[unexpected connection]

Jim Reid jim at rfc1035.com
Fri Oct 27 15:54:36 UTC 2000


">
m.saitoh at lac.co.jp writes:

    >>  The phenomenon is that IDS detected a packet tried to connect
    >> from my server to Unknown Name server, directly.

    >> src host : My Server ( DNS, WWW ) 
    >> src port : High port
    >> dst host : ne3.europe.yahoo.com <-- "Unknown" server ! 
    >> dst port : 53 (tcp)

    >>  I don't remember writing "ne3...com" in my configuration.
    >> No such IP addr. (ne3....com) was found in the named.conf,
    >> /etc/named/*. or /etc/resolv.conf

    >> I tried to find which process executed this connection using
    >> commands like netstat, but I couldn't find it out.

This would appear to be normal behaviour. Your name server will get
queries from local users and applications for all sorts of names. Your
name server has to resolve those queries by interrogating an
effectively arbitrary set of other name servers. One of the queries
could have been from a local user's web browser going to (say)
www.yahoo.com, causing your name server to query the name server at
ne3.europe.yahoo.com to get the IP address of www.yahoo.com.

You don't necessarily have to embed the IP address of
ne3.europe.yahoo.com anywhere in your configuration. Your name server
will be perfectly capable of finding the names and addresses of other
name servers for itself. And unless you have 100% control over the
names your users look up - which web sites they visit, who they
exchange email with, etc - you have no way of controlling what name
servers will be queried by your name server. Or what name servers
query your name server for that matter.

BTW, BIND[89] by default uses a random, high-numbered (unprivileged)
source port for querying other name servers. Those queries have to go
to port 53 on the remote server obviously. The log report generated
by IDS is just consistent with this standard, normal behaviour.
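The triage rule Jim describes (our own recursive name server, unprivileged source port, destination port 53 on some name server we never configured) can be turned into a small filter that runs over IDS alert lines, so that only the connections which do not match that pattern are escalated. The script below is an added example and is not part of the original thread or of BIND; it assumes a constructed key=value alert format (`src=… sport=… dst=… dport=… proto=…`), a constructed list of the addresses of the resolvers we operate (`RESOLVER_HOSTS`), and the BIND 8/9 default of picking a source port at or above 1024. The sample alerts are constructed from RFC 5737 documentation addresses.

```python
"""Triage IDS alerts about outbound DNS connections from a recursive resolver.

Added example, not code from the bind-users thread or from BIND itself.
Assumptions (not from the original post):
  * each IDS alert is one line of key=value pairs: src sport dst dport proto
  * RESOLVER_HOSTS holds the addresses of the recursive name servers we run
  * the resolver uses an unprivileged (>= 1024) source port, the BIND 8/9 default
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the recursive name servers we operate (RFC 5737 test addresses).
RESOLVER_HOSTS = {ipaddress.ip_address("192.0.2.10")}

EPHEMERAL_MIN = 1024  # BIND 8/9 default: random unprivileged source port
DNS_PORT = 53

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    src: IPAddress
    sport: int
    dst: IPAddress
    dport: int
    proto: str


def parse_alert(line: str) -> Alert:
    """Parse one key=value alert line into an Alert (hypothetical format)."""
    fields = dict(_KV.findall(line))
    return Alert(
        src=ipaddress.ip_address(fields["src"]),
        sport=int(fields["sport"]),
        dst=ipaddress.ip_address(fields["dst"]),
        dport=int(fields["dport"]),
        proto=fields["proto"].lower(),
    )


def classify(alert: Alert) -> tuple[str, str]:
    """Return (verdict, reason) for one alert.

    'expected'  - our resolver querying a remote name server: normal recursion,
                  the remote server does not need to appear in any local config.
    'review'    - a DNS-related connection that does not fit the resolver pattern.
    'unrelated' - not DNS at all; outside the scope of this rule.
    """
    from_resolver = alert.src in RESOLVER_HOSTS
    to_dns = alert.dport == DNS_PORT and alert.proto in ("udp", "tcp")

    if from_resolver and to_dns:
        if alert.sport >= EPHEMERAL_MIN:
            return "expected", "recursive resolver querying a remote name server"
        return "review", "resolver query from a privileged source port (non-default query-source?)"
    if from_resolver:
        return "review", f"resolver connecting to port {alert.dport}/{alert.proto}, not DNS"
    if to_dns:
        return "review", "host other than our resolver talking DNS directly to an external server"
    return "unrelated", "not a DNS connection"


# Constructed sample alerts; no real hosts or incidents behind them.
SAMPLE_ALERTS = [
    "src=192.0.2.10 sport=40312 dst=198.51.100.5 dport=53 proto=tcp",   # normal recursion (TCP)
    "src=192.0.2.10 sport=53 dst=198.51.100.5 dport=53 proto=udp",      # privileged source port
    "src=192.0.2.10 sport=51000 dst=198.51.100.7 dport=6667 proto=tcp", # resolver to a non-DNS port
    "src=192.0.2.25 sport=51234 dst=198.51.100.5 dport=53 proto=udp",   # client bypassing our resolver
    "src=192.0.2.25 sport=51235 dst=198.51.100.9 dport=443 proto=tcp",  # ordinary HTTPS, out of scope
]


def triage(lines: list[str]) -> list[str]:
    """Return the verdict for each alert line, in order."""
    return [classify(parse_alert(line))[0] for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        verdict, reason = classify(parse_alert(line))
        print(f"{verdict:9s} {reason}  <- {line}")
```

Only the first sample is the situation in the original report and is classified as expected; the destination is allowed to be a name server nobody configured, because that is exactly how recursion works. A privileged source port, a resolver reaching a non-DNS port, or an ordinary client host speaking DNS to the outside are the cases worth a human look, since they are the ones this explanation does not cover.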



More information about the bind-users mailing list