Firewall Blocking Unusual Traffic
-
I seem to have a lot of traffic incoming with a source port of 53. All of it gets blocked by the firewall, but I'm not understanding why this traffic is happening. One of the theories I have is that someone on the inside of the network is running something they shouldn't be, like a TOR node, but Snort should pick that up if it were true.
Can anyone offer some advice? I have attached a snip of the logs. Please let me know if a packet capture is needed.
Aug 9 10:16:13 WAN 76.96.90.214:53 xxx.xxx.xxx.xxx:7694 UDP block Aug 9 10:16:13 WAN 69.252.250.7:53 xxx.xxx.xxx.xxx:51987 UDP block Aug 9 10:16:12 WAN 69.252.250.8:53 xxx.xxx.xxx.xxx:49939 UDP block Aug 9 10:16:11 WAN 68.87.68.169:53 xxx.xxx.xxx.xxx:49411 UDP block Aug 9 10:16:07 WAN 69.252.250.16:53 xxx.xxx.xxx.xxx:34784 UDP block Aug 9 10:16:06 WAN 69.252.250.11:53 xxx.xxx.xxx.xxx:51987 UDP block Aug 9 10:16:02 WAN 76.96.90.215:53 xxx.xxx.xxx.xxx:42985 UDP block Aug 9 10:16:02 WAN 76.96.90.215:53 xxx.xxx.xxx.xxx:55078 UDP block Aug 9 10:15:57 WAN 69.252.250.16:53 xxx.xxx.xxx.xxx:26763 UDP block Aug 9 10:15:44 WAN 69.252.250.19:53 xxx.xxx.xxx.xxx:20374 UDP block Aug 9 10:15:34 WAN 76.96.90.217:53 xxx.xxx.xxx.xxx:9461 UDP block Aug 9 10:15:32 WAN 69.252.250.15:53 xxx.xxx.xxx.xxx:20374 UDP block Aug 9 10:15:27 WAN 68.87.68.169:53 xxx.xxx.xxx.xxx:9461 UDP -
well port 53 is used for DNS servers.
who is your service provider and/or are you using a domain with a domain controller there which does DNS?
-
My company uses Comcast business class internet. None of those IPs appear to be DNS servers, which is why I'm confused as to why they are sending traffic to my network on port 53. Something is going on, and it is probably out of my realm of understanding of networking.
-
My company uses Comcast business class internet. None of those IPs appear to be DNS servers, which is why I'm confused as to why they are sending traffic to my network on port 53. Something is going on, and it is probably out of my realm of understanding of networking.
well they all seem to belong to Comcast or at least have the ISP registered as Comcast…
And I tried to get a DNS service from them myself but my DC reported that there was no DNS service running on those.
Then again I am in the UK so they might not be public DNS servers.Having just said all that...
one of them has a host name of:
atlt-dnssec03.s3woodstock.ga.atlanta.comcast.net
so I'd guess it is doing some kind of DNS servers but perhaps only for a certain few sites? -
Those are comcast dns, the ones I checked.. If you not on comcast network - then no they will not answer your queries. But they answer mine.
I would assume your using anycast - and since your going out on say 75.75.75.75 which is an anycast address for comcast dns.. How ever you have your firewall rules setup is blocking the answer?
Is dns working? Where are you getting it from?
Why don't you just sniff the traffic and see what it is - if you see what it answers back you might be able to guess where it came from.. And if will most likely see your traffic going out asking whatever it your asking.
-
More than likely you have people inside the network who are using DNS in their OS other than the pfsense forwarder. Good DNS replies on ports randomly to make spoofing more difficult. I'd say you are probably looking at nothing. Just normal replies to DNS queries and you are killing it.
Way to go snort…Something did occur to me... Some smart genius might also be running a P-2-P sharing app on port 53... It would take a network smart guy to think to put it there, but why not.
-
"Good DNS replies on ports randomly to make spoofing more difficult. "
What?? You mean the query goes out from random source ports, not the reply..
-
Yeah - The query. But these are all DNS… I thought maybe at first some P2P traffic at first but nope.
ncst-dnssec02.newcastle.de.panjde.comcast.net
atlt-dnssec03b.s3woodstock.ga.atlanta.comcast.net -
" Some smart genius might also be running a P-2-P sharing app on port 53"
If someone was running p2p on 53 on his network, then you would be seeing dst port to 53 to his network. Not the source port in packets to his network on high ports.
This is clearly just dns responses that most likely should not even be blocked. If you don't want your clients talking to outside dns - then you should block it before it goes out, not on the way back ;)
