North American Network Operators Group


Odd UDP traffic between secondary servers

  • From: Jesse Whyte
  • Date: Mon Oct 19 16:30:24 1998

The environment is fairly typical...one primary DNS server and three
secondary servers. One of the secondary servers is on the same subnet as the
primary DNS server and the other two are distributed across the Wide Area
Network. Of these two remote secondary servers, I see traffic like the
following every day in my access-list violations, where ROUTER-WITH-ACL is
the router protecting the REMOTE-SECONDARY-2...

Oct 11 01:17:07 ROUTER-WITH-ACL 113128: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36070), 1 packet
Oct 11 01:18:37 ROUTER-WITH-ACL 113139: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36075), 1 packet
Oct 11 01:18:42 ROUTER-WITH-ACL 113140: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36076), 1 packet
Oct 11 01:18:47 ROUTER-WITH-ACL 113141: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36077), 1 packet
...
Oct 11 03:05:42 ROUTER-WITH-ACL 113623: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36120), 1 packet
Oct 11 03:05:47 ROUTER-WITH-ACL 113624: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36121), 1 packet
Oct 11 03:05:57 ROUTER-WITH-ACL 113625: 1w3d: %SEC-6-IPACCESSLOGP: list 114
denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36122), 1 packet

As you can see, the destination port increments by one on each attempt and
this entire process occurs over the period of several hours. This traffic is
entirely unidirectional...I do not see any similar traffic on the access
list protecting REMOTE-SECONDARY-1. What is the nature of this traffic and
should I be concerned? It is obviously not a zone transfer, and there is no
forwarders directive in either config file, so I'm at a loss.

Thanks in advance for your help...

Jesse Whyte
Security Analyst
Office of Information Resources
State of Tennessee
(615)741-8651
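A way to confirm by machine what the post describes by eye (one fixed source port, destination port climbing by one, spread over hours) and to check whether the mirror flow ever appears in the same log. This is an added example, not code from the original post; the log entries are constructed in the %SEC-6-IPACCESSLOGP format quoted above, and SOME-HOST is a made-up host added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the IOS ACL log lines quoted in the post (each entry
# rejoined onto one line); the SOME-HOST entry is an added, unrelated flow for contrast.
SAMPLE_LOG = """\
Oct 11 01:17:07 ROUTER-WITH-ACL 113128: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36070), 1 packet
Oct 11 01:18:37 ROUTER-WITH-ACL 113139: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36075), 1 packet
Oct 11 01:18:42 ROUTER-WITH-ACL 113140: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36076), 1 packet
Oct 11 03:05:57 ROUTER-WITH-ACL 113625: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp REMOTE-SECONDARY-1(53) -> REMOTE-SECONDARY-2(36122), 1 packet
Oct 11 03:06:10 ROUTER-WITH-ACL 113626: 1w3d: %SEC-6-IPACCESSLOGP: list 114 denied udp SOME-HOST(40000) -> REMOTE-SECONDARY-2(53), 1 packet
"""
# %SEC-6-IPACCESSLOGP layout: syslog stamp, router, sequence number, uptime, then the ACL verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \d+: \S+ %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)


def parse_acl_log(text):
    """Return one dict per parsable entry; lines in any other format are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        e.update(sport=int(e["sport"]), dport=int(e["dport"]), pkts=int(e["pkts"]))
        events.append(e)
    return events


def summarize_flows(events):
    """Group by (src, sport, dst, proto); report the destination-port walk and whether the
    mirror flow (dst -> src on the same source port) is seen, i.e. whether traffic is one-way."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["sport"], e["dst"], e["proto"])].append(e)
    summary = {}
    for key, evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        ports = [e["dport"] for e in evs]
        steps = [b - a for a, b in zip(ports, ports[1:])]
        summary[key] = {
            "count": len(evs),
            "ports": (ports[0], ports[-1]),
            "increasing": bool(steps) and all(s > 0 for s in steps),
            "span_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "reverse_seen": any(x["src"] == key[2] and x["dst"] == key[0] and x["dport"] == key[1] for x in events),
        }
    return summary
```

Note that a denied packet is logged only by the ACL that denied it, so the absence of the mirror flow in this router's log says nothing about what the access list in front of REMOTE-SECONDARY-1 permitted silently. Run the same summary over that router's log before concluding the traffic is truly unidirectional.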