From owner-freebsd-security Sat Jan 29 7: 2:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id ADCB314FB4 for ; Sat, 29 Jan 2000 07:02:29 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 98583 invoked by uid 1001); 29 Jan 2000 15:02:26 +0000 (GMT)
To: oogali@intranova.net
Cc: mccord@zytek.com, freebsd-security@freebsd.org
Subject: Re: Continual DNS requests from mysterious IP
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sat, 29 Jan 2000 09:46:48 -0500 (EST)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 29 Jan 2000 16:02:26 +0100
Message-ID: <98581.949158146@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you understand the tcpdump output you'll see that it's a query
> for the MX records of aol.com so a successful mail transfer can be
> achieved.

I doubt that's why this is happening, see below.

> This is the normal course of events:
>
> 1) The user types the e-mail (or a program generates the e-mail)
> and transfers it to the local mail daemon or the SMTP daemon.
>
> 2) The mail daemon looks at the outgoing address and requests a "what
> mailserver is authoritative for this address" record from the local
> resolver.
>
> 3) The local resolver forwards the request to the first available name
> server specified from /etc/resolv.conf. (Line 1 of tcpdump)
>
> 4) -hidden- The other nameservers forward to the root servers and traverse
> down the path of yellow brick DNS road till it gets an answer.
>
> 5) Our happy little nameserver runs back to the requesting resolver with
> an answer (Line 2 of tcpdump).
>
> Apparently, your machine is either blocking the replies, dropping them, or
> not seeing them at all, causing the retransmits of steps 3-5. Now the
> normal course of events would continue like this:

The problem is that:

- These queries are directed to machines which have nothing to do with
  aol.com (and are not authoritative name servers for aol.com).
- These queries are being repeated indefinitely.

(Yes, it's happening here too.)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
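The two symptoms the reply singles out (the same MX query sent again and again, and sent to hosts that are not the client's resolvers and not authoritative for the name) are both visible in a tcpdump capture and are simple to pull out mechanically. The script below is an added example written for this page; it is not code from the thread or from any FreeBSD tool. It assumes `tcpdump -n` style DNS lines, uses a constructed sample capture (not the poster's actual output), and treats the resolver list `EXPECTED_RESOLVERS` and the function names as assumptions of this example. It reports query tuples repeated at least `threshold` times, queries that never received an answer in the capture, and queries sent to servers outside the expected resolver set.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not from the original thread):
# one client repeats an MX query for aol.com to a server that is not one of
# its configured resolvers and never sees an answer; a second client makes
# a normal A query to the expected resolver and gets a reply.
SAMPLE_TCPDUMP = """\
15:02:01.000001 192.0.2.10.1025 > 198.51.100.5.53: 4321+ MX? aol.com. (25)
15:02:01.000002 192.0.2.10.1025 > 198.51.100.5.53: 4321+ MX? aol.com. (25)
15:02:06.000003 192.0.2.10.1025 > 198.51.100.5.53: 4321+ MX? aol.com. (25)
15:02:11.000004 192.0.2.10.1025 > 198.51.100.5.53: 4321+ MX? aol.com. (25)
15:02:12.000005 192.0.2.20.2048 > 203.0.113.53.53: 7+ A? www.example.com. (33)
15:02:12.000006 203.0.113.53.53 > 192.0.2.20.2048: 7 1/0/0 A 93.184.216.34 (49)
"""

# Resolvers this network expects clients to talk to (assumed, constructed value).
EXPECTED_RESOLVERS = {"203.0.113.53"}

# A query line carries "<id>+ <TYPE>? <name>"; a response line carries the
# transaction id followed by the answer/authority/additional counts "a/b/c".
_HDR = (r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
        r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)")
QUERY_RE = re.compile(_HDR + r"\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
RESPONSE_RE = re.compile(_HDR + r"\*? \d+/\d+/\d+ ")


def parse_lines(text):
    """Split capture text into a list of query dicts and a set of answered (client, id)."""
    queries, answered = [], set()
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append(m.groupdict())
            continue
        m = RESPONSE_RE.match(line)
        if m:
            # A response is keyed by the client it goes back to and the transaction id.
            answered.add((m["dst"], m["id"]))
    return queries, answered


def find_repeated_queries(text, threshold=3):
    """Return {(src, dst, qtype, qname): count} for tuples seen at least `threshold` times."""
    queries, _ = parse_lines(text)
    counts = Counter((q["src"], q["dst"], q["qtype"], q["qname"]) for q in queries)
    return {key: n for key, n in counts.items() if n >= threshold}


def find_unanswered_queries(text):
    """Return the set of (client, id) pairs whose query has no response in the capture."""
    queries, answered = parse_lines(text)
    return {(q["src"], q["id"]) for q in queries} - answered


def find_unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (src, dst) pairs where the query went to a server outside `expected`."""
    queries, _ = parse_lines(text)
    return {(q["src"], q["dst"]) for q in queries if q["dst"] not in expected}


if __name__ == "__main__":
    for key, n in find_repeated_queries(SAMPLE_TCPDUMP).items():
        print("repeated x%d: %s -> %s %s %s" % (n, *key))
    for client, qid in find_unanswered_queries(SAMPLE_TCPDUMP):
        print("no answer seen: client %s id %s" % (client, qid))
    for src, dst in find_unexpected_resolvers(SAMPLE_TCPDUMP):
        print("unexpected resolver: %s -> %s" % (src, dst))
```

Run against a real capture, feed it `tcpdump -n -i <iface> udp port 53` output instead of `SAMPLE_TCPDUMP`; the unanswered-query check is what separates a client that is simply retrying into a black hole (the original poster's theory) from one that keeps sending regardless of answers, and the resolver check catches queries aimed at hosts that, as the reply notes, have nothing to do with the name being asked for.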