Netscreen FW product bug, perhaps? (was RE: unsolicited spam packets from DNS servers?)

linda w bind at tlinx.org
Tue Feb 25 06:07:08 UTC 2003



> From: marka at isc.org [mailto:marka at isc.org] On Behalf Of
> 	You are making queries but not allowing the replies back.
> 	Look at your logs.  All the allowed traffic is outgoing.
---
	Yeah, that's what I thought at first too.  But then
someone kicked me and said "well, if that's true, how are
you getting any name resolution whatsoever?"  A bit
more "digging"...  The "R:xxxx" in the "->" lines is "received
bytes"; "S:xxx" is "sent bytes".  So even though there is
a "->", that simply means it was 'initiated' from within;
the 'response' is counted as part of the 'initiated' query.


> 	All the blocked traffic is incoming.  The blocked traffic
> 	is heading to the port the allowed traffic comes from.
----
	I'm not allowing "unsolicited" responses to be coming
back.  There are responses back in the "->" lines.


>
> 	You are blocking replies and pounding the root servers
> 	with queries that you are ignoring.
...

	Looking at the 'pounding' sections, I see some amount of
'pounding', followed by a successful "session":

(1)   99 HostA:34118 |< g.gtld-servers.net   :53
	" x5
(2)   99 HostA:34118 |< buchu.arin.net       :53
	" x4
(3)   99 HostA:34118 |< a3.NSTLD.COM         :53
	" x7
(4),3  6 HostA:34118 -> j.gtld-servers.net   :53 ;R: 226; S:  82
(5),5  6 HostA:34118 -> g.gtld-servers.net   :53 ;R: 247; S: 552
(6),3  6 HostA:34118 -> a3.NSTLD.COM         :53 ;R: 445; S: 784
(7),3  6 HostA:34118 -> ns-ext.vix.com       :53 ;R: 231; S:  88
(8),3  6 HostA:34118 -> buchu.arin.net       :53 ;R: 329; S: 488
    ^-duration in seconds
---
	This is just weird.  The FW box in question is a "Netscreen
5xp".  But (I need to fix the log so seconds get recorded)
I can see several replies from the servers come in before
one that the Netscreen box considers "matching", and then it
"closes" the "request-session" and logs it as successful.  For
brevity, I abbreviated multiple rejects with the number of lines
deleted (" x5 = repeated 5 times).

	This is crappy.  I'll try to see if I can get anything out
of the Netscreen support people, but they haven't been able to
explain why their log formats differ in email vs. syslog vs.
their documentation yet, so dunno about why it would be
dropping traffic.  Weird.

-linda
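The by-hand tally in the post (blocked "|<" lines per server, followed by the accepted "->" session with its R:/S: byte counts) can be reproduced by a small parser over the abbreviated log. This is an added example, not code from the post or from Netscreen; it assumes the post's reading of the fields ("|<" = blocked inbound packet, "->" = session initiated from inside, R: = received bytes, S: = sent bytes), assumes that a following '" xN' line means N further identical lines were deleted beyond the one shown (so the total is N + 1), and treats the leading "(n)" / "(n),k" tag and the numeric column after it as opaque, since the post does not fully explain them.

```python
import re
from collections import OrderedDict

# The abbreviated Netscreen log lines quoted in the post (tabs replaced by spaces).
SAMPLE_LOG = """
(1)   99 HostA:34118 |< g.gtld-servers.net   :53
        " x5
(2)   99 HostA:34118 |< buchu.arin.net       :53
        " x4
(3)   99 HostA:34118 |< a3.NSTLD.COM         :53
        " x7
(4),3  6 HostA:34118 -> j.gtld-servers.net   :53 ;R: 226; S:  82
(5),5  6 HostA:34118 -> g.gtld-servers.net   :53 ;R: 247; S: 552
(6),3  6 HostA:34118 -> a3.NSTLD.COM         :53 ;R: 445; S: 784
(7),3  6 HostA:34118 -> ns-ext.vix.com       :53 ;R: 231; S:  88
(8),3  6 HostA:34118 -> buchu.arin.net       :53 ;R: 329; S: 488
"""

# One log line.  "|<" is a blocked inbound packet from the server to our
# query socket; "->" is an accepted session initiated from inside, carrying
# ";R: received; S: sent" byte counts.  The "(n)"/"(n),k" tag and the numeric
# column after it are captured but otherwise ignored (assumption: unexplained).
LINE_RE = re.compile(
    r'^\((?P<tag>\d+)\)(?:,(?P<tag2>\d+))?\s+(?P<col>\d+)\s+'
    r'(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dir>\|<|->)\s+'
    r'(?P<dst>\S+)\s*:(?P<dport>\d+)'
    r'(?:\s*;R:\s*(?P<rcvd>\d+);\s*S:\s*(?P<sent>\d+))?\s*$'
)
# '" xN' on the following line: N further copies of the previous line were
# deleted for brevity (assumption: N does not include the line shown).
REPEAT_RE = re.compile(r'^"\s*x(?P<n>\d+)\s*$')


def parse_log(text):
    """Expand the abbreviated log into one dict per packet or session."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rep = REPEAT_RE.match(line)
        if rep:
            if not events:
                raise ValueError('repeat marker before any log line')
            prev = events[-1]
            events.extend(dict(prev) for _ in range(int(rep.group('n'))))
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError('unrecognised line: %r' % raw)
        e = m.groupdict()
        e['sport'] = int(e['sport'])
        e['dport'] = int(e['dport'])
        e['rcvd'] = int(e['rcvd']) if e['rcvd'] is not None else None
        e['sent'] = int(e['sent']) if e['sent'] is not None else None
        events.append(e)
    return events


def summarize(events):
    """Per (local host, local port, server): number of blocked inbound packets
    and the byte counts of the accepted session, in order of first appearance."""
    report = OrderedDict()
    for e in events:
        key = (e['src'], e['sport'], e['dst'])
        entry = report.setdefault(key, {'blocked': 0, 'session': None})
        if e['dir'] == '|<':
            entry['blocked'] += 1
        else:
            entry['session'] = {'rcvd': e['rcvd'], 'sent': e['sent']}
    return report


def dropped_then_accepted(report):
    """Servers whose replies were blocked on a local port before a session to
    the same server on that port was logged as successful: the pattern the post
    describes."""
    return [dst for (src, sport, dst), r in report.items()
            if r['blocked'] and r['session'] is not None]


if __name__ == '__main__':
    report = summarize(parse_log(SAMPLE_LOG))
    for (src, sport, dst), r in report.items():
        print('%s:%d -> %-20s blocked=%d session=%s'
              % (src, sport, dst, r['blocked'], r['session']))
    print('dropped before accepted:', dropped_then_accepted(report))
```

On the log above this reports six blocked packets from g.gtld-servers.net, five from buchu.arin.net and eight from a3.NSTLD.COM before each of their sessions is accepted, and none for j.gtld-servers.net or ns-ext.vix.com. Feeding it the real syslog records (with seconds, once the log is fixed) would also show whether the blocked packets arrive within the session's duration or after the firewall has already closed it.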
