I have questions about 3 types of packets my firewall is dropping. They’re all related to DNS, I guess. My first assumption is always “I must have misconfigured something”.
2014-03-25T15:18:35.761420-05:00 siliconpenguin kernel: [72775.946679] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=71.86.xxx.xxx DST=18.104.22.168 -snip- DF PROTO=UDP SPT=5353 DPT=5353 LEN=41
So, I believe this is an mDNS broadcast packet. What might be broadcasting this packet? Do I have something misconfigured? Could it be something on my internal network requesting this? BTW, I find it weird that IN=eth0. That’s the network card facing the internet. The SRC=71.86.xxx.xxx is eth0. I log about 10 - 20 of these a day.
2014-03-25T14:48:45.952426-05:00 siliconpenguin kernel: [70986.139003] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:blahblah SRC=22.214.171.124 DST=71.86.xxx.xxx --snip-- PROTO=UDP SPT=53 DPT=2050 LEN=96
The SRC=126.96.36.199 is a DNS server from my ISP, so this seems legit. But why are they sending me on average 50 - 100 of these a day? I’ve only seen port 2050 used for two things: Avaya EMB Config Port and a Windows trojan. That doesn’t mean it couldn’t be for some other legit purpose.
Moving on. This one is a little different. I see what’s happening, just not the how or why:
2014-03-25T10:00:27.242024-05:00 siliconpenguin kernel: [53687.428606] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:blahblah SRC=188.8.131.52 DST=71.86.xxx.xxx --snip-- PROTO=ICMP TYPE=3 CODE=3 [SRC=71.86.xxx.xxx DST=184.108.40.206--snip-- PROTO=UDP SPT=15777 DPT=53 LEN=50 ]
So this looks like someone, from South Africa, is pinging my box. The part that confuses me is DPT=53?? Again with the DNS port? That wouldn’t be normal for a ping request, right?
Thanks in advance for any tips or help! If you could point me in the right direction I’d really appreciate it.
Please let me know if you need anything else…
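As an added triage example (not part of the original post), the following parses SuSEfirewall2-style kernel drop lines like the three above, including the bracketed copy of the original packet that an ICMP type 3 code 3 (destination unreachable, port unreachable) message carries, and labels each drop by what it most likely is. The sample lines are constructed with placeholder addresses; the classification rules and the "inner SRC must equal outer DST" check are my own assumptions, not anything from the post.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SFW2 drops quoted in the post;
# all addresses are documentation/placeholder values, not real ones.
SAMPLE_LOG = """\
kernel: [72775.946679] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=71.86.0.1 DST=224.0.0.251 LEN=61 TTL=255 DF PROTO=UDP SPT=5353 DPT=5353 LEN=41
kernel: [70986.139003] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:00:00:00:00 SRC=203.0.113.53 DST=71.86.0.1 LEN=116 PROTO=UDP SPT=53 DPT=2050 LEN=96
kernel: [53687.428606] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:1a:00:00:00:00 SRC=198.51.100.9 DST=71.86.0.1 LEN=78 PROTO=ICMP TYPE=3 CODE=3 [SRC=71.86.0.1 DST=198.51.100.9 LEN=50 PROTO=UDP SPT=15777 DPT=53 LEN=50 ]
"""

KV = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs (value may be empty, e.g. OUT=)
INNER = re.compile(r"\[(SRC=[^\]]*)\]")  # the quoted original packet inside an ICMP error

def parse_line(line):
    """Return (outer_fields, inner_fields_or_None) for one kernel log line."""
    m = INNER.search(line)
    inner = dict(KV.findall(m.group(1))) if m else None
    outer = dict(KV.findall(line[:m.start()] if m else line))
    return outer, inner

def classify(line):
    outer, inner = parse_line(line)
    proto, spt, dpt = outer.get("PROTO"), outer.get("SPT"), outer.get("DPT")
    if proto == "UDP" and spt == "5353" and dpt == "5353":
        # mDNS: normally link-local only, destined for 224.0.0.251
        return "mdns"
    if proto == "UDP" and spt == "53" and dpt and int(dpt) > 1023:
        # Answer from a DNS server to an ephemeral client port: this host (or a
        # NATed client) asked a question; the reply arrived after the firewall's
        # connection-tracking entry was gone, so it was dropped as unsolicited.
        return "dns-reply-to-ephemeral-port"
    if proto == "ICMP" and outer.get("TYPE") == "3" and outer.get("CODE") == "3" and inner:
        # Port unreachable quotes the packet that triggered it. A genuine error
        # should quote a packet *we* sent, so the inner SRC must match our DST.
        if inner.get("SRC") != outer.get("DST"):
            return "icmp-port-unreachable-unsolicited"
        if inner.get("PROTO") == "UDP" and inner.get("DPT") == "53":
            return "icmp-port-unreachable-for-own-dns-query"
        return "icmp-port-unreachable"
    return "other"

def triage(log_text):
    """Count each drop category across a block of log text."""
    return Counter(classify(l) for l in log_text.splitlines() if "SFW2" in l)

if __name__ == "__main__":
    for cat, n in triage(SAMPLE_LOG).items():
        print(f"{n:4d}  {cat}")
```

Feeding a day's worth of /var/log/messages through triage() separates the noisy-but-benign late DNS replies from anything that fails the inner/outer address check and deserves a closer look.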