[mdlug] Strange Log Entry

Adam Tauno Williams awilliam at whitemice.org
Fri Apr 12 07:32:33 EDT 2013


On Fri, 2013-04-12 at 05:03 -0400, Jay Nugent wrote: 
> > I don't know a lot about networking (which is why I'm asking here)
> > but UDP port 53 is for DNS related queries.  It seems that a DNS
> > server (196.21.79.50) is responding to a request from 192.168.0.4
> > with a bad packet.  But the address 192.168.0.4 does not exist
> > on my network.  The only machine that is connected is 192.168.0.2,
> > which is my Linux machine.  (My Windows box is shut off and when
> > connected has a different address.)
> > IOW, if my machine is sending DNS queries (and using pdnsd it is
> > sending them) then the address for any responses from a DNS server
> > should be 192.168.0.2.  Where is this 192.168.0.4 coming from?

Are you relying upon NAT to be a security feature?  Because it is *not*
one;  it is a hack to work around a brokenness of a broken protocol
[IPv4].

"My machines are all connected to a router"

By "router" I assume you mean "firewall".  If so - what are the rules
applied by that firewall+router?  If you see traffic uncorrelated to a
connection you created from anything other than 192.168/16 or 169.254/16
then it is leaking [NAT is not a security feature] or another box on
your network has been compromised and is forging addresses - the
responses to which will leak back out of your network [NAT is not a
security feature] to whomever the intended recipient is [NAT is not a
security feature].

Also each and every box on your internal network should firewall ingress
& egress; do not allow originating connections to a workstation that is
not on a privately numbered subnet [at least for IPv4 traffic; IPv6
doesn't really have private subnets - thank the PTBs!].

It would be interesting to just capture some traffic using Wireshark for
a few minutes and see what you see.  Taking a look at network traffic
with Wireshark every now and then is a good idea anyway; sometimes you
see things pop-up - like a new printer going ape and constantly spraying
the network with zeroconf notifications, etc...  Wireshark provides a
way to view network traffic that is relatively newbie friendly.

>  Nothing happens in IP atop 802.3 ethernet without ARP.  Check your arp 
> table to determine the MAC address of the ethernet card that sent the 
> packet.

Dumping the ARP table is always a first-ish step in running down weird
ethernet traffic.  

If you see "incomplete" addresses in the ARP then possibly all this is
just a bad cable, switch port, or dying NIC - it can happen, just a few
bits get twiddled and you can see traffic that never actually came from
somewhere.  But on modern hardware it is extremely rare.

But note that this is IPv4 specific, it stops working with IPv6.
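The ARP-table check suggested above, as an added example that is not part of the thread: a small Python parser for `ip neigh show` output on Linux that looks up the MAC behind a suspect address such as 192.168.0.4, lists entries that never resolved (INCOMPLETE/FAILED, the "incomplete" cable/NIC case), and flags one MAC answering for several IPv4 addresses, which is what a box forging addresses looks like from the neighbour table. The sample table is constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output (not a real capture from the thread).
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
192.168.0.2 dev eth0 lladdr 00:1a:2b:3c:4d:02 REACHABLE
192.168.0.4 dev eth0 lladdr 00:1a:2b:3c:4d:02 STALE
192.168.0.9 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:1a:2b:3c:4d:01 router STALE
"""

# One `ip neigh` line: address, interface, optional link-layer address, NUD state last.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?.*?(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Parse `ip neigh show` output into dicts with keys ip, dev, mac, state."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def mac_for(entries, ip):
    """MAC the kernel recorded for ip, or None if there is no resolved entry."""
    for e in entries:
        if e["ip"] == ip:
            return e["mac"]
    return None

def unresolved(entries):
    """Addresses with no link-layer address: nobody answered ARP for them."""
    return [e["ip"] for e in entries if e["mac"] is None]

def shared_macs(entries):
    """IPv4 addresses sharing one MAC on one interface (IPv6 ignored, since a
    NIC legitimately carries a v4 and a v6 address): aliasing or address forgery."""
    by_mac = defaultdict(set)
    for e in entries:
        if e["mac"] and ipaddress.ip_address(e["ip"]).version == 4:
            by_mac[(e["dev"], e["mac"])].add(e["ip"])
    return {mac: sorted(ips) for (_, mac), ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":  # on a live box, feed it the output of `ip neigh show`
    table = parse_neigh(SAMPLE_NEIGH)
    print("unresolved:", unresolved(table), "shared MACs:", shared_macs(table))
```

On the sample, 192.168.0.4 resolves to the same MAC as 192.168.0.2, so the "phantom" address is coming from the same NIC rather than from a separate machine.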


