you can see at http://en.wikipedia.org/wiki/Root_nameserver

; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107

Second: ICMP type 3 code 0 = Host Unreachable

Third: as you can see in the logs, your ROUTER (SRC=192.168.1.1) is sending a packet to you (DST=192.168.1.12) answering "with" Host Unreachable (PROTO=ICMP TYPE=3 CODE=0) that a DNS packet from YOU (SRC) [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ] can't reach its destination.

My recommendation: verify your DNS settings in /etc/resolv.conf, and if they're right, then something is bad on your computer.

Chejov Suzdal
www.hacktimes.com
www.qualias.net
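As an added example (not code from the thread or from SuSEfirewall2), here is a small Python parser for the SFW2-INext-DROP-DEFLT lines quoted above. It does what the decoding in the message above does by hand: it separates the outer packet headers from the bracketed original packet that an ICMP error carries, looks the type-3 code up in the RFC 792 table (in which code 0 is Net Unreachable and code 1 is Host Unreachable), and tallies which destination and port the router keeps reporting as unreachable, so a stale DNS server address shows up at the top. The sample log text is constructed from three lines in the thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: three SFW2 lines copied from the thread (two ICMP errors
# quoting a DNS query, one plain UDP drop with no bracketed inner packet).
SAMPLE_LOG = """\
Jan 15 14:16:52 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=90 TOS=0x00 PREC=0xC0 TTL=255 ID=39491 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2525 DPT=53 LEN=42 ]
Jan 16 11:19:18 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=20624 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.12 DST=128.9.0.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41759 DF PROTO=UDP SPT=2696 DPT=53 LEN=40 ]
Jan 17 11:11:12 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.12 LEN=123 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3073 DPT=162 LEN=103
"""

# ICMP "Destination Unreachable" (type 3) codes as defined in RFC 792.
ICMP_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF set",
    5: "Source Route Failed",
}

# KEY=VALUE tokens; bare flags such as "DF" carry no "=" and are skipped.
TOKEN_RE = re.compile(r"(\w+)=(\S*)")


def parse_sfw2_line(line):
    """Split one SFW2 kernel log line into {'outer': {...}, 'inner': {...}}.

    'outer' holds the headers of the dropped packet itself; 'inner' holds the
    original packet quoted in square brackets when the drop is an ICMP error,
    or None otherwise.  A key that repeats (LEN appears at IP and UDP level
    inside the brackets) keeps its last value."""
    m = re.search(r"SFW2-(\S+)\s+(.*)$", line)
    if not m:
        return None
    chain, rest = m.group(1), m.group(2)
    inner = None
    bracket = re.search(r"\[(.*?)\]", rest)
    if bracket:
        inner = dict(TOKEN_RE.findall(bracket.group(1)))
        rest = rest[:bracket.start()]
    outer = dict(TOKEN_RE.findall(rest))
    outer["CHAIN"] = chain
    return {"outer": outer, "inner": inner}


def describe(parsed):
    """One-line human reading of a parsed entry."""
    o, i = parsed["outer"], parsed["inner"]
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
        meaning = ICMP_UNREACH_CODES.get(int(o["CODE"]), "code " + o["CODE"])
        return "%s reports '%s' for our %s packet %s:%s -> %s:%s" % (
            o["SRC"], meaning, i["PROTO"], i["SRC"], i["SPT"], i["DST"], i["DPT"])
    return "%s -> %s %s dport %s dropped by %s" % (
        o["SRC"], o["DST"], o.get("PROTO"), o.get("DPT", "-"), o["CHAIN"])


def unreachable_targets(log_text):
    """Count ICMP type-3 errors by (destination, port) of the original packet.
    A server that nobody should be querying any more stands out immediately."""
    counts = Counter()
    for line in log_text.splitlines():
        p = parse_sfw2_line(line)
        if p and p["inner"] and p["outer"].get("TYPE") == "3":
            counts[(p["inner"]["DST"], p["inner"]["DPT"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_sfw2_line(line)))
    for (dst, dport), n in unreachable_targets(SAMPLE_LOG).most_common():
        print("%d unreachable reports for %s port %s" % (n, dst, dport))
```

Run against a real /var/log/messages the tally immediately names the address to grep for in the resolver configuration, which is the step that ends this thread.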
It's probably the hints file in your named cache server that has a problem; I'd check the routing and such.

Gary B
The Thursday 2008-01-17 at 22:24 +0100, agr.suzdal wrote:
I think that something on your computer is going down.

First: 128.9.0.107 = ns1.isi.edu
Yes.
and it's a root name server of DNS as you can see at http://en.wikipedia.org/wiki/Root_nameserver
I guessed so, but didn't know how to make sure.
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
Second: ICMP type 3 code 0 = Host Unreachable
Ah!
Third: as you can see in the logs, your ROUTER (SRC=192.168.1.1) is sending a packet to you (DST=192.168.1.12)
Right, so far I knew :-)
answering "with" Host Unreachable (PROTO=ICMP TYPE=3 CODE=0)
And that I did not know.
that a DNS packet from YOU (SRC) [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ] can't reach its destination.
Ah... ok.

Then the funny thing is why the firewall is blocking that "answer" :-?

Perhaps I should open the firewall to port 53, which currently is not, as I don't serve DNS queries :-? No... the packet itself is not going to port 53, it is ICMP protocol.

Then why is it blocked?
My recommendation: verify your DNS settings in /etc/resolv.conf, and if they're right, then something is bad on your computer.
I think there must be something fishy in the hints file, which is the one that SUSE supplies:

nimrodel:/var/lib/named # rpm -q -f /var/lib/named/root.hint
bind-9.4.1.P1-12

But the version is too old:

; last update: Jan 29, 2004
; related version of root zone: 2004012900

Ok, I got the new version from ftp://ftp.internic.net/domain/named.root, and there is no server at "128.9.0.107" (not in the SUSE version, not in the new version):

; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201

But that's the same data the SUSE version contains. The only difference is:

nimrodel:/var/lib/named # diff root.hint /home/cer/named.root
12,13c12,13
< ; last update: Jan 29, 2004
< ; related version of root zone: 2004012900
---
> ; last update: Nov 01, 2007
> ; related version of root zone: 2007110100
74c74
< L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
---
> L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42

If there is no longer a root server at NS1.ISI.EDU, why is my machine querying it?

At least, replacing the old hints file solves a problem I saw in the logs:

Jan 9 04:21:39 nimrodel named[4688]: checkhints: L.ROOT-SERVERS.NET/A (199.7.83.42) missing from hints
Jan 9 04:21:39 nimrodel named[4688]: checkhints: L.ROOT-SERVERS.NET/A (198.32.64.12) extra record in hints

But still, nothing related to that 128.9.0.107. I'll grep for it... bingo! I had an old 'root.cache' with that entry, not belonging to any rpm.

You are right, my whole config is fishy; I think I have it right now.

--
Cheers,
Carlos E. R.
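The diagnosis in the message above comes down to two checks: compare the installed hints against a freshly fetched named.root (which is what named's checkhints messages report at startup) and then search every file the server might load for the stale address. Here is an added Python example that performs both on constructed sample data whose addresses are taken from the thread. It is not code from BIND or from the thread; the parse_hints, check_hints and files_mentioning names and the /var/lib/named/root.cache path are my own assumptions.

```python
# Constructed sample: a stale hints file in named.root format, with the two
# addresses this thread found to be out of date.
OLD_ROOT_CACHE = """\
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

# Constructed sample: the corresponding records from a current named.root.
CURRENT_NAMED_ROOT = """\
;       last update:    Nov 01, 2007
;       related version of root zone:   2007110100
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
"""


def parse_hints(text):
    """Parse a root-hints zone file.

    Returns (a_records, ns_names): a_records maps an owner name (upper-cased,
    trailing dot removed, as named prints it) to its set of IPv4 addresses;
    ns_names is the set of NS targets listed for the root ('.')."""
    a_records, ns_names = {}, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        fields = line.split()
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0], fields[2].upper(), fields[3]
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata.upper())
        elif rtype == "A":
            name = owner.upper().rstrip(".")
            a_records.setdefault(name, set()).add(rdata)
    return a_records, ns_names


def check_hints(installed_text, reference_text):
    """Report, in the wording of named's checkhints messages, every A record
    that the installed hints lack or carry in excess of the reference file,
    plus any root NS name missing altogether."""
    inst_a, inst_ns = parse_hints(installed_text)
    ref_a, ref_ns = parse_hints(reference_text)
    findings = []
    for name in sorted(set(ref_a) | set(inst_a)):
        ref_ips = ref_a.get(name, set())
        inst_ips = inst_a.get(name, set())
        for ip in sorted(ref_ips - inst_ips):
            findings.append("checkhints: %s/A (%s) missing from hints" % (name, ip))
        for ip in sorted(inst_ips - ref_ips):
            findings.append("checkhints: %s/A (%s) extra record in hints" % (name, ip))
    for ns in sorted(ref_ns - inst_ns):
        findings.append("checkhints: %s/NS missing from hints" % ns.rstrip("."))
    return findings


def files_mentioning(ip, files):
    """Given {path: contents}, return the paths that mention ip: the
    equivalent of the grep that turned up the stray root.cache."""
    return sorted(path for path, text in files.items() if ip in text)


if __name__ == "__main__":
    # Assumed file locations; root.hint is the path from the thread,
    # root.cache is placed beside it for the sake of the example.
    named_dir = {
        "/var/lib/named/root.hint": CURRENT_NAMED_ROOT,
        "/var/lib/named/root.cache": OLD_ROOT_CACHE,
    }
    for line in check_hints(OLD_ROOT_CACHE, CURRENT_NAMED_ROOT):
        print(line)
    print("files still naming 128.9.0.107:",
          files_mentioning("128.9.0.107", named_dir))
```

In practice the reference text is the named.root just downloaded, and the files dict is built by reading every file in the directory the hints zone points at; a non-empty result from either function is the signal that the resolver is still carrying addresses nobody answers on.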
- You say: Then the funny thing is why the firewall is blocking that "answer" :-?
- Me: no, the router is not blocking the answer; it returns an answer for your query [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ], saying "I can't talk to the DNS SERVER", not reachable (128.9.0.107).

- You say: Perhaps I should open the firewall to port 53, which currently is not, as I don't serve DNS queries
- Me: one question: why did you install the bind package? Why do you need it? It is only needed when you want a DNS server, but that isn't a common use for a normal/common user; in most cases you don't need it to navigate the Internet. A DNS server's IP in resolv.conf is enough for that purpose, and only bind-utils-9.3.2-56.3 (Utilities to query and test DNS) and bind-libs-9.3.2-56.3 (Shared libraries of BIND) are needed.

You only need to open port 53 when you want to serve DNS to others (LAN, WAN, Internet, etc...).

- You say: No... the packet itself is not going to port 53, it is ICMP protocol. Then why is it blocked?
- Me: that log is not for a block of an output packet; it is information about a blocked packet of an answer. As I explained, iptables blocked an ICMP packet because you didn't query for that: you sent a UDP query asking for a DNS resolution and you wait for a UDP answer, but not an ICMP one.

Chejov Suzdal
www.hacktimes.com
www.qualias.net
Sorry, I mixed two things.

- You say: Then the funny thing is why the firewall is blocking that "answer" :-?
- Me: no, the router is not blocking the answer; it returns an answer for your query [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ], saying "I can't talk to the DNS SERVER", not reachable (128.9.0.107). Yes, it is the firewall that blocks the packet, because:

- You say: No... the packet itself is not going to port 53, it is ICMP protocol. Then why is it blocked?
- Me: that log is not for a block of an output packet; it is information about a blocked packet of an answer. As I explained, iptables blocked an ICMP packet because you didn't query for that: you sent a UDP query asking for a DNS resolution and you wait for a UDP answer, but not an ICMP one.

:p sorry :p
The Friday 2008-01-18 at 01:22 +0100, agr.suzdal wrote:
- You say: Then the funny thing is why the firewall is blocking that "answer" :-?
- Me: no, the router is not blocking the answer; it returns an answer for your query [SRC=192.168.1.12 DST=128.9.0.107 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=61490 DF PROTO=UDP SPT=2529 DPT=53 LEN=42 ], saying "I can't talk to the DNS SERVER", not reachable (128.9.0.107)
I'll have to digest the rest of your answer O:-)
- You say: Perhaps I should open the firewall to port 53, which currently is not, as I don't serve DNS queries
- Me: one question: why did you install the bind package? Why do you need it? It is only needed when you want a DNS server, but that isn't a common use for a normal/common user; in most cases you don't need it to navigate the Internet. A DNS server's IP in resolv.conf is enough for that purpose, and only bind-utils-9.3.2-56.3 (Utilities to query and test DNS) and bind-libs-9.3.2-56.3 (Shared libraries of BIND) are needed.
Well... I first set up bind as a cache server, which by default is what the SUSE bind rpm does. When you have a modem, a DNS cache server makes sense, because it speeds up queries. When I upgraded to ADSL I kept it. In fact, the router, which is an embedded little box supplied by my ISP, running Linux 2.4, also contains a DNS server configured as cache. Then I also configured my bind to answer local queries for a "faked" local domain: this time for learning how to do it. I know, I know: it is not necessary. But it works.
You only need to open port 53 when you want to serve DNS to others (LAN, WAN, Internet, etc...).
Right, which is why I keep it closed, unless I'm running tests.

The rest of your message I'll study tomorrow :-)

--
Cheers,
Carlos E. R.
participants (4)
- agr.suzdal
- Carlos E. R.
- Gary Baribault
- Wilson Mattos