DNS BIND traffic capture ICMP/UDP

Ray Bellis ray at isc.org
Fri Jan 15 15:30:35 UTC 2016


On 15/01/2016 13:48, Daniel Dawalibi wrote:
> Hello
> 
> We observed an unusual traffic combining ICMP and UDP packets while
> running the tcpdump command on the DNS caching server.
> 
> Kindly note that only UDP DNS traffic is allowed on this server (ICMP is
> not allowed from outside to the DNS server).
> 
> Any help regarding this issue? Why are we getting ICMP and UDP requests?
> Could it be an attack?

The far end is complaining that responses that your server has sent
cannot be delivered to the originator because there's no longer anything
listening at the source port from which the DNS request came.

This could be for several reasons:

1.  the far end's stateful firewall has "timed out" the state it was
    maintaining for its own outgoing UDP query

2.  the far end ran out of state memory (similar to 1)

3.  the packet didn't really come from there in the first place (i.e.
    the source was spoofed)

Your own firewall is likely permitting the inbound ICMP (despite rules
prohibiting unsolicited inbound ICMP) because as far as it's concerned,
these are *not* unsolicited ICMP packets - they relate to an existing flow.

Ray
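As an added example (not part of Ray's reply or of BIND itself), here is a Python sketch of the check Ray describes: parse an ICMP Destination Unreachable and inspect the datagram it quotes to decide whether it refers to a UDP/53 reply our own server sent, i.e. whether it "relates to an existing flow". The addresses, ports and DNS ID below are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3  # type 3, code 3

def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) from a raw IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return str(IPv4Address(f[8])), str(IPv4Address(f[9])), f[6], (f[0] & 0x0F) * 4

def classify_icmp(pkt, our_dns_ip):
    """Classify a raw IPv4 packet captured on the resolver.

    'related-dns' means an ICMP Destination Unreachable whose quoted datagram is a
    UDP reply our server sent from port 53 (the case described in the thread); the
    DNS transaction ID is extracted when the sender quoted enough of the datagram."""
    src, _dst, proto, ihl = parse_ipv4(pkt)
    if proto != IPPROTO_ICMP:
        return {"verdict": "not-icmp"}
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        return {"verdict": "other-icmp", "type": itype}
    quoted = icmp[8:]  # original IP header + at least the first 8 bytes of its payload
    if len(quoted) < 20:
        return {"verdict": "truncated-quote"}
    qsrc, qdst, qproto, qihl = parse_ipv4(quoted)
    if qproto != IPPROTO_UDP or len(quoted) < qihl + 8:
        return {"verdict": "unsolicited", "from": src}  # not a UDP flow we can match
    sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
    if qsrc != our_dns_ip or sport != 53:
        return {"verdict": "unsolicited", "from": src}  # does not quote a reply of ours
    result = {"verdict": "related-dns", "from": src, "client": qdst, "client_port": dport,
              "port_unreachable": code == ICMP_PORT_UNREACH}
    if len(quoted) >= qihl + 10:  # DNS header (ID first) starts 8 bytes into UDP
        result["dns_id"] = struct.unpack("!H", quoted[qihl + 8:qihl + 10])[0]
    return result

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a zero checksum (for the constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Constructed sample: the client host reports port-unreachable and quotes our UDP/53
# reply (DNS ID 0x1a2b) to it. Addresses are documentation-range placeholders.
DNS_IP, CLIENT_IP = "192.0.2.53", "198.51.100.7"
udp_reply = struct.pack("!HHHH", 53, 40123, 8 + 2, 0) + struct.pack("!H", 0x1A2B)
quoted_dgram = ipv4_header(DNS_IP, CLIENT_IP, IPPROTO_UDP, len(udp_reply)) + udp_reply
icmp_msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted_dgram
SAMPLE_PKT = ipv4_header(CLIENT_IP, DNS_IP, IPPROTO_ICMP, len(icmp_msg)) + icmp_msg
```

Fed with frames from a capture, a 'related-dns' verdict with a DNS ID that matches a recent answer in the query log points at Ray's cases 1 and 2, while a flood of 'related-dns' verdicts for clients that never appear in the query log points at case 3.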