Re: [cobalt-users] DNS, AOL, and IPChains - Oh My!
- Subject: Re: [cobalt-users] DNS, AOL, and IPChains - Oh My!
- From: Paul Warner <pwarner@xxxxxxxxxxxxxxxxxx>
- Date: Fri Jan 10 03:57:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Since configuring a firewall on a Raq4 that logs any packets that are
> neither DENYed nor ACCEPTed per a rule, I have noticed the following...
>
> AOL's nameservers seem to have very odd behaviour. They 'talk' to me on
> odd, but regular port #'s as shown in this snippet:
>
> Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 205.188.157.228:50 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=17299 F=0x0000 T=47
> (#62)
> Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=22479 F=0x0000 T=47
> (#62)
> Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 205.188.157.225:51 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=55296 F=0x0000 T=47
> (#62)
> Jan 9 18:40:58 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 64.12.51.143:51 xxx.xxx.xxx.xxx:4649 L=128 S=0x00 I=1498 F=0x0000 T=49
> (#62)
> Jan 9 18:56:05 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 205.188.157.228:52 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=36468 F=0x0000 T=47
> (#62)
> Jan 9 20:46:03 aegis kernel: Packet log: input DENY eth0 PROTO=17
> 205.188.157.226:50 xxx.xxx.xxx.xxx:4649 L=200 S=0x00 I=59145 F=0x0000 T=47
> (#62)
>

Hopefully this will make more sense... I just began comparing entries in
syslog to the kernel log and noted that MANY, not all, times the odd port
responses arrived, there was an entry as follows in the syslog:

Jan 9 18:40:13 hostname named[10865]: Response from unexpected source
([205.188.157.225].53) for query "dns-06.ns.aol.com IN A6"

Could AOL have some sort of load-balancer that has machines respond on
behalf of another? If so, why not on 53 and why to one or two non-random
destination ports?
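
The comparison described in this message (matching named's "Response from unexpected source" entries in syslog against ipchains DENY entries in the kernel log) can be scripted. This is an added example, not part of the original post: the function names, the two-second matching window and the year 2003 (taken from the post's date) are assumptions, and the sample lines are log entries from the post with wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# ipchains "Packet log" entry: chain, action, interface, protocol, src:port, dst:port
PKT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) ")
# named complaint in the form quoted in the post
NAMED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[\d+\]: Response from unexpected "
    r'source \(\[(?P<src>[\d.]+)\]\.(?P<sport>\d+)\) for query "(?P<query>[^"]+)"')

# Sample input: entries from the post, wrapped lines rejoined
SAMPLE = [
    "Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:50 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=17299 F=0x0000 T=47 (#62)",
    "Jan 9 18:40:13 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.225:51 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=55296 F=0x0000 T=47 (#62)",
    'Jan 9 18:40:13 hostname named[10865]: Response from unexpected source ([205.188.157.225].53) for query "dns-06.ns.aol.com IN A6"',
    "Jan 9 18:56:05 aegis kernel: Packet log: input DENY eth0 PROTO=17 205.188.157.228:52 xxx.xxx.xxx.xxx:4649 L=135 S=0x00 I=36468 F=0x0000 T=47 (#62)",
]

def _ts(text, year=2003):
    # syslog timestamps carry no year; 2003 is assumed from the post's date
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse(lines):
    """Split mixed log lines into ipchains packet entries and named complaints."""
    packets, complaints = [], []
    for line in lines:
        for rx, out in ((PKT, packets), (NAMED, complaints)):
            m = rx.match(line)
            if m:
                out.append({**m.groupdict(), "time": _ts(m["ts"])})
    return packets, complaints

def correlate(lines, window=timedelta(seconds=2)):
    """Pair each named complaint with DENYed UDP packets from the same source IP."""
    packets, complaints = parse(lines)
    pairs = []
    for c in complaints:
        hits = [p for p in packets
                if p["action"] == "DENY" and p["proto"] == "17"
                and p["src"] == c["src"]
                and abs(p["time"] - c["time"]) <= window]
        pairs.append((c, hits))
    return pairs

if __name__ == "__main__":
    for c, hits in correlate(SAMPLE):
        print(c["query"], c["src"], [(h["sport"], h["dport"]) for h in hits])
```

Complaints that come back with an empty hit list are the cases the post describes as "not all": a named entry with no matching DENY in the kernel log.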