Firewall Making Many DNS PTR Queries

Alex de Kruijff freebsd at akruijff.dds.nl
Sat Nov 8 15:28:52 PST 2003


On Sat, Nov 08, 2003 at 01:00:06PM -0800, Jason C. Wells wrote:
> If one of my clients makes a DNS query for a hostname that is not cached,
> my firewall subsequently makes a flurry of PTR queries.  I am at a loss to
> explain why.
> 
> For example:
> 
> XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
> XX+/192.168.1.13/www.davinci.com/A/IN
> XX+/192.168.1.1/49.0.229.193.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/10.24.230.130.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/132.248.214.128.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/10.102.230.130.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/64.46.214.128.in-addr.arpa/PTR/IN
> XX+/192.168.1.1/64.4.214.128.in-addr.arpa/PTR/IN
> ... and many more ...
> 
> The firewall is 192.168.1.1.
> 
> But if I do the query on a cached hostname, no such weirdness occurs.
> 
> XX+/192.168.1.13/202.1.168.192.in-addr.arpa/PTR/IN
> XX+/192.168.1.13/www.davinci.com/A/IN
> 
> My DNS servers are behind the firewall.  I use port translation to run the
> DNS through the firewall.  The DNS queries complete successfully.  I fixed
> the problem with my secondary nameserver not responding (thanks Pete
> Elkhe, my NAT was buggered).
> 
> The PTR records the firewall is seeking are mostly for nameservers.
> Sometimes the PTRs the firewall is looking for are not resolvable.  The
> PTRs don't seem to be related to the domain in question.
> 
> What the heck is my firewall doing looking for those PTR records?

Could you mail the output of ipfw to me? I'll take a look in the
morning to see if there is something weird. (I'd prefer this command:
'ipfw s | mail -s 'ipfw & dns' freebsd-reply at akruijff.dds.nl')

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/

